how can a firewall box handle virus?

on 12.11.2007 22:17:33 by DFS

Some new firewall boxes advertised DPI and virus protection (e.g. sonicwall
tz180). Sounds attractive. But how does it work?

Let's say I'm downloading a pop3 email. Does the firewall store the entire
email and attachment, scan it for virus, then forward it on if it's clean?
And if the attachment has a virus, can it strip out the attachment only and
forward the rest of the email? This sounds too good to be true. And wouldn't
this require a hard drive for the firewall?

Similar question for how it handles spyware, trojans, etc.

Re: how can a firewall box handle virus?

on 13.11.2007 00:04:05 by Gerald Vogt

On Nov 13, 6:17 am, "peter" wrote:
> Some new firewall boxes advertised DPI and virus protection (e.g. sonicwall
> tz180). Sounds attractive. But how does it work?
>
> Let's say I'm downloading a pop3 email. Does the firewall store the entire
> email and attachment, scan it for virus, then forward it on if it's clean?

No. It just inspects it while it is downloading just like any other
antivirus software does. They start at the beginning and end at the
end. You only need a small buffer for that.

But it also does not work miracles. It does not forward anything "if
it's clean". It only recognizes for what it has signatures. It won't
recognize the newest malware until the signatures have it. It won't
recognize very rare malware. It will also recognize things which are
not bad. It will also recognize malware which is actually not
dangerous on your computer because your computer is not vulnerable.

So basically, it may find a few things but it is still and always you
who has to decide what's clean or not.

Gerald

Re: how can a firewall box handle virus?

on 13.11.2007 02:55:55 by Leythos

In article <1194908645.449043.110110@s15g2000prm.googlegroups.com>,
vogt@spamcop.net says...
> So basically, it may find a few things but it is still and always you
> who has to decide what's clean or not.

That's why you use your own email server and then block attachments by
mime type - and then you block anything that could be malicious by file
type (mime type).

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: how can a firewall box handle virus?

on 13.11.2007 03:38:54 by Gerald Vogt

On Nov 13, 10:55 am, Leythos wrote:
> In article <1194908645.449043.110...@s15g2000prm.googlegroups.com>,
> v...@spamcop.net says...
>
> > So basically, it may find a few things but it is still and always you
> > who has to decide what's clean or not.
>
> That's why you use your own email server and then block attachments by
> mime type - and then you block anything that could be malicious by file
> type (mime type).

So you are saying that viruses only come through e-mail? Or how is
this comment exactly related with the firewall box which scans the
network traffic for viruses?

Gerald

Re: how can a firewall box handle virus?

on 13.11.2007 03:52:17 by Leythos

In article <1194921534.894182.9880@y27g2000pre.googlegroups.com>,
vogt@spamcop.net says...
> On Nov 13, 10:55 am, Leythos wrote:
> > In article <1194908645.449043.110...@s15g2000prm.googlegroups.com>,
> > v...@spamcop.net says...
> >
> > > So basically, it may find a few things but it is still and always you
> > > who has to decide what's clean or not.
> >
> > That's why you use your own email server and then block attachments by
> > mime type - and then you block anything that could be malicious by file
> > type (mime type).
>
> So you are saying that viruses only come through e-mail? Or how is
> this comment exactly related with the firewall box which scans the
> network traffic for viruses?

I believed that the OP mentioned POP in his question, I addressed that
part. How could you miss that?

Re: how can a firewall box handle virus?

on 13.11.2007 09:19:00 by Burkhard Ott

On Mon, 12 Nov 2007 21:17:33 +0000, peter wrote:

> Some new firewall boxes advertised DPI and virus protection (e.g. sonicwall
> tz180). Sounds attractive. But how does it work?

Keep your hands away from sonicwall, it's really crap for too much money.

Re: how can a firewall box handle virus?

on 13.11.2007 09:43:08 by Gerald Vogt

On Nov 13, 11:52 am, Leythos wrote:
> In article <1194921534.894182.9...@y27g2000pre.googlegroups.com>,
> v...@spamcop.net says...
>
> > On Nov 13, 10:55 am, Leythos wrote:
> > > In article <1194908645.449043.110...@s15g2000prm.googlegroups.com>,
> > > v...@spamcop.net says...
>
> > > > So basically, it may find a few things but it is still and always you
> > > > who has to decide what's clean or not.
>
> > > That's why you use your own email server and then block attachments by
> > > mime type - and then you block anything that could be malicious by file
> > > type (mime type).
>
> > So you are saying that viruses only come through e-mail? Or how is
> > this comment exactly related with the firewall box which scans the
> > network traffic for viruses?
>
> I believed that the OP mentioned POP in his question, I addressed that
> part. How could you miss that?

The OP mentioned Trojan. Do we discuss Trojans now?

How did you miss that it is about a firewall box (see subject)? POP
was an example to illustrate that he does not know how the firewall
filters the network traffic for malware. Isn't the "Let's say..." in
the OP clear enough? Thus you are dragging this off-topic by
discussing email servers as that does not explain "how the firewall
box handles virus".

Gerald

Re: how can a firewall box handle virus?

on 13.11.2007 09:49:26 by unknown

Post removed (X-No-Archive: yes)

Re: how can a firewall box handle virus?

on 13.11.2007 11:17:23 by DFS

"Gerald Vogt" wrote in message
news:1194908645.449043.110110@s15g2000prm.googlegroups.com...
>
> No. It just inspects it while it is downloading just like any other
> antivirus software does. They start at the beginning and end at the
> end. You only need a small buffer for that.

If that is the case, the firewall may let half an email pass through, detect
a virus, and cut off the rest of the email?

I guess I wasn't clear. What I want to know is, if one of the emails I'm
downloading via pop3 has a virus and is detected by such firewall, what does
it do? Delete one ethernet frame? Delete the rest of the session? Delete
from the start of the signature till the end of the virus (assuming its
virus database has length info)?

What if the virus' signature pattern happens to cross an ethernet packet
boundary, would it still be detected? The firewall would have to be able to
remove low and higher level network headers in order to piece multiple
packets into one data stream to scan for virus. But if it is smart enough to
do this, why not store, scan, and forward attachment if no virus is found?

Similarly, if spyware is detected by such firewall while I'm downloading
an ActiveX control, what does it do? Delete the data until the end of the
ActiveX control data stream (assuming it can tell where the ActiveX ends)?
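
The two halves of this question, Gerald's "small buffer" answer and the worry about a signature that straddles a packet boundary, can be made concrete. The following is an added Python example, not code from the thread or from any firewall vendor: it assumes the device has already reassembled the TCP stream into ordered payload chunks (the header stripping the post describes), keeps only the last few bytes as carry-over, and reports a constructed signature even when it is split across two chunks. The `inline_filter` model also shows the consequence the post anticipates: chunks forwarded before the match are already gone, so the device can only drop the rest of the session.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed demo signatures: arbitrary byte strings that stand in for the
# patterns a real signature database would hold. They are not malware.
SIGNATURES: Dict[str, bytes] = {
    "DEMO.Alpha": b"DEMO_SIG_ALPHA",
    "DEMO.Beta": b"DEMO_SIG_BETA_LONGER",
}


class StreamScanner:
    """Match fixed byte-string signatures across chunk boundaries.

    Only the last (longest signature - 1) bytes of the stream are retained,
    which is the small buffer a streaming scanner needs: a signature whose
    first half arrived in one packet and whose second half arrives in the
    next is still seen whole once the second packet is appended.
    Assumes the caller hands in the reassembled TCP payload in order.
    """

    def __init__(self, signatures: Dict[str, bytes]) -> None:
        self.signatures = signatures
        self.keep = max(len(s) for s in signatures.values()) - 1
        self.tail = b""      # carry-over bytes from earlier chunks
        self.consumed = 0    # stream bytes seen so far

    def feed(self, chunk: bytes) -> List[Tuple[str, int]]:
        """Scan one chunk; return (signature name, stream offset) for hits."""
        data = self.tail + chunk
        base = self.consumed - len(self.tail)   # stream offset of data[0]
        hits: List[Tuple[str, int]] = []
        for name, sig in self.signatures.items():
            start = 0
            while True:
                idx = data.find(sig, start)
                if idx < 0:
                    break
                # Report only matches that end inside the new chunk; a match
                # lying entirely in the carry-over was reported last time.
                if idx + len(sig) > len(self.tail):
                    hits.append((name, base + idx))
                start = idx + 1
        self.consumed += len(chunk)
        self.tail = data[-self.keep:] if self.keep > 0 else b""
        return sorted(hits, key=lambda h: h[1])


def scan_stream(chunks: Iterable[bytes],
                signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[str, int]]:
    """Scan a whole stream delivered as chunks; return every hit."""
    scanner = StreamScanner(signatures)
    hits: List[Tuple[str, int]] = []
    for chunk in chunks:
        hits.extend(scanner.feed(chunk))
    return hits


def inline_filter(chunks: Iterable[bytes],
                  signatures: Dict[str, bytes] = SIGNATURES
                  ) -> Tuple[List[bytes], List[bytes], List[Tuple[str, int]]]:
    """Model an inline device that forwards chunks as they pass.

    Each clean chunk is forwarded immediately. The chunk that completes a
    signature is dropped along with everything after it. Bytes forwarded
    before the match cannot be recalled, which is the half-an-email case.
    Returns (forwarded chunks, dropped chunks, hits).
    """
    scanner = StreamScanner(signatures)
    forwarded: List[bytes] = []
    dropped: List[bytes] = []
    hits: List[Tuple[str, int]] = []
    blocking = False
    for chunk in chunks:
        if blocking:
            dropped.append(chunk)
            continue
        found = scanner.feed(chunk)
        if found:
            hits.extend(found)
            blocking = True
            dropped.append(chunk)
        else:
            forwarded.append(chunk)
    return forwarded, dropped, hits


if __name__ == "__main__":
    # Constructed POP3-style payload, split so the signature straddles two
    # chunks: "DEMO_SI" ends chunk 2 and "G_ALPHA" begins chunk 3.
    packets = [b"From: a@example.test\r\n", b"body DEMO_SI",
               b"G_ALPHA tail\r\n", b"more data"]
    fwd, drop, found = inline_filter(packets)
    print("hits:", found)
    print("forwarded:", len(fwd), "dropped:", len(drop))
```

Run as-is, the split signature is reported at stream offset 27 even though no single chunk contains it, and two chunks have already been forwarded before the device can block. A product that wants to deliver "the rest of the email minus the attachment" has to hold back more than this carry-over (at least a whole MIME part), which is exactly the buffering trade-off the question is circling.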

Re: how can a firewall box handle virus?

on 13.11.2007 13:21:07 by Leythos

In article <1194943388.102607.279770@v29g2000prd.googlegroups.com>,
vogt@spamcop.net says...
> On Nov 13, 11:52 am, Leythos wrote:
> > In article <1194921534.894182.9...@y27g2000pre.googlegroups.com>,
> > v...@spamcop.net says...
> >
> > > On Nov 13, 10:55 am, Leythos wrote:
> > > > In article <1194908645.449043.110...@s15g2000prm.googlegroups.com>,
> > > > v...@spamcop.net says...
> >
> > > > > So basically, it may find a few things but it is still and always you
> > > > > who has to decide what's clean or not.
> >
> > > > That's why you use your own email server and then block attachments by
> > > > mime type - and then you block anything that could be malicious by file
> > > > type (mime type).
> >
> > > So you are saying that viruses only come through e-mail? Or how is
> > > this comment exactly related with the firewall box which scans the
> > > network traffic for viruses?
> >
> > I believed that the OP mentioned POP in his question, I addressed that
> > part. How could you miss that?
>
> The OP mentioned Trojan. Do we discuss Trojans now?
>
> How did you miss that it is about a firewall box (see subject)? POP
> was an example to illustrate that he does not know how the firewall
> filters the network traffic for malware. Isn't the "Let's say..." in
> the OP clear enough? Thus you are dragging this off-topic by
> discussing email servers as that does not explain "how the firewall
> box handles virus".

Gerald - don't request Follow-Up by email, this is Usenet and that's
where the thread should stay.

I don't know what your problem is, but the op mentioned POP and that's
the part I replied to, specifically, get over yourself. My explanation
discussed how a firewall can be used to remove malware from email, which
was something the OP should be aware of as part of an overall
email/malware discussion.

Re: how can a firewall box handle virus?

on 13.11.2007 13:23:04 by Leythos

In article ,
juergen.nieveler.nospam@arcor.de says...
> Leythos wrote:
>
> > That's why you use your own email server and then block attachments by
> > mime type - and then you block anything that could be malicious by file
> > type (mime type).
>
> While this sorts out 99% of the crap, there's enough worms out there
> that send themselves as ZIP (encrypted, even...).
>
> Virus scanners on mailservers usually try to unpack the archive files
> and remove those files from the content that still look dangerous. But
> even that is growing more and more difficult - the latest bugs in
> Acrobat mean that every PDF could be a problem :-(

Yep, we actually block Zip files except from a specific user account
that only admins can reach. In addition to blocking at the firewall
based on mime type we also use SMTP aware scanners that scan before the
email/attachment reaches the mail server itself. Nothing is perfect,
but we've never had a compromised client in more than 20 years.

Re: how can a firewall box handle virus?

on 13.11.2007 15:14:50 by Mak

Juergen Nieveler wrote:
> But
> even that is growing more and more difficult - the latest bugs in
> Acrobat mean that every PDF could be a problem :-(
>

yeah I have been seeing these spam mails with PDF attachments, what's the bug/exploit?

any hints appreciated

M

Re: how can a firewall box handle virus?

on 13.11.2007 15:42:20 by Gerald Vogt

Leythos wrote:
> Gerald - don't request Follow-Up by email, this is Usenet and that's
> where the thread should stay.

The thread is off-topic because it has nothing to do with what the OP
asked. That's why it is fup poster.

> I don't know what your problem is, but the op mentioned POP and that's
> the part I replied to, specifically, get over yourself. My explanation
> discussed how a firewall can be used to remove malware from email, which

?? Where exactly is the firewall in your explanation:

"That's why you use your own email server and then block attachments by
mime type - and then you block anything that could be malicious by file
type (mime type)."

I don't think that "email server" is generally considered the same as
"firewall".

> was something the OP should be aware of as part of an overall
> email/malware discussion.

It still won't help to understand how the firewall box scans for viruses.

Unless you have anything to say which is relevant to the original
question how a firewall box filters for viruses, this is off-topic, fup
poster, and EOD.

Gerald

Re: how can a firewall box handle virus?

on 13.11.2007 16:03:40 by Ansgar -59cobalt- Wiechers

mak wrote:
> Juergen Nieveler wrote:
>> But even that is growing more and more difficult - the latest bugs in
>> Acrobat mean that every PDF could be a problem :-(
>
> yeah I have been seeing these spam mails with PDF attachments,

FTR: those usually don't contain exploits but use PDF merely to evade
keyword or pattern detection of spam filters. However, since there have
been exploitable vulnerabilities in various PDF readers, PDF can't be
considered a "safe" attachment. In fact there are no inherently "safe"
attachments.

If the program handling the attached file has an exploitable bug, then
an exploit contained in the attached file may lead to compromise of
your system once you open the attachment. Meaning that for every type of
attachment there's a nonzero chance that it may contain malware at some
point.

> what's the bug/exploit ?

google://acrobat+vuln

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: how can a firewall box handle virus?

on 13.11.2007 16:45:28 by Leythos

In article <4739b7d2$0$337$44c9b20d@news3.asahi-net.or.jp>,
vogt@spamcop.net says...
> Leythos wrote:
> > Gerald - don't request Follow-Up by email, this is Usenet and that's
> > where the thread should stay.
>
> The thread is off-topic because it has nothing to do with what the OP
> asked. That's why it is fup poster.

And since you don't own or moderate the group, it's not your place to
declare something off-topic, and when you don't understand something,
and when you can't comprehend, it doesn't make it OT.

> > I don't know what your problem is, but the op mentioned POP and that's
> > the part I replied to, specifically, get over yourself. My explanation
> > discussed how a firewall can be used to remove malware from email, which
>
> ?? Where exactly is the firewall in your explanation:

Read it again, since this was a firewall discussion, it would make
sense that a firewall might protect an email server. Yea, I didn't spell
it out, but then I didn't expect to have some asshole jump into it and
try to moderate the thread.

> "That's why you use your own email server and then block attachments by
> mime type - and then you block anything that could be malicious by file
> type (mime type)."
>
> I don't think that "email server" is generally considered the same as
> "firewall".

That would be the first thing you've got right today.

> > was something the OP should be aware of as part of an overall
> > email/malware discussion.
>
> It still won't help to understand how the firewall box scans for viruses.
>
> Unless you have anything to say which is relevant to the original
> question how a firewall box filters for viruses, this is off-topic, fup
> poster, and EOD.

INTERNET >> FW >> NETWORK >> EMAIL SERVER & Workstations

So, by implementing a firewall with SMTP Proxy service you can remove
attachment types (based on mime types) and eliminate most of the
threats, and since most people would also have SMTP aware AV software,
the PDF's and Zip files would also be checked as definitions become
available.

So, get off your high-horse, quit acting like an asshole, and realize
that there are a lot of people that know a lot more than you.


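Leythos's approach, an SMTP proxy on the firewall that strips attachments by MIME type, together with Juergen's ZIP caveat and 59cobalt's point that no attachment type is inherently safe, as an added Python example (not code from the thread, from SonicWall or from any other product): the declared Content-Type and filename are both chosen by the sender, so the check below also looks at the leading bytes of the decoded part, and it replaces each removed part with a text notice so the rest of the message is forwarded intact, which is the "strip the attachment only" behaviour the OP asked about. The block list, magic-byte table and sample message are constructed for the example.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Constructed policy. Declared Content-Type and filename are chosen by the
# sender, so both are checked together with the leading bytes of the
# decoded part; none of the three alone is trustworthy.
BLOCKED_TYPES = {"application/zip", "application/x-msdownload", "application/x-dosexec"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js", ".zip"}
# Well-known leading bytes of ZIP archives and Windows PE executables.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe-executable"}


def classify_part(part: EmailMessage) -> List[str]:
    """Return the policy reasons for removing a part (empty if it may stay)."""
    reasons: List[str] = []
    ctype = part.get_content_type()
    if ctype in BLOCKED_TYPES:
        reasons.append(f"content-type {ctype}")
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"extension {ext}")
    payload = part.get_payload(decode=True) or b""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            reasons.append(f"magic bytes {kind}")
    return reasons


def _filter_multipart(msg: EmailMessage, removed: List[Tuple[str, List[str]]]) -> None:
    """Recursively replace blocked attachments with a text/plain notice."""
    if not msg.is_multipart():
        return
    kept = []
    for part in msg.get_payload():
        if part.is_multipart():
            _filter_multipart(part, removed)
            kept.append(part)
            continue
        is_attachment = (part.get_content_disposition() == "attachment"
                         or part.get_filename() is not None)
        reasons = classify_part(part) if is_attachment else []
        if reasons:
            name = part.get_filename() or "(unnamed)"
            removed.append((name, reasons))
            notice = EmailMessage()
            notice.set_content(
                f"[Attachment {name!r} removed by policy: {', '.join(reasons)}]")
            kept.append(notice)
        else:
            kept.append(part)
    msg.set_payload(kept)


def strip_blocked_attachments(raw: bytes) -> Tuple[bytes, List[Tuple[str, List[str]]]]:
    """Parse a raw RFC 5322 message, strip blocked attachments, re-serialise.

    The rest of the message (body text, harmless attachments) is forwarded
    unchanged, with a notice in place of each removed part.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: List[Tuple[str, List[str]]] = []
    _filter_multipart(msg, removed)
    return msg.as_bytes(), removed


def part_filenames(raw: bytes) -> List[Optional[str]]:
    """Filenames of the top-level parts (None for parts without one)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.get_payload()] if msg.is_multipart() else []


def build_sample_message() -> bytes:
    """Constructed test message: one harmless and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Body text, which the filter must leave alone.")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    # Declared as a ZIP and really starts like one.
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 8 + b"fake archive body",
                       maintype="application", subtype="zip", filename="invoice.zip")
    # Declared as PDF by type and name, but the bytes start like a PE file.
    msg.add_attachment(b"MZ" + b"\x90" * 6 + b"not really a pdf",
                       maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    filtered, removed = strip_blocked_attachments(build_sample_message())
    for name, why in removed:
        print(f"removed {name}: {', '.join(why)}")
    print(filtered.decode())
```

The "report.pdf" part is the point of the magic-byte check: its type and name pass the list, but its content does not. The check is still only as good as the table, and it says nothing about a genuine PDF or archive carrying an exploit for the reader, which is why the thread pairs this kind of filter with a signature scanner rather than relying on either alone.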
Re: how can a firewall box handle virus?

on 13.11.2007 17:41:34 by Wolfgang Ewert

Hello Burkhard Ott, you wrote:
> On Mon, 12 Nov 2007 21:17:33 +0000, peter wrote:
>
> > Some new firewall boxes advertised DPI and virus protection (e.g. sonicwall
> > tz180).
>
> Keep your hands away from sonicwall, it's really crap for too much money.

-v please. These mechanisms, mentioned above (advertised DPI and virus
protection) or at all?

ThX
wolfgang

Re: how can a firewall box handle virus?

on 14.11.2007 05:15:07 by Gerald Vogt

Leythos wrote:
> In article <4739b7d2$0$337$44c9b20d@news3.asahi-net.or.jp>,
> vogt@spamcop.net says...
>> Leythos wrote:
>>> Gerald - don't request Follow-Up by email, this is Usenet and that's
>>> where the thread should stay.
>> The thread is off-topic because it has nothing to do with what the OP
>> asked. That's why it is fup poster.
>
> And since you don't own or moderate the group, it's not your place to
> declare something off-topic, and when you don't understand something,
> and when you can't comprehend, it doesn't make it OT.

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g.
sonicwall tz180). Sounds attractive. But how does it work?"

>>> I don't know what your problem is, but the op mentioned POP and that's
>>> the part I replied to, specifically, get over yourself. My explanation
>>> discussed how a firewall can be used to remove malware from email, which
>> ?? Where exactly is the firewall in your explanation:
>
> Read it again, since this was a firewall discussion, it would make
> sense that a firewall might protect an email server. Yea, I didn't spell
> it out, but then I didn't expect to have some asshole jump into it and
> try to moderate the thread.

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g.
sonicwall tz180). Sounds attractive. But how does it work?"

>> "That's why you use your own email server and then block attachments by
>> mime type - and then you block anything that could be malicious by file
>> type (mime type)."
>>
>> I don't think that "email server" is generally considered the same as
>> "firewall".
>
> That would be the first thing you've got right today.

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g.
sonicwall tz180). Sounds attractive. But how does it work?"

>>> was something the OP should be aware of as part of an overall
>>> email/malware discussion.
>> It still won't help to understand how the firewall box scans for viruses.
>>
>> Unless you have anything to say which is relevant to the original
>> question how a firewall box filters for viruses, this is off-topic, fup
>> poster, and EOD.
>
> INTERNET >> FW >> NETWORK >> EMAIL SERVER & Workstations
>
> So, by implementing a firewall with SMTP Proxy service you can remove
> attachment types (based on mime types) and eliminate most of the
> threats, and since most people would also have SMTP aware AV software,
> the PDF's and Zip files would also be checked as definitions become
> available.

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g.
sonicwall tz180). Sounds attractive. But how does it work?"

> So, get off your high-horse, quit acting like an asshole, and realize
> that there are a lot of people that know a lot more than you.

This paragraph has nothing to do with the question in the OP:

"Some new firewall boxes advertised DPI and virus protection (e.g.
sonicwall tz180). Sounds attractive. But how does it work?"

I don't know your definition of 'off-topic'. But can you be any more
off-topic from the OP? Anything you write about is what you brought
up but which is unrelated to the OP. Why do you think a generic
firewall discussion about something is applicable only because the
subject contains "firewall" or the group has "firewall" in the name?

But all you write has nothing to do with the question of the OP. Even
your strange requirement that you should use your email server to
firewall is odd, because you can still use the same firewall to filter
the traffic from any external email server to your computer via POP or
IMAP.

Thus, maybe you could write something on-topic and explain how the
firewall does it exactly? "How can a firewall box handle virus?" Setting
up your own e-mail server has nothing to do with that nor is it a
requirement to make some use of a virus filtering firewall box...

Gerald

Re: how can a firewall box handle virus?

on 14.11.2007 12:14:28 by Leythos

In article <1195013707.989281.127620@i38g2000prf.googlegroups.com>,
vogt@spamcop.net says...
> Leythos wrote:
> > In article <4739b7d2$0$337$44c9b20d@news3.asahi-net.or.jp>,
> > vogt@spamcop.net says...
> >> Leythos wrote:
> >>> Gerald - don't request Follow-Up by email, this is Usenet and that's
> >>> where the thread should stay.
> >> The thread is off-topic because it has nothing to do with what the OP
> >> asked. That's why it is fup poster.
> >
> > And since you don't own or moderate the group, it's not your place to
> > declare something off-topic, and when you don't understand something,
> > and when you can't comprehend, it doesn't make it OT.
>
> This paragraph has nothing to do with the question in the OP:
>
> "Some new firewall boxes advertised DPI and virus protection (e.g.
> sonicwall tz180). Sounds attractive. But how does it work?"

Nice selective snipping on your trolling part.

Now, maybe if you had been just a little smarter you might have been
able to read the rest of his post and see this part:

"
Let's say I'm downloading a pop3 email. Does the firewall store the
entire email and attachment, scan it for virus, then forward it on if
it's clean?
"

Notice the OP asking about POP3 now?

Re: how can a firewall box handle virus?

on 14.11.2007 12:36:30 by Gerald Vogt

Leythos wrote:
> In article <1195013707.989281.127620@i38g2000prf.googlegroups.com>,
> vogt@spamcop.net says...
>> Leythos wrote:
>>> In article <4739b7d2$0$337$44c9b20d@news3.asahi-net.or.jp>,
>>> vogt@spamcop.net says...
>>>> Leythos wrote:
>>>>> Gerald - don't request Follow-Up by email, this is Usenet and that's
>>>>> where the thread should stay.
>>>> The thread is off-topic because it has nothing to do with what the OP
>>>> asked. That's why it is fup poster.
>>> And since you don't own or moderate the group, it's not your place to
>>> declare something off-topic, and when you don't understand something,
>>> and when you can't comprehend, it doesn't make it OT.
>> This paragraph has nothing to do with the question in the OP:
>>
>> "Some new firewall boxes advertised DPI and virus protection (e.g.
>> sonicwall tz180). Sounds attractive. But how does it work?"
>
> Nice selective snipping on your trolling part.
>
> Now, maybe if you had been just a little smarter you might have been
> able to read the rest of his post and see this part:
>
> "
> Let's say I'm downloading a pop3 email. Does the firewall store the
> entire email and attachment, scan it for virus, then forward it on if
> it's clean?
> "
>
> Notice the OP asking about POP3 now?

Notice the "Let's say" which clearly indicates that this is an example
to explain which kind of problem the OP has. POP3 is only one example.
The question covers all protocols. POP3 was just picked as an example. All
you wrote won't explain how the firewall will scan HTTP, FTP, or IM
traffic for malware, or may filter Java applets, etc.

The question is broader than the example. It is useless to poke on the
e-mail server as it does not cover HTTP, FTP, IM or any other network
protocol which may be scanned for malware.

And everything you wrote still does not explain how the firewall works
in regard to the question related to the e-mail scanning: "Does the
firewall store the entire email and attachment, scan it for virus, then
forward it on if it's clean?"

But you don't answer this question either. You don't explain how the
firewall would scan e-mails for malware. Filtering certain mime types is
obviously something different than scanning for viruses. Your comment
could be simply extended to "block all e-mail traffic". This way the
firewall would also effectively stop all incoming malware through
e-mails. But still, the firewall would not scan the e-mails for malware.
It would just filter a port...

So, why don't you simply answer the question how the firewall works? You
know the example but even there you don't explain how it works. How does
a virus scanner on a network firewall work? How does it scan network
traffic like smtp, imap, pop3, http, ftp, any IM protocol, etc. for
malware? To rephrase the example in the OP: "Let's say I'm
downloading a 100MB file via ftp. Does the firewall store the entire
download, scan it for virus, then forward it on if it's clean?"

But I guess it is futile to ask for answers from you. You would only
poke around some details in the FTP protocol and would say that you
would filter certain file extensions from downloading... Still does not
explain the question but you have your buzzword "FTP" thus it is time for
you to elaborate on FTP...

Gerald

P.S.: still off-topic thus fup poster.

Re: how can a firewall box handle virus?

on 14.11.2007 12:42:42 by Leythos

In article <473addc5$0$337$44c9b20d@news3.asahi-net.or.jp>,
vogt@spamcop.net says...
> Leythos wrote:
> > In article <1195013707.989281.127620@i38g2000prf.googlegroups.com>,
> > vogt@spamcop.net says...
> >> Leythos wrote:
> >>> In article <4739b7d2$0$337$44c9b20d@news3.asahi-net.or.jp>,
> >>> vogt@spamcop.net says...
> >>>> Leythos wrote:
> >>>>> Gerald - don't request Follow-Up by email, this is Usenet and that's
> >>>>> where the thread should stay.
> >>>> The thread is off-topic because it has nothing to do with what the OP
> >>>> asked. That's why it is fup poster.
> >>> And since you don't own or moderate the group, it's not your place to
> >>> declare something off-topic, and when you don't understand something,
> >>> and when you can't comprehend, it doesn't make it OT.
> >> This paragraph has nothing to do with the question in the OP:
> >>
> >> "Some new firewall boxes advertised DPI and virus protection (e.g.
> >> sonicwall tz180). Sounds attractive. But how does it work?"
> >
> > Nice selective snipping on your trolling part.
> >
> > Now, maybe if you had been just a little smarter you might have been
> > able to read the rest of his post and see this part:
> >
> > "
> > Let's say I'm downloading a pop3 email. Does the firewall store the
> > entire email and attachment, scan it for virus, then forward it on if
> > it's clean?
> > "
> >
> > Notice the OP asking about POP3 now?
>
> Notice the "Let's say" which clearly indicates that this is an example
> to explain which kind of problem the OP has. POP3 is only one example.
> The question covers all protocols. POP3 was just picked as example. All
> you wrote won't explain how the firewall will scan HTTP, FTP, or IM
> traffic for malware, or may filter Java applets, etc.

I addressed the example he posted - get over your pompous self.

Re: how can a firewall box handle virus?

on 14.11.2007 13:42:20 by Gerald Vogt

On Nov 14, 8:42 pm, Leythos wrote:
> > Notice the "Let's say" which clearly indicates that this is an example
> > to explain which kind of problem the OP has. POP3 is only one example.
> > The question covers all protocols. POP3 was just picked as example. All
> > you wrote won't explain how the firewall will scan HTTP, FTP, or IM
> > traffic for malware, or may filter Java applets, etc.
>
> I addressed the example he posted - get over your pompous self.

Why don't you simply answer the questions?

The "example" he posted was:

"Let's say I'm downloading a pop3 email. Does the firewall store the
entire email and attachment, scan it for virus, then forward it on if
it's clean? And if the attachment has a virus, can it strip out the
attachment only and forward the rest of the email? This sounds too good
to be true. And wouldn't this require a hard drive for the firewall?"

You did nowhere address these questions.

So far, you were not really on topic to the questions asked.

This is still off-topic, thus fup poster. You'll probably keep poking
about other things and post them instead but I guess that won't need
any further comments. It is kind of ridiculous how you try to avoid
answering some questions clearly asked which would be definitely
on-topic. EOD.

Gerald

Re: how can a firewall box handle virus?

on 14.11.2007 13:49:23 by Leythos

In article <1195044140.235352.135080@s15g2000prm.googlegroups.com>,
vogt@spamcop.net says...
> It is kind of ridiculous how you try

No, what's ridiculous is how you think that you control the group and
have any right to determine what is/is not OT. A question was asked, an
example was posted by the OP, I addressed that example as part of his
question. You don't like the answer, TFB. Your complaining about my post
is completely OT (based on your criteria) and does not provide any
information to the OP about his question. Keep trolling.

Re: how can a firewall box handle virus?

on 14.11.2007 14:35:51 by Gerald Vogt

On Nov 14, 9:49 pm, Leythos wrote:
> In article <1195044140.235352.135...@s15g2000prm.googlegroups.com>,
> v...@spamcop.net says...
>
> > It is kind of ridiculous how to try
>
> No, what's ridiculous is how you think that you control the group and
> have any right to determine what is/is not OT. A question was asked, a

So you are saying that a firewall like the sonicwall which scans for
viruses does this by filtering out e-mail attachments by mime type?
That's basically your contribution to this thread. And this also
requires that you run your own e-mail server because a firewall is not
able to filter the traffic between the server and the client? And that
explains how it works and answers the questions in the OP?

Well, go figure, you are wrong. It scans network traffic like any
other virus scanner and it does not answer the questions even for the
pop3 example part in the OP.

But well, you wrote, "I believed that the OP mentioned POP in his
question, I addressed that part." You did not address the question
which was about the example using POP but only addressed the word "POP".
Sorry. How ignorant from me not to see that if someone writes "POP"
obviously any topic on "POP" is on topic even if it does not answer any
of the questions asked. Maybe we should start to discuss pop songs of
the 80s. I would still address the "POP" part...

Gerald

Re: how can a firewall box handle virus?

on 14.11.2007 15:03:49 by Leythos

In article <1195047351.278788.131920@t8g2000prg.googlegroups.com>,
vogt@spamcop.net says...
> So you are saying

My statement was clear and not OT. You continue to troll and believe
that you can moderate the group - you can't.

Re: how can a firewall box handle virus?

on 14.11.2007 15:31:14 by Gerald Vogt

On Nov 14, 11:03 pm, Leythos wrote:
> In article <1195047351.278788.131...@t8g2000prg.googlegroups.com>,
> v...@spamcop.net says...
>
> > So you are saying
>
> My statement was clear and not OT. You continue to troll and believe
> that you can moderate the group - you can't.

Just explain how the firewall works (which was the question in the
OP)! How it scans for viruses! Once you have explained that shouldn't
it become clear how your statement "That's why yo use your own email
server and then block attachments by mime type - and then you block
anything that could be malicious by file type (mime type). " is
applicable and relevant to those questions and thus to this thread?

Gerald

Re: how can a firewall box handle virus?

am 14.11.2007 15:39:43 von Leythos

In article <1195050674.144272.198730@q5g2000prf.googlegroups.com>,
vogt@spamcop.net says...
> On Nov 14, 11:03 pm, Leythos wrote:
> > In article <1195047351.278788.131...@t8g2000prg.googlegroups.com>,
> > v...@spamcop.net says...
> >
> > > So you are saying
> >
> > My statement was clear and not OT. You continue to troll and believe
> > that you can moderate the group - you can't.
>
> Just explain how the firewall works (which was the question in the
> OP)! How it scans for viruses! Once you have explained that shouldn't
> it become clear how your statement "That's why yo use your own email
> server and then block attachments by mime type - and then you block
> anything that could be malicious by file type (mime type). " is
> applicable and relevant to those questions and thus to this thread?

Based on your rude attitude and your playing a troll, I'm not answering
anything for you. If you can't understand, well, sorry for you.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: how can a firewall box handle virus?

am 14.11.2007 16:16:25 von Gerald Vogt

On Nov 14, 11:03 pm, Leythos wrote:
> In article <1195047351.278788.131...@t8g2000prg.googlegroups.com>,
> v...@spamcop.net says...
>
> > So you are saying
>
> My statement was clear and not OT. You continue to troll and believe
> that you can moderate the group - you can't.

Why do you bother so much thinking about what I might think or
believe?

Or statement clear. Your statement was "That's why yo use your own
email server and then block attachments by mime type - and then you
block anything that could be malicious by file
type (mime type).".

That statement does nowhere explain how a firewall works which scans
for malware (which was the OP question). It does not explain how it
scans and filters malware even if it is only for e-mails. You may
configure the firewall to block certain mime types. But that has
nothing to do with the recognition of malware in network traffic. And
it does still not answer how the firewall does the virus scanning.

Strange enough, you refuse again and again to answer those questions
in the OP. Wouldn't it be easier to simply answer them clearly?
Shouldn't the relevance of your single statement which you have made
so far become clear then if you think that that statement was so fully
and completely on-topic and absolutely relevant to the questions asked
in the OP?

But obviously, you won't answer them because it would take a lot of
tweaking to make it fit. Or should I even believe you don't know how
it works and you are not able to answer the questions?

Gerald

Re: how can a firewall box handle virus?

am 14.11.2007 16:19:51 von Mak

peter wrote:

>
> If that is the case, the firewall may let half an email pass through, detect
> a virus, and cut off the rest of the email?
>
> I guess I wasn't clear. What I want to know is, if one of the email I'm
> downloading via pop3 has a virus and is detected by such firewall, what does
> it do? Delete one ethernet frame? Delete the rest of the session? Delete
> from the start of the signature till the end of the virus (assuming its
> virus database has length info)?
>
> What if the virus' signature pattern happens to cross an ethernet packet
> boundary, would it still be detected? The firewall would have to be able to
> remove low and higher level network headers in order to piece multiple
> packets into one data stream to scan for virus. But if it is smart enough to
> do this, why not store, scan, and forward attachment if no virus is found?
>
> Similarly, if a spyware is detected by such firewall while I'm downloading
> an activeX control, what does it do? Delete the data until the end of the
> activeX control data stream (assuming it can tell where the activeX ends)?

i can't believe these guys keep going at it, meanwhile nobody answers *these* questions

M

Re: how can a firewall box handle virus?

am 14.11.2007 16:40:06 von Leythos

In article <1195053591.487084@nntpcache01.si.eunet.at>, mak@nospam.com
says...
> i can't believe these guys keep going at it, meanwhile nobody answers *these* questions

And I wonder why the OP or you have not contacted ANY of the firewall
vendors that offer UTM and asked them how their products work.

Every single firewall vendor has a sales department and they can direct
you to a technical source in their chain that will answer questions that
the sales people can't answer - and it will be specific to their
product.

Some vendors manage those functions differently than others - you don't
know how the product you want to use does it unless you ask the specific
vendor.

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Re: how can a firewall box handle virus?

am 14.11.2007 17:50:13 von Ansgar -59cobalt- Wiechers

peter wrote:
> "Gerald Vogt" wrote:
>> No. It just inspects it while it is downloading just like any other
>> antivirus software does. They start at the beginning and end at the
>> end. You only need a small buffer for that.
>
> If that is the case, the firewall may let half an email pass through,
> detect a virus, and cut off the rest of the email?
>
> I guess I wasn't clear. What I want to know is, if one of the email
> I'm downloading via pop3 has a virus and is detected by such firewall,
> what does it do? Delete one ethernet frame? Delete the rest of the
> session? Delete from the start of the signature till the end of the
> virus (assuming its virus database has length info)?
>
> What if the virus' signature pattern happens to cross an ethernet
> packet boundary, would it still be detected?

Well, hopefully the firewall doesn't scan on layer 2, but layer 3 and
above. Because layer 2 doesn't know anything about POP3, or sessions, or
streams. Like, at all.

> The firewall would have to be able to remove low and higher level
> network headers in order to piece multiple packets into one data
> stream to scan for virus. But if it is smart enough to do this, why
> not store, scan, and forward attachment if no virus is found?
>
> Similarly, if a spyware is detected by such firewall while I'm
> downloading an activeX control, what does it do? Delete the data until
> the end of the activeX control data stream (assuming it can tell where
> the activeX ends)?

It all depends on how the firewall actually works. Does it inspect
packets on layer 2? Layer 3? Layer 4+? Does it reassemble packets to
reconstruct data streams? Does it proxy connections?

Normally I would assume that the firewall will proxy the connection, so
that the mail (in case of POP3) or web page (in case of HTTP) is
downloaded by the firewall, scanned and then either discarded or
forwarded to the user originally requesting the mail/web page.

However, like I already said, it all depends on what the firewall
actually does, i.e. how it was implemented by the manufacturer.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
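As an added illustration (not code from any poster or product in this thread) of the point made above: a scanner that only looks inside individual packets misses a signature split across a segment boundary, while one that reassembles the stream needs only a small carry-over buffer of len(signature)-1 bytes to catch it. The signature, the POP3-style payload and the segment size are all constructed for the example.

```python
"""Stream-aware signature scanning across segment boundaries (added example)."""
from typing import Iterable, List

# Constructed test signature; a real engine loads many from a signature DB.
SIGNATURE = b"CONSTRUCTED-MALWARE-SIGNATURE"


def scan_per_segment(segments: Iterable[bytes], sig: bytes = SIGNATURE) -> bool:
    """Naive scan: look for the signature inside each segment on its own."""
    return any(sig in seg for seg in segments)


class StreamScanner:
    """Scans a reassembled stream, keeping only len(sig)-1 bytes of history.

    That is all the history needed: a match ending in the current segment
    can start at most len(sig)-1 bytes before the segment begins.
    """

    def __init__(self, sig: bytes = SIGNATURE) -> None:
        self.sig = sig
        self.carry = b""
        self.matched = False

    def feed(self, seg: bytes) -> bool:
        window = self.carry + seg
        if self.sig in window:
            self.matched = True
        # Keep only the tail that could still be the prefix of a later match.
        keep = len(self.sig) - 1
        self.carry = window[-keep:] if keep > 0 else b""
        return self.matched


def scan_stream(segments: Iterable[bytes], sig: bytes = SIGNATURE) -> bool:
    """Feed segments in order; True as soon as the signature is seen."""
    scanner = StreamScanner(sig)
    return any(scanner.feed(seg) for seg in segments)


def split_stream(data: bytes, mss: int) -> List[bytes]:
    """Cut a payload into segments of at most `mss` bytes, as TCP would."""
    return [data[i:i + mss] for i in range(0, len(data), mss)]


# Constructed POP3 RETR response; the signature starts at offset 34, so a
# 40-byte segment size splits it across the first and second segment.
MAIL = b"+OK 1 octets\r\nSubject: hi\r\n\r\nbody " + SIGNATURE + b" trailer\r\n.\r\n"
SEGMENTS = split_stream(MAIL, 40)
```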