On 6/9/05, David Curtis <DCurtis@xxxxxxxxxxxxx> wrote:
> Does any one have a good way of preventing spyware with Squid? We run
> Squid and Dansguarian and we are looking to add some type of spyware
> prevention. We have looked into adding clamav to Dansguardian but are
> also looking to add something just for spyware.
A good start towards preventing spyware is to block spyware domains.
Squid can do this in an ACL, but not all spyware reports back via HTTP,
so you might want to instead/also block DNS lookups for known spyware
domains.
David Glosser has a good start towards this using BIND zone files, see:
http://www.bleedingsnort.com/article.php?story=20050303140654875
You might also consider running an IPS (e.g. "snort inline") configured
to drop sessions based on spyware signatures in the actual HTTP
conversation. This could run on the Squid host, or on a firewall or filter
between the Squid host and the raw Internet.
There are a number of commercial and free desktop products to block
and/or remove spyware at the desktop. Even if you are blocking spyware
at the gateway, adding additional client protection can only help.
Kevin Kadow
