Download Problems

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Moderator: Qbik Staff

Postby Charles Silvia » Nov 02 07 1:31 pm

I am running a trial version of Wingate with Anti Virus and Site filtering plugins.

Wingate and plugins are installed on a 30 Gb disk on the server, but not on the system disk, which is quite small and only has about 60 Mb of free space. This has proven to be adequate in the past since the server doesn't do much except serve the large shared disk and run the proxy server.

Problem: When a client tries to download a large file (in this case a game demo of >1Gb) nothing seems to happen on the client. It appears as though the browser is attempting to connect to the download site.

However, I notice that on the server, the system disk is slowly filling up (don't know in what directory). GateKeeper shows the download activity. When the system disk runs out of space, the download is canceled (as shown on GateKeeper), and space is returned to the system disk. Gatekeeper shows no further web activity for the client.

On the client it still appears to be attempting to connect to the download server.

I know this is not the fault of the download site, since when I avoid Wingate by doing the download on the server itself, I immediately get the open/save dialog box typical of downloads.

Is this Kaspersky? Puresight??

I cannot see where any buffer files for Kaspersky can be set. Do they always go to the system disk??

It seems to me that even if the system disk were large enough to hold the entire file download it would be very inconvenient for the client to have to wait an hour before even seeing the save/open dialog.

What can I do about this?? Any suggestions will be appreciated.
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby Charles Silvia » Nov 02 07 2:12 pm

Ok. Never mind. I found a posting on YouTube problems that provided the answer about drip settings for the plugins.
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby Charles Silvia » Nov 02 07 2:49 pm

Nevermind the nevermind! It seems that only half the problem is solved.
Setting the drip feed option on the plugins allowed the download to proceed on the client and, in fact, allowed it to continue well past the point at which the system disk is filled. So, during the entire period of the download, the system disk on the wingate server is at zero blocks available.

This obviously makes the saved .TMP file useless for whatever plugin is going to try to use it, and poses potential problems for other services running on the server.

Incidentally I found the TMP file in C:\WINNT.

Is there any Gatekeeper setting or registry setting that I can use to change where Wingate or its plugins store TMP files??
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby Nev » Nov 02 07 3:50 pm

Hi Charles,

The times I have noticed Wingate create .tmp files they are in my Environment Variable defined location which I create on all servers to monitor these files and clean them out periodically in one process.

If you run the 'SET' command where is the TMP // TEMP variable?

If it's C:\windir you could change the Environment Variable to the larger drive perhaps.

Hope this helps, drop a line back to let the board know.
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby Charles Silvia » Nov 02 07 4:10 pm

Thanks for thinking about this. But unfortunately, neither TMP nor TEMP environment variables is pointing to C:\WINNT. They point to C:\TEMP which is empty and C:\TMP which doesn't exist.

I'll repoint these to another drive just on the off chance that Wingate is picking up the %SystemDrive%\TMP and when \TMP isn't there uses windir as a default. Not very hopeful....
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby Charles Silvia » Nov 05 07 5:20 am

As expected there was no joy with the above attempt.

Further examination reveals that both Kaspersky and Puresight do this. Since only one TMP file is created they obviously share. A workaround is to set the selected download site as an allowed exception in BOTH plugins. This is problematical in general however, since, even with my small home network, it is impossible to always know in advance the actual source of the downloaded file or video.

I must say that I find this to be a poor design choice for these plugins. I can't imagine why either plugin needs the entire file to do its job. Even with the drip feed feature enabled it makes the viewing of long videos tedious since after 3/4 of the video plays it must freeze while the remaining quarter is downloaded and the whole file "analyzed". And speaking of which, do the developers of Puresight expect us to believe that their software can examine streaming video and determine the nature of its content? And while I know little about virus filters, I do know that I have not seen such behavior in any of the other Virus blockers I have used.

This really ought to be dealt with on the next release or different vendors found to provide these plugins. (Panda Antivirus and SmartFilter were the plugins I used with Winproxy at about the same license cost, and they performed flawlessly from my perspective.)

I still invite and will greatly appreciate any further suggestions on settings that I might try.
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby adrien » Nov 15 07 11:51 am

PureSight shouldn't be messing with anything except for content types of text/html

The WinGate framework is the one that creates that temp file. It will put it in the temp folder related to the user context it is running in. Since by default this is the LocalSystem account, then the temp folder should be in the windows\system32\Temp folder.

This is all changing for the next version, so I'll make sure users can specify temp file locations.

Kaspersky Labs scanning SDK requires the whole file in order to be able to scan it. I don't know how the Panda one works.

In general though, if the file is being sent through to the client as it is being scanned, can a scanning engine guarantee what is being sent is safe? I think that's not possible to guarantee, so therefore it's not safe to send any of that file until the whole thing has been scanned.

Having said all that, for multimedia content, it's not going to be executed on the client. But again, we don't know what exploit may appear which may target a media player. So the question then remains about whether it will always be safe to not scan multimedia content.

In the meantime, you can exclude Kaspersky from scanning things based on the URL or parts thereof. This also is being greatly expanded for the next version.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby Charles Silvia » Nov 16 07 11:17 am

Thanks for paying attention.

On Kaspersky, while I am no expert on virus detection, it is my understanding that most virus checkers rely on the presence of signatures or other features which identify malignant code. Since such signatures are relatively short, it should only be necessary to scan each two consecutive download buffers for the presence of such a signature.
Of course, these signatures are likely to be obscured during download by whatever (if any) compression/encryption algorithm is applied. So it is always possible for malicious code to sneak through.

For this reason, I, like Mr. Baker, have never viewed the proxy filtering as anything other than a first line of defense. I continue to use local scanners such as Norton on each client PC. I think that at the proxy level, the priority should be for throughput rather than some vain attempt to provide perfect protection.

As for Puresight, the above arguments apply in spades. Pornographic words and phrases are either going to be totally obscured by compression/encryption, or are going to stand out like sore thumbs in any scan of two buffers. Viewing the whole file should not, in my humble opinion, be necessary.

I wish you well in improving Wingate. If you get it good enough, I'm sure that Blue Coat will make you all millionaires just so they can shut you down.
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby adrien » Nov 16 07 3:29 pm

Kaspersky Labs scanning technology does a lot more than just look for signatures.

It does heuristic evaluation which you can't do with just a couple of buffers of the file.

It also unpacks archives, even broken ones looking for viruses.

If you were used to Panda and all it did was scan for signatures in raw content, well Kaspersky scanning is a completely different beast, and absolutely requires the entire content.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland
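
The two positions in this exchange can be compared side by side. The following is an added example, not part of the thread and not WinGate or Kaspersky code: a scan of consecutive download buffers with a carried-over tail, next to a whole-content scan that unpacks first. The signature is a constructed marker, and `zlib` stands in for an archive format as an assumption.

```python
import zlib

# Constructed marker standing in for a scanner signature (not a real one).
SIGNATURE = b"TEST-SIGNATURE-0001"

def chunks(data, size):
    """Split data into fixed-size download buffers."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def scan_per_buffer(buffers, sig=SIGNATURE):
    """Naive: look at each buffer on its own; misses straddling matches."""
    return any(sig in b for b in buffers)

def scan_streaming(buffers, sig=SIGNATURE):
    """Keep the last len(sig)-1 bytes so a match split across two
    consecutive buffers is still seen. Memory stays O(buffer size)."""
    tail = b""
    for b in buffers:
        window = tail + b
        if sig in window:
            return True
        tail = window[-(len(sig) - 1):]
    return False

def scan_whole(buffers, sig=SIGNATURE):
    """Whole-content scan: reassemble, try to unpack, then search."""
    data = b"".join(buffers)
    if sig in data:
        return True
    try:
        return sig in zlib.decompress(data)
    except zlib.error:
        return False

def demo():
    plain = b"A" * 60 + SIGNATURE + b"B" * 60   # signature starts at offset 60
    packed = zlib.compress(plain)               # same content, compressed
    size = 64                                   # boundary falls inside the signature
    return {
        "per_buffer_plain": scan_per_buffer(chunks(plain, size)),
        "streaming_plain": scan_streaming(chunks(plain, size)),
        "streaming_packed": scan_streaming(chunks(packed, size)),
        "whole_packed": scan_whole(chunks(packed, size)),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

The streaming scan finds the raw marker even when it straddles a buffer boundary, but only the scan that holds the complete content and decompresses it finds the same marker in the packed copy.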

Postby Randy Baker » Nov 17 07 12:47 am

Adrien:

I don't want to rehash the reasons why I would like an alternative to Kaspersky, even though it is most likely a superior product from the methodology you describe. For most of the sites I am involved with, Kaspersky would be an ideal solution, but not all.

For the next version of WinGate, is there any plan to incorporate other plugins, including alternative A/V solutions? I am considering Wingate for the current site I am testing, but I am definitely not going with Kaspersky for perimeter based protection. Internal protection will have to suffice.
Randy Baker
 
Posts: 31
Joined: Nov 09 07 5:28 pm

Postby Charles Silvia » Nov 17 07 3:23 am

My apologies to the authors of Kaspersky. I am sure that they provide excellent protection.

None-the-less, in the security vs. functionality trade off balance, Kaspersky's cost in functionality is not worth the added security it claims to provide for my purposes. (Incidentally, I don't pretend to know how Panda works, only that it was effective and more functionally friendly in my environment.)

I second Mr. Baker's request for additional options on Wingate plugins.
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby Charles Silvia » Nov 17 07 3:25 am

Sorry, some kind of glitch caused the above post to be entered 3 times.
Last edited by Charles Silvia on Nov 17 07 3:41 am, edited 1 time in total.
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby Charles Silvia » Nov 17 07 3:27 am

No entry.
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby adrien » Nov 19 07 10:01 am

So one question I have - if you are downloading a file through a proxy (say WinProxy), and the proxy is scanning it for viruses but also passing it through to the browser at the same time, what happens if the scanning detects a virus? Do you get

1. A partial / broken download?
2. any sort of message saying what's going on?
3. something else?

We are targeting option 2, which you can't do if you've sent any of the data to the client already. We don't believe a partial download is safe, it could still function.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby Charles Silvia » Nov 20 07 3:22 am

These are good questions. And I don't have the answers.

I also think they are somewhat irrelevant. At the client level both Norton and McAfee a/v systems claim to establish local firewalls and provide scanning of incoming http and other loads from removable media. Neither is as intrusive to normal downloading activity as Kaspersky and both are generally held to provide adequate protection for the average business and home user.

Security means different things to different people. There are government agencies where the PCs are not allowed to have removable media attached and have no connection to the outside world at all. Very secure, but not very useful to most people.

All I am saying is give your customers an option.
Charles Silvia
 
Posts: 14
Joined: Oct 30 07 10:20 am

Postby adrien » Nov 20 07 10:22 am

One way to find out the answers would be to try downloading a test virus file, and see what happens. Unfortunately the most common test virus file (www.eicar.org) is only 68 bytes long so doesn't compare to a large download.

In any case, we do give our customers the option, which is why we have the drip-feeding setting in the plugins pane of the WWW proxy. You get to choose whether the file gets dripped down to the client (so the client gets some sort of responsiveness) or not (in which case the entire file must come down first), and you get to control the threshold where it kicks in (i.e. don't drip-feed files smaller than a certain threshold).

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

