HTTP Anti-Virus Proxy
http://havp.hege.li/forum/

Selective AV check.
http://havp.hege.li/forum/viewtopic.php?f=4&t=143

Author:  Jared [ 23 Jun 2006 18:30 ]
Post subject:  Selective AV check.

To increase (greatly, I guess) performance it would be great to have an opportunity to tell HAVP which server replies need to be passed to AV scanner, and which should be returned direct to client without any future checks. This should be defined depending on URL and/or response MIME type.

For example image/gif, image/jpeg or, saying, text/plain responses need no check at all. But application/octet-stream or application/java-script responses must be checked always.

Now HAVP passes ALL data coming from web server to AV scanner, if I'm not mistaken.

Author:  Christian [ 23 Jun 2006 19:16 ]
Post subject:  Re: Selective AV check.

Jared wrote:
To increase (greatly, I guess) performance it would be great to have an opportunity to tell HAVP which server replies need to be passed to AV scanner, and which should be returned direct to client without any future checks. This should be defined depending on URL and/or response MIME type.


We have a URL black/whitelist at the moment.

Jared wrote:
For example image/gif, image/jpeg or, saying, text/plain responses need no check at all. But application/octet-stream or application/java-script responses must be checked always.


Filtering by MIME reduces security. The server could fake a wrong MIME type. And there are also exploits in pictures. But I'm also thinking about this feature...

Author:  hege [ 23 Jun 2006 19:41 ]
Post subject: 

Yes, trusting MIME-types is very silly. We could implement libmagic into HAVP, so it could detect file types properly, but I don't know what would be the gain from it? Scanning images and text takes very little resources, and checking magic for every file would actually mean we had an "extra scanner" taking resources.

I could understand if someone was in an environment with 10000 users and 500MHz CPU available? But really, CPU is cheap these days. :)

Archive scanning probably is the most expensive thing, you could just limit that to gain some performance. It's always a trade-off as it would be very expensive to fully scan them. They should be mostly left to workstation scanners.

Cheers,
Henrik

Author:  hege [ 23 Jun 2006 20:17 ]
Post subject: 

But to have some good news anyways, I'll probably add simple magic image detection, so you can disable scanning for them. I need to add some ZIP detection too to fix handling of them, so it's easy to do.

If you take the (real) risk of image exploits, you can reduce scanning quite a lot then.

Cheers,
Henrik
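
The trade-off discussed in this thread, as an added example (not HAVP code; `sniff`, `must_scan`, `mime_mismatch` and the `skip_images` switch are hypothetical names): the decision to skip scanning is taken from the leading bytes of the body, never from the server-declared Content-Type. A magic match only identifies the container format, so skipping images still accepts the image-exploit risk mentioned above.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

enum class Kind { Gif, Jpeg, Png, Zip, Unknown };

// Identify content from its leading bytes only; the declared
// Content-Type header is never consulted here.
Kind sniff(const unsigned char* buf, std::size_t len) {
    auto starts = [&](const char* sig, std::size_t n) {
        return len >= n && std::memcmp(buf, sig, n) == 0;
    };
    if (starts("GIF87a", 6) || starts("GIF89a", 6)) return Kind::Gif;
    if (starts("\xFF\xD8\xFF", 3)) return Kind::Jpeg;
    if (starts("\x89PNG\r\n\x1a\n", 8)) return Kind::Png;
    if (starts("PK\x03\x04", 4)) return Kind::Zip;
    return Kind::Unknown;
}

bool is_image(Kind k) {
    return k == Kind::Gif || k == Kind::Jpeg || k == Kind::Png;
}

// Policy: skip scanning only when the operator opted in AND the bytes
// themselves look like an image. Everything else, including ZIP and
// unknown content, is always scanned.
bool must_scan(const unsigned char* buf, std::size_t len, bool skip_images) {
    return !(skip_images && is_image(sniff(buf, len)));
}

// True when a response declared as image/* does not start with image
// magic, i.e. the server-supplied MIME type cannot be trusted.
bool mime_mismatch(const std::string& declared,
                   const unsigned char* buf, std::size_t len) {
    return declared.rfind("image/", 0) == 0 && !is_image(sniff(buf, len));
}

int main() {
    // Constructed sample: body starts like an executable but is
    // declared as image/gif by the server.
    const unsigned char body[] = {'M', 'Z', 0x90, 0x00};
    std::printf("mismatch=%d must_scan=%d\n",
                mime_mismatch("image/gif", body, sizeof body),
                must_scan(body, sizeof body, true));
    return 0;
}
```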

All times are UTC + 2 hours [ DST ]