HTTP Anti-Virus Proxy

To increase (greatly, i guess) performance it would be great to have an opportunity to tell HAVP which server replies need to be passed to AV scanner, and which should be returned direct to client without any future checks. This should be defined depending on URL and/or response MIME type.

For example image/gif, image/jpeg or, saying, text/plain responses need no check at all. But application/octet-stream or application/java-script responses must be checked always.

Now HAVP passes ALL data coming from web server to AV scanner, if im not mistaken.

We have a URL black/whitelist at the moment.



Filtering by MIME reduce security. The server could fake wrong MIME type. And there are also expolits in pictures. But I'm also thinking about this feature...

Yes, trusting MIME-types is very silly. We could implement libmagic into HAVP, so it could detect file types properly, but I don't know what would be the gain from it? Scanning images and text takes very little resources, and checking magic for every file would actually mean we had an "extra scanner" taking resources.

I could understand if someone was in an environment with 10000 users and 500MHz CPU available? But really, CPU is cheap these days.

Archive scanning probably is the most expensive thing, you could just limit that to gain some performance. It's always a trade-off as it would be very expensive to fully scan them. They should be mostly left to workstation scanners.

Cheers,
Henrik

But to have some good news anyways, I'll probably add simple magic image detection, so you can disable scanning for them. I need to add some ZIP detection too to fix handling of them, so it's easy to do..

If you take the (real) risk of image exploits, you can reduce scanning quite a lot then.

Cheers,
Henrik