Open Source Network Gateway
for Spam Blocking, Web Filtering,
Remote Access and More

Untangle - Professional-Grade Security Solutions. Untangle Virus Blocking

Two Great Apps to Protect Your Network

 

Untangle Virus Blocking Overview:

Virus Blocker, based on ClamAV, is an excellent open source & free virus blocker included in Untangle. Kaspersky is the best-of-breed commercial add-on for organizations requiring the highest levels of network protection.

Why Two Virus Blockers?

Two virus blockers provide an extra layer of security for businesses with a history of virus problems. Virus Blocker and Kaspersky Virus Blocker leverage distinct scanning engines, signature databases and research teams. This provides a second set of eyes to look at every email message, website, download and file transfer, which can be critical during the early stages of a virus outbreak. Kaspersky Virus Blocker is proprietary software and is not available under the GNU General Public License.

Key Features:

  • ClamAV is Open source & Free under the GNU General Public License (GPL)
     
  • Kaspersky is the best-of-breed anti-virus solution, starting at $10 per month
     
  • Unlike desktop solutions, Untangle sits at the network gateway and automatically updates signatures, so you don’t have to worry about whether your users have disabled their client software in any way
     
  • Protection on the most common email protocols SMTP, IMAP, and POP
     
  • Protection for webmail and file transfer via HTTP and FTP protocols
     
  • Reports and event logs show you what viruses are being blocked on the network

 

Technical Specifications:

Virus Blocker and Kaspersky Virus Blocker protect your network against viruses. Viruses infect networks in many different ways, so our Virus Blocking applications scan numerous protocols for viral signatures including:

  • Email: SMTP, POP, IMAP
  • Web: HTTP
  • File Transfer: FTP

Virus Blocker is based on an open source virus scanner, ClamAV, while Kaspersky Virus Blocker leverages Kaspersky. Both applications:

  • Detect viruses, worms, and trojan horses
  • Scan within archives and compressed files: Zip, RAR, Tar, Gzip, Bzip2, MS OLE2, MS Cabinet Files, MS CHM, and MS SZDD
  • Protect against archive bombs, files that are repeatedly compressed. Such files cause other virus scanners or programs to crash or hang by consuming all CPU resources. Intensive resource consumption can occur when other virus scanners scan numerous levels of files within files; however, Untangle Virus Blocker products thwart this technique
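One way a gateway scanner can bound the work an archive bomb demands, as an added example (this is not Untangle's or ClamAV's code). The limits, the fail-closed policy and the `is_malicious` callback standing in for a signature engine are assumptions, and only Zip is handled:

```python
import io
import zipfile

MAX_DEPTH = 4                    # assumed limit on archive-in-archive nesting
MAX_UNPACKED = 8 * 1024 * 1024   # assumed decompressed-byte budget per file

class LimitExceeded(Exception): pass

def _read_capped(member, budget):
    # Count bytes as they are decompressed; the size field in the zip
    # header is sender-controlled and cannot be trusted for the limit.
    out = bytearray()
    while chunk := member.read(65536):
        budget[0] -= len(chunk)
        if budget[0] < 0:
            raise LimitExceeded("decompressed size budget exhausted")
        out += chunk
    return bytes(out)

def scan(data, is_malicious, depth=0, budget=None):
    """Return paths of flagged members; raise LimitExceeded at a limit."""
    budget = [MAX_UNPACKED] if budget is None else budget
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["<data>"] if is_malicious(data) else []
    if depth >= MAX_DEPTH:
        raise LimitExceeded("more than %d archive layers" % MAX_DEPTH)
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                inner = _read_capped(member, budget)
            found = scan(inner, is_malicious, depth + 1, budget)
            hits += [info.filename + "/" + h for h in found]
    return hits

def verdict(data, is_malicious):
    # Assumed policy: a file that cannot be scanned within limits is blocked.
    try:
        return "block" if scan(data, is_malicious) else "pass"
    except (LimitExceeded, zipfile.BadZipFile):
        return "block"

def nest(payload, levels):
    # Constructed sample input: wrap payload in `levels` zip layers.
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("layer%d.bin" % i, payload)
        payload = buf.getvalue()
    return payload
```

The byte budget is shared across all layers of one file, so total work stays bounded however the layers are arranged.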

What It Does

Transparently scans HTTP, FTP, SMTP, POP and IMAP traffic for viral signatures

How It Does It

Virus Blocker and Kaspersky Virus Blocker use on-the-fly decompression of archive files for scanning and can scan arbitrarily large files

Controls

  • Can be configured to scan incoming and/or outgoing by traffic type
     
  • In addition,
    • HTTP: configurable scanning by file extension or MIME type
    • SMTP: action on detection can be set to remove infection, block or pass message, with or without sender and/or receiver notification
    • POP and IMAP: action on detection can be set to remove infection or pass message (the nature of POP and IMAP protocols prevents messages from being blocked, but they can be scanned and cleansed)
    • FTP and HTTP: “download resume” can be disabled
       
  • Scan trickle rate can be configured to support very large files

Virus Blocker FAQs:

How do Untangle Server's Virus Blockers compare to "brand-name" virus blockers?

According to an independent evaluation, Virus Blocker "beats the pants off its commercial competition".

If I use the Untangle Server, do I need to install virus software on individual network computers?

If you have Untangle's Virus Blockers running on the Untangle Server, the Untangle Server scans all inbound and outbound email traffic that goes through the Untangle Server. This protection is your first layer of protection. Imagine this scenario:
 

Angela is a Resume Writer at Angelic Resumes, Inc. One day she works from a remote location, and downloads an infected file from the Internet to her personal laptop, then to her USB drive. She returns to the office the next day, and, using the USB drive, saves the infected file directly to her desktop computer. Her desktop computer is now infected with a virus. To make matters worse, she emails that file to her coworkers. Her coworkers download the file, and now their desktops are also infected.

In this scenario the file was transferred without going through the Untangle Server. If Angela had emailed the file to her coworkers' work email accounts from her personal email account, that email would have passed through the Untangle Server, and the Untangle Server would have prevented the virus from entering your protected network.

Because you cannot fully ensure that all traffic enters and exits through your Untangle Server, Untangle recommends an additional layer of protection. Consider installing anti-virus software on all network desktops and laptops.

For Email, why is blocking (or quarantining) of emails when a virus is detected not always an option?

Only the SMTP protocol allows the Untangle Server to block email messages. The details of the POP and IMAP protocols do not allow the Untangle Server to block or quarantine email messages.

When configuring my Untangle Server to mark virus emails received over IMAP, the subject of the mails changes to [VIRUS]... only after I click on the message. Why?

Most IMAP clients first fetch summary information about emails (subject, sender) so the end user can see a preview list of messages. Only when the user selects (clicks on) the message is the actual content of the message retrieved from the server, and only then is the Untangle Server able to scan the message. Unfortunately, some email clients do not detect the change in subject and update their preview list when the Untangle Server marks the message.

What happens to virus hoaxes?

Spam Blocker, not Virus Blocker or Kaspersky Virus Blocker, blocks virus hoaxes because this type of email is spam, and does not carry an actual virus.

If I have dual virus scanners installed, are one or both used and in which order?

If you have only one of Untangle's virus scanning services installed, then only that scanner will be applied, according to the settings you have established, assuming the Rack element is powered up. If you have dual virus scanners installed, then the "for fee" service is applied to a message first: if a message passes the "for fee" scanner, then and only then is the open source scanner applied to the message (there's no point in scanning the message twice if the first scanner has rejected it). This is not to say one scanner is inherently better than the other: we point this out in the event you are evaluating the two scanners against one another to determine which one, or both, best fits your needs. In this case, note that the "for fee" scanner is complemented by the open source scanner, and in the case of a virus-free message, the computational overhead of the virus scan includes both scanners, whereas a message that would be rejected by both scanners incurs the computational and time cost of just the "for fee" scanner. So, to perform a valid comparison, you should run test messages through the Untangle Gateway with no scanners installed, the "for fee" scanner by itself, the open source scanner by itself and lastly both scanners installed together, and compare the results.

Hardware Requirements:
 


  • The Untangle Server requires a dedicated PC installed at the gateway to your network.
  • Your hardware does not need an operating system - the Untangle Server installs its own operating system.
  • The Untangle Server software completely erases any content or data that may exist on your PC hard drive.

Sizing Guidance

Recommended Configurations (New Hardware)

When purchasing new hardware, spending a couple of extra dollars to meet the following recommended configurations provides the best value.

Resource | Up to 50 Users | Up to 100 Users | Up to 300 Users
Intel/AMD-compatible Processor | Pentium 4 equivalent or greater | Dual Core | Dual Core
Memory | 1 GB | 1 GB | 2 GB
Hard Drive | 80 GB | 80 GB | 80 GB
NICs | 2 (3 for DMZ) | 2 (3 for DMZ) | 2 (3 for DMZ)

Verified Configurations (Trials, Refurbished or Repurposed Hardware)

These are the lowest verified hardware configurations that provide reliable — albeit sometimes slower — performance in production. However, it may be possible for organizations with lower than average network traffic or organizations that do not wish to use all of the modules to run Untangle on smaller systems.

Resource | Up to 50 Users | Up to 100 Users | Up to 300 Users
Intel/AMD-compatible Processor | 800 MHz | 1.2 GHz | 1.6 GHz
Memory | 512 MB | 1 GB | 2 GB
Hard Drive | 20 GB | 30 GB | 40 GB
NICs | 2 (3 for DMZ) | 2 (3 for DMZ) | 2 (3 for DMZ)

Untangle Pre-Installed Servers

Resource | XD Server | XD+ Server
Processor | Pentium D 2.66 GHz | Pentium D 2.80 GHz
Memory | 1 GB | 1 GB
Hard Drive | 80 GB | 80 GB
NICs | 3 | 3

 

 


EdgeDefender.com is a division of Virtual Graffiti Inc., an authorized Untangle Reseller.
Copyright © 2010 Untangle. All rights reserved.