ESET GATEWAY SECURITY, Руководство по установке

Страница: 19 / 38

19
5.3. Large HTTP Objects Handling
Under the normal conditions esets_http handles every object transferred in a way that the
object is first transferred from the HTTP server (resp. client) to esets_http , second, it is scanned
for infiltration and last, it is transferred to the HTTP client (resp. server). Concerning large files (the
large objects whose transfer time is larger than timeout defined by the parameter lo_timeout)
this becomes not very suitable scenario as the user agent’s timeout or user’s impatience can
cause interrupts or even canceling of the objects transfer. Therefore other methods to process
the large objects must be implemented.
5.3.1. Method of deferred scan
The
esets_http
implements standard so-called ‘deferred scan’ method of large files handling.
This means if object transferred becomes large the esets_http starts to send the object
transparently to an awaiting HTTP end-point (i.e. client or server). After the last part of the object
has arrived to esets_http , the object is scanned for infiltrations. If the object has been found as
infected the last part of the object (current version of ESET Gateway Security defines last part as
last 4KB of object’s data) is not sent to the awaiting end-point and the connection with the end-
point is dropped. In parallel, the e-mail notification is sent to the Gateway administrator with
the relevant information about the dangerous file transfer. Note that the notification is sent only
in case of server to client data transfer. The URL of the source object is stored in this case in the
esets_http
cache to block the source transfer if requested again.
In this place we would like to point out that the ‘deferred scan’ technique described above
presents potential risk for the computer whose user agent requested the infected large file for
the first time. The risk resists in that even data transfer of an infected object has been deferred
some parts of already transferred data can contain executable danger code. That is why the ESET
developed modification of the ‘deferred scan’ technique called ‘partial scan’ technique.
5.3.2. Partial scan technique
The ‘partial scan’ technique has been developed to safeguard ‘deferred scan’ method.
Operation principle of the ‘partial scan’ technique is based on the idea that scanning time of
a large object is negligible as compared to overall process time of the object. Note that this
condition is fulfilled in case of HTTP transfer of large object as significantly higher time is needed
to transfer the object than to scan it for infiltrations. This assumption allows us to perform more
than only one scan during the large object transfer.
Once parameter
lo_partscan_enabled
is enabled in [http] section of ESETS configuration
file the large object is scanned for infiltrations during its transfer in some predefined intervals and
data scanned are sent to awaiting end-point (i.e. to client or to server). Using this method there
is no way to pass any infiltration to the computer whose user agent has requested the large
infected object as each portion of the data sent is already ensured to be secure.
It has been proved that in the common circumstances (by means the speed of the Gateway
local network connection is orderly higher than the speed of the Gateway connection to the
Internet) the process time of the large object transfer with the ‘partial scan’ technique used is
approximately the same as when the standard ‘deferred scan’ method used.
chapter 5
Integration with Internet Gateway services