Stopping malware at the gateway: challenges and solutions

Martin Stecher Secure Computing

  download slides (PDF)

Anti-malware scanning at a gateway has different requirements than anti-malware scanning at a client or server.

Some aspects become simpler (e.g. no on-access scanning, false positives are less dramatic) while new challenges are introduced (e.g. latency, chunk-by-chunk scanning, streaming, more important scanning of archives and office document formats). The default behaviour for some corner cases should be different (what to do if an archive is nested too often or the archive is encrypted). Common pitfalls should be avoided when moving an engine from the client to the gateway such as bypassing certain filetypes by name or media type.

The deployment at the gateway also offers the chance to combine more prevention techniques with classic anti-malware; by watermarking form data for example, legitimate posting of data can be distinguished from data that spyware wants to send to its server.

Which protocols should be handled by a gateway? Is SSL scanning possible and needed? Can callout protocols such as ICAP or OCP help to write an application agnostic scanner that works in all environments? How would tests such as the VB100 need to change so that gateway anti-malware products can participate?


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.