how can a firewall box handle virus?

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
Some new firewall boxes advertised DPI and virus protection (e.g. sonicwall
tz180). Sounds attractive. But how does it work?

Let's say I'm downloading a pop3 email. Does the firewall stores the entire
email and attachment, scan it for virus, then forward it on if it's clean?
And if the attachment has a virus, can it strip out the attachment only and
forward the rest of the email? This sounds too good to be true. And wouldn't
this require a hard drive for the firewall?

Similar question for how it handles spyware, trojans, etc.



Re: how can a firewall box handle virus?
Quoted text here. Click to load it

No. It just inspects it while it is downloading just like any other
antivirus software does. They start at the beginning and end at the
end. You only need a small buffer for that.

But it also does not work miracles. It does not forward anything "if
it's clean". It only recognizes for what it has signatures. It won't
recognize the newest malware until the signatures have it. It won't
recognize very rare malware. It will also recognize things which are
not bad. It will also recognize malware which is actually not
dangerous on your computer because your computer is not vulnerable.

So basically, it may find a few things but it is still and always you
who has to decide what's clean or not.

Gerald


Re: how can a firewall box handle virus?

Quoted text here. Click to load it

While this sorts out 99% of the crap, there's enough worms out there
that send themselves as ZIP (encrypted, even...).

Virus scanners on mailservers usually try to unpack the archive files
and remove those files from the content that still look dangerous. But
even that is growing more and more difficult - the latest bugs in
Acrobat mean that every PDF could be a problem :-(

Juergen Nieveler
--
A man is only a man, but a good bicycle is a ride.

Re: how can a firewall box handle virus?
Juergen Nieveler wrote:
Quoted text here. Click to load it

yeah I have been seeing these spammails with pdf atachments,what's the
bug/exploit ?

any hints appreciated

M



Re: how can a firewall box handle virus?
Quoted text here. Click to load it

FTR: those usually don't contain exploits but use PDF merely to evade
keyword or pattern detection of spam filters. However, since there have
been exploitable vulnerabilities in various PDF readers, PDF can't be
considered a "safe" attachment. In fact there are no inherently "safe"
attachments.

If the program handling the attached file has an exploitable bug, then
an exploit contained in the attached file may lead to compromisation of
your system once you open the attachment. Meaning that for every type of
attachment there's a nonzero chance that it may contain malware at some
point.

Quoted text here. Click to load it

google://acrobat+vuln

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: how can a firewall box handle virus?
juergen.nieveler.nospam@arcor.de says...
Quoted text here. Click to load it

Yep, we actually block Zip files except from a specific user account
that only admins can reach. In addition to blocking at the firewall
based on mime type we also use SMTP aware scanners that scan before the
email/attachment reaches the mail server itself.  Nothing is perfect,
but we've never had a compromised client in more than 20 years.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: how can a firewall box handle virus?
Quoted text here. Click to load it

If that is the case, the firewall may let half an email pass through, detect
a virus, and cut off the rest of the email?

I guessed I wasn't clear. What I want to know is, if one of the email I'm
downloading via pop3 has a virus and is detected by such firewall, what does
it do? Delete one ethernet frame? Delete the rest of the session? Delete
from the start of the signature till the end of the virus (assuming its
virus database has length info)?

What if the virus' signature pattern happens to cross an ethernet packet
boundary, would it still be detected? The firewall would have to be able to
remove low and higher level network headers in order to piece multiple
packets into one data stream to scan for virus. But if it is smart enough to
do this, why not store, scan, and forward attachment if no virus is found?

Similarly, if a spyware is detected by such firewall while I'm downloading
an activeX control, what does it do? Delete the data until the end of the
activeX control data stream (assuming it can tell where the activeX ends)?



Re: how can a firewall box handle virus?
peter wrote:

Quoted text here. Click to load it

i can't believe these guys keep going at it, meanwhile nobody answers *this*
questions

M

Re: how can a firewall box handle virus?
says...
Quoted text here. Click to load it

And I wonder why the OP or you have not contacted ANY of the firewall
vendors that offer UTM and asked them how their products work.

Every single firewall vendor has a sales department and they can direct
you to a technical source in their chain that will answer questions that
the sales people can't answer - and it will be specific to their
product.

Some vendors manage those functions differently than others - you don't
know how the product you want to use does it unless you ask the specific
vendor.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: how can a firewall box handle virus?
Quoted text here. Click to load it

Well, hopefully the firewall doesn't scan on layer 2, but layer 3 and
above. Because layer 2 doesn't know anything about POP3, or sessions, or
streams. Like, at all.

Quoted text here. Click to load it

It all depends on how the firewall actually works. Does it inspect
packets on layer 2? Layer 3? Layer 4+? Does it reassemble packets to
reconstruct data streams? Does it proxy connections?

Normally I would assume that the firewall will proxy the connection, so
that the mail (in case of POP3) or web page (in case of HTTP) is
downloaded by the firewall, scanned and then either discarded or
forwarded to the user originally requesting the mail/web page.

However, like I already said, it all depends on what the firewall
actually does, i.e. how it was implemented by the manufacturer.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: how can a firewall box handle virus?


vogt@spamcop.net says...
Quoted text here. Click to load it

That's why yo use your own email server and then block attachments by
mime type - and then you block anything that could be malicious by file
type (mime type).

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: how can a firewall box handle virus?


Quoted text here. Click to load it

So you are saying that viruses only come through e-mail? Or how is
this comment exactly related with the firewall box which scans the
network traffic for viruses?

Gerald


Re: how can a firewall box handle virus?


vogt@spamcop.net says...
Quoted text here. Click to load it

I believed that the OP mentioned POP in his question, I addressed that
part. How could you miss that?

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: how can a firewall box handle virus?


Quoted text here. Click to load it

The OP mentioned Trojan. Do we discuss Trojans now?

How did you miss that it is about a firewall box (see subject)? POP
was an example to illustrate that he does not know how the firewall
filters the network traffic for malware. Isn't the "Let's say..." in
the OP clear enough? Thus you are dragging this off-topic by
discussing email servers as that does not explain "how the firewall
box handles virus".

Gerald


Re: how can a firewall box handle virus?


vogt@spamcop.net says...
Quoted text here. Click to load it

Gerald - don't request Follow-Up by email, this is Usenet and that's
where the thread should stay.

I don't know what your problem is, but the op mentioned POP and that's
the part I replied to, specifically, get over yourself. My explanation
discussed how a firewall can be used to remove malware from email, which
was something the OP should be aware of as part of an overall
email/malware discussion.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: how can a firewall box handle virus?


Leythos wrote:
Quoted text here. Click to load it

The thread is off-topic because it has nothing to do with what the OP
asked. That's why it is fup poster.

Quoted text here. Click to load it

?? Where exactly is the firewall in your explanation:

"That's why yo use your own email server and then block attachments by
mime type - and then you block anything that could be malicious by file
type (mime type)."

I don't think that "email server" is generally considered the same as
"firewall".

Quoted text here. Click to load it

It still won't help to understand how the firewall box scans for viruses.

Unless you have anything to say which is relevant to the original
question how a firewall box filters for viruses, this is off-topic, fup
poster, and EOD.

Gerald

Re: how can a firewall box handle virus?


vogt@spamcop.net says...
Quoted text here. Click to load it

And since you don't own or moderate the group, it's not your place to
declare something off-topic, and when you don't understand something,
and when you can't comprehend, it doesn't make it OT.

Quoted text here. Click to load it

Read it again, asince this was a firewall discussion, it would make
sense that a firewall might protect an email server. Yea, I didn't spell
it out, but then I didn't expect to have some asshole jump into it and
try to moderate the thread.

Quoted text here. Click to load it

That would be the first thing you've got right today.

Quoted text here. Click to load it

INTERNET >> FW >> NETWORK >> EMAIL SERVER & Workstations

So, by implementing a firewall with SMTP Proxy service you can remove
attachment types (based on mime types) and eliminate most of the
threats, and since most people would also have SMTP aware AV software,
the PDF's and Zip files would also be checked as definitions become
available.

So, get off your high-horse, quit acting like an asshole, and realize
that there are a lot of people that know a lot more than you.


--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: how can a firewall box handle virus?


Leythos wrote:
Quoted text here. Click to load it

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g.
sonicwall tz180). Sounds attractive. But how does it work?"

Quoted text here. Click to load it

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g.
sonicwall tz180). Sounds attractive. But how does it work?"

Quoted text here. Click to load it

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g.
sonicwall tz180). Sounds attractive. But how does it work?"

Quoted text here. Click to load it

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g.
sonicwall tz180). Sounds attractive. But how does it work?"

Quoted text here. Click to load it

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g.
sonicwall tz180). Sounds attractive. But how does it work?"

I don't know your definition of 'off-topic'. But can you be any more
off-topic from the OP? Anything you write about is what you brought
up but which is unrelated to the OP. Why do you think a generic
firewall discussion about something is applicable only because the
subject contains "firewall" or the group has "firewall" in the name?

But all you write has nothing to do with the question of the OP. Even
your strange requirement that you should use your email server to
firewall is odd, because you can still use the same firewall to filter
the traffic from any external email server to your computer via POP or
IMAP.

Thus, maybe you could write something on-topic and explain how the
firewall does it exactly? "How can a firewall box handle virus?"
Setting
up your own e-mail server has nothing to do with that nor is a
requirement to make some use of a virus filtering firewall box...

Gerald


Re: how can a firewall box handle virus?


vogt@spamcop.net says...
Quoted text here. Click to load it

Nice selective snipping on your trolling part.

Now, maybe if you had been just a little smarter you might have been
able to read the rest of his post and see this part:

"
Let's say I'm downloading a pop3 email. Does the firewall stores the
entire email and attachment, scan it for virus, then forward it on if
it's clean?
"

Notice the OP asking about POP3 now?

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
  drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: how can a firewall box handle virus?


Leythos wrote:
Quoted text here. Click to load it

Notice the "Let's say" which clearly indicates that this is an example
to explain which kind of problem the OP has. POP3 is only one example.
The question covers all protocols. POP3 was just picked as example. All
you wrote won't explain how the firewall will scan HTTP, FTP, or IM
traffic for malware, or may filter Java applets, etc.

The question is broader then the example. It is useless to poke on the
e-mail server as it does not cover HTTP, FTP, IM or any other network
protocol which may be scanned for malware.

And everything you wrote still does not explain how the firewall works
in regard to the question related to the e-mail scanning: "Does the
firewall stores the entire email and attachment, scan it for virus, then
forward it on if it's clean?"

But you don't answer this question either. You don't explain how the
firewall would scan e-mails for malware. Filtering certain mime types is
  obviously something different than scanning for viruses. Your comment
could be simply extended to "block all e-mail traffic". This way the
firewall would also effectively stop all incoming malware through
e-mails. But still, the firewall would not scan the e-mails for malware.
It would just filter a port...

So, why don't you simply answer the question how the firewall works? You
know the example but even there you don't explain how it works. How does
a virus scanner on a network firewall work? How does it scan network
traffic like smtp, imap, pop3, http, ftp, any IM protocol, etc. for
malware? To repeat rephrase the example in the OP: "Let's say I'm
downloading a 100MB file via ftp. Does the firewall store the entire
download, scan it for virus, then forward it on if it's clean?"

But I guess it is futile to ask for answers from you. You would only
poke around some details in the FTP protocol and would say that you
would filter certain file extensions from downloading... Still does not
explain the question but you have you buzzword "FTP" thus it is time for
you to elaborate on FTP...

Gerald

P.S.: still off-topic thus fup poster.

Site Timeline