How does virus blocker work?

#1 Untangler (Copenhagen, Denmark)

    Hi guys

    I have the full version of virus blocker, and I wanted to test it out, so I tried the 3 links on this page on my Mac:

    https://www.eicar.org/?page_id=3950

    None of them were blocked by UT, any idea why? I have the default settings for the virus blocker app, and all of the different traffic types, http, ftp and smtp, ticked.

    Thanks

    /Ulf

#2 dwasserman (Untangle Ninja, Argentina)

    From the eicar page:
    "Sorry, HTTP download is temporarily not provided."

    You must activate SSL inspector and install the certificate in your Mac
    The world is divided into 10 kinds of people, who know binary and those not

#3 sky-knight (Untangle Ninja, Phoenix, AZ)

    https says all you get is the SNI field so nothing will ever be scanned.

    SSL Inspector can be used... if you like making extra work for yourself. Both of the virus blocking modules have been all but useless for years, long since superseded by the anti-malware category that's enabled by default in Web Filter.

    That isn't to say the modules don't have value, because they do still help with FTP sometimes, but they have far less value in the modern workplace and home than they once did. We have better tools now. Web Filter and Threat Prevention work on reputation, which is FAR MORE RELIABLE than a signature check on an executable.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#4 dashpuppy (Master Untangler, Nanaimo B.C)

    Quote Originally Posted by sky-knight:
    https says all you get is the SNI field so nothing will ever be scanned.

    SSL Inspector can be used... if you like making extra work for yourself. Both of the virus blocking modules have been all but useless for years, long since superseded by the anti-malware category that's enabled by default in Web Filter.

    That isn't to say the modules don't have value, because they do still help with FTP sometimes, but they have far less value in the modern workplace and home than they once did. We have better tools now. Web Filter and Threat Prevention work on reputation, which is FAR MORE RELIABLE than a signature check on an executable.
    Do you ever sell your clients DNS-type services? Example: DNS Filter or such services? My old boss HATED UTM firewalls with a passion and always used MikroTiks or pfSense. In 2 years working there, not a single virus-infected computer, etc. etc.
    Started Youtube Channel, Have a question about Untangle Ask me : jason @ jasonslab.ca
    https://www.youtube.com/c/jasonslabvideos << Please like and subscribe, helps me out !!

#5 sky-knight (Untangle Ninja, Phoenix, AZ)

    Quote Originally Posted by dashpuppy:
    Do you ever sell your clients DNS-type services? Example: DNS Filter or such services? My old boss HATED UTM firewalls with a passion and always used MikroTiks or pfSense. In 2 years working there, not a single virus-infected computer, etc. etc.
    DNS Filter is in my stack, but I still prefer Untangle. The policy manager is leaps and bounds better at singling out specific people or machines for different filtration rulesets. DNS Filters limit you to a single ruleset for the enterprise. There are means of changing that... but all of them are limited.

    Also, DNS Filters are all uniformly utterly DESTROYED by DoH and DoT. You can resolve your names however you want with Untangle; that HTTPS session is still being managed by the platform.

    A quick tweak to the browser and all the DNS filtration in the world is irrelevant. Malware only needs to use its own hard-coded DNS resolver to bypass the filters too. DNS Filters are garbage... but yes, I do use them. They do work well in malware prevention; they completely suck at containment. Untangle does BOTH!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#6 jcoehoorn (Untangle Ninja, York, NE)

    To echo other responses: this module is really only useful today if you also have a solid SSL Inspector implementation, which is... difficult in many environments.

    As little as 5 years ago this wasn't a problem. Trusted certificates were out of reach of the malware pushers, and they didn't need them anyway. These days anyone can get a Let's Encrypt cert, and it's become worthwhile for the malware gangs to do just that. Just about everything now (malware or not) uses TLS, making this module much less useful.

    But all is not lost! The Web Filter app's Malware categories still catch a lot of malicious traffic, even without SSL Inspector.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty
