Peter, One more thing I was thinking of... wouldn't it make quite a bit of difference as to what the value of the "proxy_behind" token in /etc/iscan/intscan.ini is set to? I've got mine set to no, and have told InterScan that it is not to act as a proxy but rather it is to pass proxy requests off to localhost:3128, thus InterScan only scans http traffic coming to and going from that proxy server (in this case, this is our parent proxy server, so everything coming from one of the child proxies goes here first -- to be scanned and to check the parent cache.) Not sure if this clears it up, but basically I believe this is a "proper" configuration, furthermore, we've stopped several viruses with this configuration in place, and it is not suceptible to the CONNECT flaw that Interscan seems to otherwise be suceptible to. Best Regards, Corey On Mon, 2002-02-25 at 15:50, Peter Bieringer wrote: > --On Monday, February 25, 2002 03:26:16 PM -0600 "Corey J. Steele" > <csteele@good-sam.com> wrote: > > > We have VirusWall listening on port 8080, and then sending > > non-viruslaced requests to a SmartFilter-enabled SQUID proxy. All > > systems are Linux based -- most are Red Hat 6.2, with latest > > applicable patches. We built squid ourselves to include > > SmartFilter. > > > > Hopefully this helps... > > > Hmm, will you say that if interscan uses as second stage a squid, the > interscan HTTPS-proxy is disabled? > > Otherwise following message should be imho displayed after a CONNECT: > HTTP/1.0 200 Connection established > Proxy-agent: InterScan 2.0 > > > > [csteele@ws47619 csteele]$ telnet viruswall 8080 > > Trying XXX.XXX.XXX.XXX... > > Connected to viruswall. > > Escape character is '^]'. > > CONNECT mailserver:25 / HTTP/1.0 > > > > HTTP/1.0 403 Forbidden > > For me it looks like more: > > client -> squid -HTTP-> viruswall -> internet > -CONNECT -> internet > > > But this is what I understand you've described: > > client -> interscan -> squid -HTTP-> -> internet > -CONNECT -> internet > > > TIA, > Peter -- Information Security Analyst Good Samaritan Society e-mail: csteele@good-sam.com voice: (605) 362-3899 PGP Key fingerprint = 564F 2A97 2ADA F492 F34C 8E4A 12AF 9DC3 400E 2DD6
