Dear Ofer Elzam,

Of course, this approach causes no problems in catching, for example, known ITW worms as executables or archives. Problems begin if you're trying to catch, let's say, sites with Internet Explorer trojans. Remember Scob? Imagine what happens if Scob is added to a page as a header instead of a footer. 80% and even 5% of the page have a good chance to contain a fully working version of Scob before the connection is terminated by the filter.

I know this problem is not eSafe specific. In fact, I don't know of an antiviral engine capable of catching a signature in the stream of data immediately after the signature has arrived in the stream. All antiviral engines I tested (KAV, ClamAV and others) are file-oriented. It makes it impossible to code good antiviral protection for a proxy server with these engines.

--Wednesday, July 28, 2004, 7:52:14 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx:

OE> In-Reply-To: <18610004519.20040724152743@xxxxxxxxxxxxxxxx>

OE> eSafe Gateway uses a default value of 80% file download before
OE> first inspection of executable files from HTTP servers. This value
OE> can be changed to as low as 5% if desired.

OE> We feel that the 80% gives a good balance between user
OE> experience and security needs. Customers would usually want to see a
OE> fast moving download progress bar. If we set the value to 5% - the
OE> progress bar will move just a little bit (5%) when downloading and
OE> the remaining 95% very fast as eSafe finishes the inspection. This
OE> annoys users.

OE> If antiviral filter checks data _after_ all data received from client
OE> with 20% buffering yes, it's possible to bypass this check for HTTP,
OE> because there is no way (at least for HTTP/1.0 and FTP) to indicate
OE> error to client and make him delete partially downloaded data.

--
~/ZARAZA
As long as you are in the hands of Providence, you will not be able to die before your time. (Twain)
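
The stream-oriented check this message says file-oriented engines lack, sketched as an added example (not part of the original message and not code from any product named in it): a proxy-side scanner that matches across chunk boundaries and releases a byte to the client only once no signature can still begin at it. The marker string and the names `StreamScanner`, `relay` and `chunked` are constructed for illustration, and plain substring matching stands in for a real engine.

```python
# Constructed, harmless marker standing in for a real signature.
SIGS = {"EXAMPLE-HEADER-SIG": b"<!--EXAMPLE-TEST-SIGNATURE-->"}

class SignatureHit(Exception):
    def __init__(self, name, offset):
        super().__init__(f"{name} at stream offset {offset}")
        self.name, self.offset = name, offset

class StreamScanner:
    """Scan a byte stream chunk by chunk; release only bytes proven clean."""
    def __init__(self, signatures):
        self.sigs = dict(signatures)
        # A signature that starts in released data must already be fully
        # visible, so the last (longest signature - 1) bytes are held back.
        self.hold = max(len(p) for p in self.sigs.values()) - 1
        self.pending = b""   # received but not yet forwarded
        self.forwarded = 0   # bytes already released to the client

    def feed(self, chunk):
        buf = self.pending + chunk
        hits = [(buf.find(p), n) for n, p in self.sigs.items() if p in buf]
        if hits:             # stop before any byte of the match is released
            pos, name = min(hits)
            raise SignatureHit(name, self.forwarded + pos)
        cut = max(len(buf) - self.hold, 0)
        safe, self.pending = buf[:cut], buf[cut:]
        self.forwarded += len(safe)
        return safe

    def finish(self):        # end of stream: the held-back tail is clean
        safe, self.pending = self.pending, b""
        self.forwarded += len(safe)
        return safe

def relay(chunks, signatures=SIGS):
    """Return (bytes the client received, SignatureHit or None)."""
    scanner, delivered = StreamScanner(signatures), b""
    try:
        for chunk in chunks:
            delivered += scanner.feed(chunk)
        delivered += scanner.finish()
    except SignatureHit as hit:
        return delivered, hit
    return delivered, None

def chunked(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]
```

With the marker placed as a page header, `relay` reports the hit at offset 0 and the client has received nothing, whereas a filter that first inspects at 5% or 80% of the download would already have passed it on.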