Stop Virus Downloads with GFI’s DownloadSecurity
By Thomas W Shinder M.D.
One of the most common ways internal network users bring viruses, worms and Trojans into your network is via HTTP and FTP downloads. In addition to viruses and other malicious code, users download applications like Kazaa, Morpheus, instant messengers and other dangerous applications that can be used to import toxic code into the internal network and clog the corporate Internet connections.
ISA Server doesn’t include a virus checking engine, and while ISA Server does support content checking using Site and Content Rules, a blocked download attempt is simply aborted; security administrators don’t get a chance to review how users violate network security policy by analyzing what they tried to download. This is also a problem if you want to allow users to download files but want those files inspected before the user is given access to them. If you want virus checking and file inspection, you’ll need a third party application to help you out.
This is where GFI Software’s DownloadSecurity comes in. DownloadSecurity inspects all files downloaded via HTTP and HTTP tunneled FTP. Do you want to prevent users from downloading virus infected files from Web sites? Do you want to control what file types are downloaded from the Web onto your network? Then DownloadSecurity may be just what the doctor ordered.
Content Download Control
Content control is crucial on all networks. Users continue to download dangerous applications in spite of strong network usage policies. Users can also be misled by email messages that tell them to "click here" to see the latest picture of actress
DownloadSecurity prevents problems with malicious code downloads by allowing you to easily block file types of your choosing. You can configure DownloadSecurity to block all downloads, block a list of file types, or block all file types except for a list of file types. You can see a sample of some of the file types included right out of the box in the figure below.
Now you might be saying to yourself "sure, that’s nice, but I can do the same thing with ISA Server’s built in Site and Content Rules". Yes, you can block selected content with ISA Server’s Site and Content Rules, but that’s all you can do: a blocked download is refused outright, and there aren’t any other options.
DownloadSecurity gives you many more choices on how to deal with file download attempts. You can choose to block the download and quarantine it. When the downloaded file is in quarantine, it can be reviewed at a later time by a security administrator. Or you might want to move the file to a folder and check it out when you get a chance – that way you immediately block the download but give yourself a chance to see what crud the users are trying to download.
Another thing ISA Server Site and Content Rules can’t do is notify the user that they’ve violated the network usage policy. DownloadSecurity informs your users that they’ve violated security policy by sending the user an email message. DownloadSecurity can do this, and it can also send an email message to the user’s Manager. This is very helpful when it comes time to reprimand users for network abuse and for tracking users who may be working actively to subvert network security policies.
You can also create multiple download checking rules to give you more granular control. For example, suppose you want to inspect all file downloads except those for certain executives and administrators. This is very easy to do with DownloadSecurity. Just configure a download checking rule that applies to everyone except your selected users and groups. You can even create a second or third download checking rule for these other users. It’s quite easy and works flawlessly.
Virus Download Control
Maybe you run a more free-wheeling network environment. You don’t care if users download files, but you don’t want them downloading virus infected files. DownloadSecurity allows you to examine downloaded files for viruses without requiring that you block downloaded files. It’s up to you. We prefer to quarantine all file downloads and also examine all downloaded files for viruses. This provides the highest level of security.
DownloadSecurity runs two different virus engines against downloaded files. If one virus engine doesn’t detect the virus, there’s a good chance that the other will. You also have the option to scan Word files for macros. It’s a well-known fact that Word macro viruses can wreak havoc on a network, so blocking them is generally a good thing.
One problem a lot of ISA Server administrators have with applications that run on the ISA Server itself is configuring the server correctly to support virus definition downloads. It was a virtual no-brainer to configure DownloadSecurity to download virus definition updates. You have the option to use Active or PASV modes, and you can even confirm that the downloads work by clicking on the Test FTP access button.
Approve Downloads after Reviewing
DownloadSecurity includes a Moderator client application that allows you to view the files that you configured to be quarantined. Downloaded files stay in quarantine until you decide how to deal with them. Your options are Delete, Delete and Notify, and Approve. Full details about the user performing the download, when the download took place, and the downloaded files themselves appear. The figure below is an example of what you would see if you downloaded the EICAR test file.
I’ve been using MailSecurity at a number of sites. The first thing that struck me about this application is how simple it is to install and configure. The basic choices are to control all downloads or just some downloads, and whether you want to check all files for viruses. We always choose to have DownloadSecurity check all the default file types and to quarantine them and to check all files for viruses.
DownloadSecurity can process about 60 files at the same time. I’ve noticed processor utilization tends to peg when processing more than a few files at the same time, but this doesn’t seem to have an adverse effect on ISA Server services and internal network clients are able to access the Internet without problems even during heavy file download periods.
One thing you need to be aware of is that DownloadSecurity is implemented as a Web filter. This means your clients must be configured as Web Proxy clients in order for file inspection to work. Not only must the clients be configured as Web Proxy clients, but you must force the Web Proxy client configuration. This means you either have to avoid configuring the clients as Firewall and SecureNAT clients, or take advantage of the HTTP Redirector filter to drop all HTTP requests from Firewall and SecureNAT clients. The only problem with using the HTTP Redirector method is that it won’t control FTP downloads. If you want to control FTP downloads you must configure the clients as Web Proxy clients only or disable the FTP Access Application filter.
When you test DownloadSecurity you might notice clients won’t be able to use the Norton Antivirus LiveUpdate. You’ll see the LiveUpdate feature report that the download package was corrupted. At first I thought this was a bug in the DownloadSecurity application.
The fact is that it wasn’t a bug, it was just DownloadSecurity doing its job. You can get around these kinds of problems by configuring DownloadSecurity to not examine files downloaded from particular sites. In order to allow LiveUpdate to work, you have to give symantecliveupdate.com free rein. All you need to do is add the site to the list of URLs not to scan in the Web filter’s Properties dialog box (as seen below).
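To make the download checking model described in the Content Download Control and Virus Download Control sections concrete, here is an added illustration (my own example code, not GFI’s or DownloadSecurity’s) of how a Web filter decides what to do with one download: exempt users and excluded sites are skipped, the file type is checked against a block list, the body is scanned (here for the public EICAR test signature only), and anything caught goes into a quarantine queue with the user and time for a moderator to review. The user names, host names and block list are constructed for the example.

```python
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed policy values standing in for the product's rule settings.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".com"}   # "block a list of file types"
URLS_NOT_TO_SCAN = {"symantecliveupdate.com"}                   # sites excluded from inspection
EXEMPT_USERS = {"ceo", "isa-admin"}                              # users outside the checking rule
# Public EICAR anti-virus test string; every scanner must flag it, so it is a safe stand-in
# for a real virus signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

QUARANTINE = []   # moderator queue: one record per blocked download


@dataclass
class Verdict:
    action: str                       # "allow" or "quarantine"
    reasons: list = field(default_factory=list)


def site_is_excluded(host: str) -> bool:
    """True if the host is, or is a subdomain of, an entry in the do-not-scan list."""
    return any(host == site or host.endswith("." + site) for site in URLS_NOT_TO_SCAN)


def inspect_download(user: str, url: str, body: bytes) -> Verdict:
    """Evaluate one HTTP download against the rule set and queue it if it is caught."""
    host = (urlparse(url).hostname or "").lower()
    if user in EXEMPT_USERS:
        return Verdict("allow", ["user is exempt from the download checking rule"])
    if site_is_excluded(host):
        return Verdict("allow", ["site is on the URLs-not-to-scan list"])

    reasons = []
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked file type {ext}")
    if EICAR in body:                       # stand-in for the virus engine pass
        reasons.append("virus signature found (EICAR test file)")
    if not reasons:
        return Verdict("allow", ["passed file type and virus checks"])

    # Keep the details the Moderator client shows: who, when, what, and why.
    QUARANTINE.append({"user": user, "url": url, "size": len(body),
                       "time": datetime.now(timezone.utc).isoformat(), "reasons": reasons})
    return Verdict("quarantine", reasons)
```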
I found DownloadSecurity easy to setup and configure, and it does exactly what it says it does. It’s quite an experience to review the downloads in the Moderator client each day and see how many viruses and Scumware applications (like instant messengers and file sharing programs) have been blocked. It brings to light how futile desktop application auditing is without having a mechanism in place to prevent forbidden applications from "growing back" on user desktops.
We use DownloadSecurity on our own ISA Server and I wouldn’t be without it. I wholeheartedly recommend DownloadSecurity and give this application 5 ISAServer.org stars.
A full, 60-day working version of GFI DownloadSecurity can be downloaded here.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=12;t=000172 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom