Hello untanglers ;)

I just discover untangle and I'm very happy to use it.

But I have a problem with the Virus Blocker module in untangle 5.3: if a virus is found on HTTP by ClamAV then I have a event in the log but I don't have any message in the web browser (IE or FF).
The infected file is partially downloaded (trickles feature) but I don't have message and I cannot bypass in case of false positive.

I did a test with this file :
http://dsy.online.fr/tmp/avtest.exe
This is not a virus, this is freeware program named SuperCopier. I'm using it for testing because ClamAV detect all programs using hook feature as a virus.

I read many posts about corrupted files but it seems nobody have the missing message problem. I know there is a bug about message format. In my case, the file is downloaded as if untangle does not process it but there is a log in the untangle console.

I tried to disable/enable HTTP resume without success.
I tried to change trickles value to 100% to let the user to have a valid file and keep the log but 100% trickles is rejected.

Users should have the choice when downloading a file by HTTP to bypass antivirus because ClamAV have many false positives. And even commercial anti-virus could have false positives.

If there will be any way to bypass AV control, users will use it to download what they want with no regards to AV cautions. I've had users that even clicked "ignore" button in AV warning screen just because they beleive that those icq smiles pack is too funny to contain viruses...

Well, sometimes this option could be useful, but in such case it should not be global, but enableable per-user only.

Yes, I agree with you. Some more parameters should be fine.

I don't think the Virus Blocker is usable like this for HTTP protocol because of false positive and missing features. I'm curious to know if someone use the Virus Blocker with ClamAV. Did you remove AV from workstations and keep only untangle ?

I would like to use the Kaspersky Virus Blocker but I'm not sure if it would be better because of : false positive, missing user message, missing admin alert, disabled resume feature, etc..

And the best is "Scan trickle rate" : why provide a choice for this value. Did you prefere a 10% corrupted file or 90%. No I prefer to download all data or None. I understand this value is for performance tuning but why would an user to have a partially downloaded file ?

I'm thinking to study an alternative because I have another issues:
-FTP interruption with large file upload to our server
-Skype VOIP interruption
Its seems that we have timeout problems. May be I'll create new posts for theses problems but I don't hope to resolve these issues... it's pity.

Does Microsoft ISA Server is better for HTTP virus blocker ? I read on this forum that resume feature seems to work.

I removed auto-negociate from my external NIC and network interruptions are disappear now.

Only the Virus Blocker have malfunction.