Anti-virus and squid integration. Any hacker ?

From: Paul Boyer <paul.boyer@dont-contact.us>
Date: Wed, 31 May 2000 00:51:32 +0200

Hi all,

I have been looking around, I have installed a few squid+ Trend's
interscan VirusWall, and I come to a conclusion :

Squid is the best proxy, while Interscan VirusWall is the best
anti-virus.

The problem comes from the fact that Interscan needs to act as a proxy
itself, and it does not do so nearly as well as squid, while Squid
offers no anti-virus protection, which is a bad thing for the Windows
users.

What I would like to come up with is the following :
* Squid does its work the exact same way, except that it pipes all the
datastream (only when not from cache) to an anti-virus API (kind of
CVP, but needs to be more "real-time"), reads the pipe back from the
corresponding API, and treats the dataflow the squid way.
* The anti-virus gives an API to their application, allowing any
dataflow to be controlled by the anti-virus.

This seems like a very flexible model, as it allows other proxies to
integrate the anti-virus magic in synchronous connections
(pop3, imap, rcp, etc.)

Back to squid :

How do the squid hackers estimate it could be done in the squid piece
of software, and how much work would be involved in writing a hook in
the piece of code called for retrievals from the Internet, so that it
calls an anti-virus api ?

The problems I have with the current solution of chaining the squid
and the anti-virus are the following :
1) user -> anti-virus -> squid -> Internet : bad
* every file, even cached files, is checked each time for viruses
* squid's great features (authentication, user-dependent redirector,
user-dependent delay pools, etc.) get broken
* The squid cache gets viruses, and running the anti-virus software on
the cache files is dangerous

2) user -> squid -> AV -> Internet
* Much better, but some nice features of squid are not implemented as
well in the AV (limiting downstream bandwidth, nice icons on ftp
directories, etc.)

3) user -> squid -> AV -> proxy-only squid -> Internet
* pretty well, every nice feature is there, except that the outermost
squid can't differentiate the users. mainly no user delay pools.
* but what a configuration nightmare ;-/

Paul Boyer

PS: As an official partner of Trend on its Linux product (because
there is no free software anti-virus out there, we otherwise
distribute only OSS security solutions), my company can pretty much
get involved in an effort to join the efforts on the 2 products, in
order to get a better security solution.
As a company and as a person as well, I'd love to contribute to the
effort.
Received on Tue May 30 2000 - 16:56:47 MDT
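
The difference between chain 1 and the scan-on-retrieval hook proposed in the message above, as an added example that is not part of the original post and is not Squid or Trend code. It is a small model: the class and function names are hypothetical, and the signature marker and sample traffic are constructed.

```python
# Added model; class and function names are hypothetical, not Squid or Trend APIs.
SIGNATURE = b"FAKE-SIGNATURE"  # constructed marker standing in for a virus pattern

class Scanner:
    def __init__(self):
        self.scans = 0
    def is_clean(self, body):
        self.scans += 1
        return SIGNATURE not in body

class CachingProxy:
    """Caching proxy with an optional hook called only on fetches from the origin."""
    def __init__(self, origin, scan_hook=None):
        self.origin, self.scan_hook, self.cache = origin, scan_hook, {}
    def get(self, url):
        if url in self.cache:              # cache hit: no fetch, no scan
            return self.cache[url]
        body = self.origin[url]            # cache miss: retrieve from the "Internet"
        if self.scan_hook and not self.scan_hook(body):
            return None                    # blocked before it can enter the cache
        self.cache[url] = body
        return body

def stats(scanner, proxy, delivered):
    return {
        "scans": scanner.scans,
        "infected_cached": sum(SIGNATURE in b for b in proxy.cache.values()),
        "infected_delivered": sum(1 for b in delivered if b and SIGNATURE in b),
    }

def av_in_front(origin, requests):
    """Chain 1: user -> anti-virus -> squid -> Internet."""
    scanner, proxy = Scanner(), CachingProxy(origin)
    delivered = []
    for url in requests:
        body = proxy.get(url)              # squid caches whatever it fetched
        delivered.append(body if scanner.is_clean(body) else None)
    return stats(scanner, proxy, delivered)

def scan_on_miss(origin, requests):
    """Proposed hook: squid calls the scanner on retrievals only."""
    scanner = Scanner()
    proxy = CachingProxy(origin, scan_hook=scanner.is_clean)
    delivered = [proxy.get(url) for url in requests]
    return stats(scanner, proxy, delivered)

# Constructed sample traffic: one clean object, one carrying the marker.
ORIGIN = {"/a.zip": b"clean bytes", "/b.exe": b"MZ" + SIGNATURE}
REQUESTS = ["/a.zip"] * 3 + ["/b.exe"] * 2

if __name__ == "__main__":
    print("AV in front :", av_in_front(ORIGIN, REQUESTS))
    print("scan on miss:", scan_on_miss(ORIGIN, REQUESTS))
```

In this model a blocked object is never cached, so each repeat request for it is fetched and scanned again, while clean objects are scanned once and then served from cache.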
