From: Victor J. <vi...@nk...> - 2005-05-04 09:12:59
Ken Hilliard wrote:
> I found your project on the ClamAV website. What I’d like to know is
> what are the general limitations using this type of scheme for
> anti-virus protection for LAN workstations behind the firewall? For
> example, when using a web proxy anti-virus solution the software must
> completely buffer long web file downloads before it can do virus
> scanning. I don’t see how this could be done using iptables where you
> have to “vote” on a packet-by-packet basis. Secondly, is the current
> inline snort version suitable for production use?

Hi Ken,

The ClamAV preprocessor in Snort is not a replacement for an HTTP Proxy Scanner or an AV Smtp Gateway. Due to the nature of the scanner, we scan only raw and incomplete data. So there is no mime decoding, unzipping, or any other preprocessing of the data.

Still, I can catch (and block) viruses in Msn, Smb, Imap, Pop3, Ftp, Http. Maybe not all of them, but I see it as an extra layer of protection.

Regards,
Victor
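The limitation discussed in this exchange, as an added example that is not part of the original message and is not code from Snort or ClamAV: a simplified model that compares a per-packet signature match with a buffering scan and a decoding scan. The signature, the sample transfers and all function names are constructed for illustration, and the per-packet matching model is an assumption.

```python
import base64

# Constructed, harmless marker standing in for a virus signature.
SIGNATURE = b"X-CONSTRUCTED-TEST-MARKER-0001"


def scan_per_packet(packets):
    """Vote on each packet payload in isolation, as an inline filter must."""
    return [SIGNATURE in p for p in packets]


def scan_reassembled(packets):
    """Proxy-style scan: buffer the whole transfer, then match."""
    return SIGNATURE in b"".join(packets)


def scan_decoded(packets):
    """Gateway-style scan: buffer, undo base64 transfer encoding, then match."""
    body = b"".join(packets)
    try:
        body = base64.b64decode(body, validate=True)
    except ValueError:
        pass  # not base64: scan the bytes as they are
    return SIGNATURE in body


def split(data, size):
    """Cut a payload into fixed-size chunks to mimic packetisation."""
    return [data[i:i + size] for i in range(0, len(data), size)]


# Constructed sample transfers.
FILE = b"header-bytes " + SIGNATURE + b" trailer-bytes"
WHOLE = [FILE]                                 # fits in one packet
STRADDLING = split(FILE, 20)                   # signature crosses packet boundaries
ENCODED = split(base64.b64encode(FILE), 1400)  # MIME-style base64 body

if __name__ == "__main__":
    samples = [("whole", WHOLE), ("straddling", STRADDLING), ("encoded", ENCODED)]
    for name, pkts in samples:
        print(name, any(scan_per_packet(pkts)),
              scan_reassembled(pkts), scan_decoded(pkts))
```

Only the first transfer is caught by the per-packet match; the other two need buffering or decoding, which is why the raw scan works as an extra layer beside a proxy or mail gateway scanner rather than in place of one.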