Martin Stecher Secure Computing
download slides (PDF)
Anti-malware scanning at a gateway has different requirements than anti-malware scanning at a client or server.
Some aspects become simpler (e.g. there is no on-access scanning, and a false positive is less dramatic than on a desktop), while new challenges are introduced (e.g. latency, scanning chunk by chunk while the data is still streaming, and the far greater weight that archives and office document formats carry at the perimeter). The default behaviour for some corner cases should also differ: what to do with an archive that is nested too deeply, or one that is encrypted, is a different decision when the alternative to scanning is forwarding unscanned data. Common pitfalls should be avoided when moving an engine from the client to the gateway, such as exempting certain file types from scanning on the basis of their name or media type, both of which the sender controls.
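As an added illustration of the gateway corner cases above (this is example code, not material from the talk or from any product), the following Python scanner unpacks archives recursively with explicit, configurable defaults for the "nested too deeply", "encrypted", "corrupt" and "oversized member" cases, and decides what an object is from its first bytes rather than from the file name or Content-Type it arrives with. The EICAR test string stands in for a real engine, the policy values are assumed, and the nested and "encrypted" ZIPs are constructed inline.

```python
"""Gateway archive policy (added example, not from the talk): depth-limited
recursive unpacking with explicit defaults for encrypted, too-deep, corrupt and
oversized archives, and typing by magic bytes rather than by file name or
Content-Type. The EICAR test string stands in for a real engine."""
import io
import zipfile
import zlib
from dataclasses import dataclass

CLEAN, BLOCK = "clean", "block"


@dataclass(frozen=True)
class Policy:
    """Gateway defaults (assumed values). A desktop engine typically skips what it
    cannot open; a gateway must not forward what it has not inspected."""
    max_nesting: int = 3             # archive levels we are willing to open
    max_member_bytes: int = 1 << 20  # inflate cap per member (decompression bombs)
    on_too_deep: str = BLOCK
    on_encrypted: str = BLOCK
    on_corrupt: str = BLOCK
    on_oversize: str = BLOCK


# Minimal magic-byte table; extend with every format the engine can unpack.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole"}
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def sniff(data: bytes) -> str:
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), "unknown")


def engine_scan(data: bytes) -> bool:
    """Stand-in for the anti-malware engine: flags the EICAR test file."""
    return EICAR in data


def scan(data: bytes, policy: Policy = Policy(), depth: int = 0,
         name: str = "", content_type: str = "") -> tuple[str, str]:
    """Return (verdict, reason). `name` and `content_type` are deliberately unused:
    both are chosen by the sender, so a PE called cat.png or served as image/png
    would walk past any exclusion keyed on them."""
    if engine_scan(data):
        return BLOCK, f"engine hit at depth {depth}"
    if sniff(data) != "zip":                      # decided by content only
        return CLEAN, "not an archive"
    if depth >= policy.max_nesting:
        return policy.on_too_deep, f"nesting deeper than {policy.max_nesting}"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted
                    return policy.on_encrypted, f"encrypted member {info.filename}"
                with zf.open(info) as member:
                    # read one byte past the cap rather than trusting the header size
                    chunk = member.read(policy.max_member_bytes + 1)
                if len(chunk) > policy.max_member_bytes:
                    return policy.on_oversize, f"member {info.filename} exceeds cap"
                verdict, why = scan(chunk, policy, depth + 1)
                if verdict != CLEAN:
                    return verdict, why
    except (zipfile.BadZipFile, NotImplementedError, zlib.error, EOFError) as exc:
        return policy.on_corrupt, f"unparseable archive: {exc}"
    return CLEAN, f"archive clean (depth {depth})"


# --- constructed test inputs (not real traffic) ------------------------------
def make_zip(members: dict, compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for fname, blob in members.items():
            zf.writestr(fname, blob)
    return buf.getvalue()


def nest(payload: bytes, levels: int) -> bytes:
    for i in range(levels):
        payload = make_zip({f"level{i}.bin": payload})
    return payload


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encrypted bit in every local and central-directory header. The data
    is not really encrypted; this only reproduces what a scanner sees in the headers."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


if __name__ == "__main__":
    cases = {
        "eicar 3 deep": nest(EICAR, 3),
        "clean 4 deep": nest(b"just text", 4),
        "pe named cat.png": b"MZ" + EICAR,
        "encrypted zip": mark_encrypted(make_zip({"secret.txt": b"hello"})),
        "corrupt zip": b"PK\x03\x04garbage",
    }
    for label, blob in cases.items():   # name and media type are ignored on purpose
        print(f"{label:17} -> {scan(blob, name='cat.png', content_type='image/png')}")
```

The point of `Policy` is that each corner case is a conscious decision rather than whatever the engine happened to do on a desktop: with the defaults above an encrypted or over-nested archive is refused because nothing has inspected its contents, and a deployment that prefers availability flips a single field to `CLEAN` (or, better, to a quarantine-and-notify path) instead of silently inheriting the client behaviour.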
Deployment at the gateway also offers the chance to combine further prevention techniques with classic anti-malware. By watermarking form data, for example, a legitimate form submission by the user can be distinguished from data that spyware wants to send to its server.
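One way to implement such form watermarking, written as an added example rather than as the scheme described in the talk or used by any product: on the response path the gateway injects a hidden field into every HTML form it delivers, carrying an HMAC bound to the client, the form action and an expiry; on the request path it verifies and strips that field from outbound POST bodies. A POST without a valid watermark for that client and target was not submitted from a form the user was shown. The field name `_gw_wm`, the key, the one-hour lifetime and the sample page are all assumptions.

```python
"""Form-data watermarking at the gateway (added example, not from the talk).
Every HTML form the gateway delivers gets a hidden HMAC field bound to the
client and the form action; an outbound POST that lacks a valid field was not
submitted from a form the user was shown, which is how spyware phones home."""
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qsl, urlencode

WM_FIELD = "_gw_wm"   # hidden field name (assumed)
TTL = 3600            # seconds a watermark stays valid (assumed)
_FORM_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE)
_ACTION_RE = re.compile(r"""action\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


class FormWatermarker:
    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now            # injectable clock, so expiry can be tested

    def _mac(self, client_id: str, action: str, exp: int) -> str:
        msg = f"{client_id}|{action}|{exp}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def stamp_response(self, client_id: str, html: str) -> str:
        """Response path: inject the hidden field after every <form ...> tag.
        The action is taken as written; a real gateway would resolve relative
        URLs against the page URL before binding to them."""
        exp = int(self.now()) + TTL

        def inject(m):
            tag = m.group(0)
            found = _ACTION_RE.search(tag)
            action = found.group(1) if found else ""
            token = f"{exp}.{self._mac(client_id, action, exp)}"
            return f'{tag}<input type="hidden" name="{WM_FIELD}" value="{token}">'

        return _FORM_RE.sub(inject, html)

    def check_request(self, client_id: str, action: str, body: str) -> tuple[bool, str]:
        """Request path: verify and strip the watermark from a urlencoded POST.
        Returns (allowed, body_to_forward). Anything that fails verification is
        treated as a submission the user never made."""
        token, rest = None, []
        for k, v in parse_qsl(body, keep_blank_values=True):
            if k == WM_FIELD:
                token = v
            else:
                rest.append((k, v))
        if token is None:
            return False, ""                  # no form was ever delivered for this post
        try:
            exp_s, mac = token.split(".", 1)
            exp = int(exp_s)
        except ValueError:
            return False, ""
        if exp < self.now():
            return False, ""                  # stale token; bounds the replay window
        if not hmac.compare_digest(mac, self._mac(client_id, action, exp)):
            return False, ""                  # wrong client, wrong action or wrong key
        return True, urlencode(rest)          # forward without the gateway's field


def extract_token(stamped_html: str) -> str:
    """Pull the injected value back out of a stamped page (what a browser would post)."""
    return re.search(rf'name="{WM_FIELD}" value="([^"]+)"', stamped_html).group(1)


if __name__ == "__main__":
    gw = FormWatermarker(key=b"gateway-secret", now=lambda: 1_700_000_000)
    page = '<html><form action="/login" method="post"><input name="user"></form></html>'
    stamped = gw.stamp_response("10.0.0.5", page)
    tok = extract_token(stamped)
    print("browser:", gw.check_request("10.0.0.5", "/login", f"user=alice&{WM_FIELD}={tok}"))
    print("spyware:", gw.check_request("10.0.0.5", "/upload", "data=secret"))
    print("replay by other host:", gw.check_request("10.0.0.6", "/login", f"user=alice&{WM_FIELD}={tok}"))
```

Binding the MAC to the client identity and the action is what stops a token harvested from one page being reused to launder a post to the spyware's own server, and the expiry caps how long a harvested token remains useful. The scheme only covers what the gateway can see and rewrite: pages served inside TLS that is not decrypted at the gateway, JSON or multipart bodies produced by scripts rather than forms, and cross-origin posts all need either an exemption or a separate rule, which is the trade-off that makes the "is SSL scanning possible and needed" question below more than academic.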
Which protocols should be handled by a gateway? Is SSL scanning possible and needed? Can callout protocols such as ICAP or OCP help to write an application agnostic scanner that works in all environments? How would tests such as the VB100 need to change so that gateway anti-malware products can participate?