On Thu, Oct 24, 2002 at 08:26:18AM -0400, Jerry Murdock wrote:
> Jumping in here..
>
> ----- Original Message -----
> From: "Michael Hayder" <mic-lists-squid@wlug.de>
> To: "Mailinglist squid" <squid-users@squid-cache.org>
> Sent: Thursday, October 24, 2002 4:26 AM
> Subject: RE: [squid-users] What Virus Scanning software runs "nicely" with Squid?
>
>
> > On Wed, 2002-10-23 at 23:58, Carmelo A. Zizza wrote:
> > > TrendMicro you can find it at http://www.antivirus.com. You can also
> > Hi,
> > I had a look at this page many times ..... but which product do you mean
> > exactly.
>
> VirusWall
>
> > Do you use this stuff in a production environment ???
>
> Yes - several.
>
> > Any loss of performance ???
>
> Some - but there's no avoiding it. You're adding an extra layer of
> proxying, and delivery of files to the client is delayed until the
> complete file is received by Viruswall for scanning.
>
> I minimize both problems with judicious use of always_direct acl's.
Do You also use "never_direct" to make sure that an unreachable
viruswall (high load, segfaults/hangs, mistake) does not lead to
bypassing it? Or isn't that necessary?
> I
> generally run Viruswall as a parent proxy to my squid. I see no need to
> send requests that won't be scanned like https or streaming content
> through the Viruswall "box" (you can run both on the same physical
> server).
>
> Bottom line is little or no complaints from users after they are educated
> about download delays. For basic browsing, there's generally no
> noticeable delay, where users become aware of it is when they "download" a
> large file. Viruswall will trickle just enough data to the browser to
> keep the connection alive while it downloads/scans the full file. The
> result is the user's progress dialog may have VERY large estimated time
> numbers while the Viruswall does its thing, then the file comes down all
> at once.
We do the same, but experienced some bugs in the viruswall doing
the proxying part of its job:
* If an ftp-server uses strange permissions on the files/directories,
the viruswall messes up the listing totally. Rarely some more
difficulties with ftp-servers.
* Hangs sometimes on SSL/CONNECT (no problem if You bypass the
viruswall for https like Jerry)
* on one machine we got hanging dns-lookup-children, filling up
CPU/RAM over time.
So we decided to do a sandwich-setup: trendmicro uses squid again
as parent (squid doing a "no_cache" and "always_direct" for requests
from the viruswall-IP [localhost for us]). The only problem we are
fighting with now is squid flooding cache.log with "forwarding loop
detected". Only workaround we found is disabling the cache_log.
Besides that loop-detection, it works perfectly. Squid is
doing caching/user-auth/proxying/ftp-listing/dns-lookups and
viruswall is scanning http-traffic without doing anything else.
/nils.
-- nils toedtmann, technical department, marcant internet-services gmbh <http://www.marcant.net>

Received on Thu Oct 24 2002 - 06:57:02 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:53 MST
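
The sandwich setup and the never_direct question from the message above, written out as a squid.conf fragment. This is an added example, not configuration from the original posters; the peer port, the ACL names and the Squid 2.x directive spellings are assumptions.

```conf
# Constructed example. Request path:
#   client -> Squid -> VirusWall -> Squid (second pass) -> origin server

# First pass: VirusWall is the only parent. Same host here; port 8080 is assumed.
cache_peer 127.0.0.1 parent 8080 0 no-query default

acl all            src 0.0.0.0/0.0.0.0
acl from_viruswall src 127.0.0.1/255.255.255.255
acl CONNECT        method CONNECT

# Second pass: requests coming back from VirusWall go straight to the origin
# and are not stored, so only the scanned copy returned through the parent
# on the first pass can end up in the cache.
# (no_cache is the Squid 2.x name; later releases call the directive "cache".)
always_direct allow from_viruswall
no_cache deny from_viruswall

# HTTPS tunnels are not scanned anyway, so keep them off the scanner.
always_direct allow CONNECT

# Fail closed: everything that did not match always_direct must use the
# parent. If VirusWall is down or hung, clients get a Squid error page
# instead of an unscanned download. Without this line Squid may fall back
# to fetching directly when the parent is unreachable.
never_direct allow all

# Caveat: from_viruswall matches on source address only. Any other local
# process on the proxy host that connects from 127.0.0.1 also skips the
# scanner, so keep local accounts on that host to a minimum.
```

always_direct is evaluated before never_direct, which is why the two bypass rules still work with the catch-all `never_direct allow all` in place.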