Before I buy

Forum for support for the Kaspersky AntiVirus for WinGate plugin

Moderator: Qbik Staff

Postby ngrayson » Oct 17 05 11:13 am

Guys,

I have a few presales questions for you. I have a small LAN at home, 4 users. WinGate is on a separate XP Pro machine which is a 1.2G Duron with 512M memory. Internet is via USB ADSL modem. Server is used as

Printer server (sporadic printing say 10 pages a day)
File server for random file storage and kids play MP3 files served from this server although not all the time.
Wingate
VPOP3 (runs every half hour)

The kids do hammer the internet at times although I have not seen the processor anywhere near maxed out.

1) Minimum hardware required? Is there sufficient horsepower in the Duron and 512M memory to run Kaspersky as well as the above? If not, the mobo will take a Sempron, so what speed?

2) Is the 6 user license the same as WinGate, i.e. can have more users programmed but only concurrent users?

Many thanks in advance,
Neil
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby adrien » Oct 18 05 6:42 pm

Hi Neil

That machine should be plenty quick enough.

As for the licensing question, yes, it's based on concurrent users, same as WinGate.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby ngrayson » Oct 18 05 8:37 pm

Hi Adrien,

Thanks for the reply, I'll be buying & installing this weekend.

Cheers
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby ngrayson » Oct 19 05 9:07 am

Hi,

OK, so I purchased it and installed it tonight and it was a big anticlimax.

The engine is reporting as being from 2003, I can't see where I can find out if I have the latest signatures or if it's even doing anything.

If it does find anything, does it log it?

Also, I can't access it from a remote gatekeeper, do I have to install something on the remote machine?

Am I just expecting too much?

Cheers,
Neil
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby Nev » Oct 19 05 1:21 pm

ngrayson wrote:Hi,

OK, so I purchased it and installed it tonight and it was a big anticlimax.

The engine is reporting as being from 2003, I can't see where I can find out if I have the latest signatures or if it's even doing anything.


Hi Neil,

You can check on the plugin from Gatekeeper's toolbar, where it will report whether it has current signatures or not and you can force a manual update.

ngrayson wrote:If it does find anything, does it log it?


Yes, in the System messages.

ngrayson wrote:Also, I can't access it from a remote gatekeeper, do I have to install something on the remote machine?

Am I just expecting too much?

Cheers,
Neil


My experience is that the plugin has saved thousands of hours in workplace productivity for a couple of SME type networks, by excluding malware, so it is brilliant really!

To test the plugin, enable it in the WWW proxy and Transparent Redirection, then from a client try downloading http://www.eicar.org/download/eicar.com as an example.

Report back how it goes!
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby MattP » Oct 19 05 1:48 pm

ngrayson wrote:Hi,


Also, I can't access it from a remote gatekeeper, do I have to install something on the remote machine?

Am I just expecting too much?

Cheers,
Neil


Not at all, you just need to run the GateKeeper.exe from a mapped drive. You'll probably notice that the history pane is blank too. So just map a drive to your WinGate server, and run the exe from there; you can copy the exe to your desktop if you need to.
MattP
Qbik Staff
 
Posts: 991
Joined: Sep 08 03 4:30 pm

Postby ngrayson » Oct 20 05 7:59 am

Thanks for both replies.

I can see where the signature update is indicated. Last night, despite manually kicking off an update, this still showed some time in 2003, but it now shows up to date. So great stuff.

I tried the EICAR site and indeed it did intercept it and quarantined it, but I got no message in WinGate, either in the system messages or the Kaspersky log. Strange?

I had already got the gatekeeper exe on a remote machine and was aware of the shared drive trick for history. I had not bothered about that, but today I shared the area where I store the logs (also has a copy of gatekeeper.exe) and mapped this as drive W. I now get history, but when I try the Kaspersky plugin it brings up the plugin window and it says it is unable to load in gatekeeper.

Overall I'm happy but would like to see some messages, as it's suggested that I would see, and would like to be able to configure it from a remote gatekeeper.

Any more ideas, guys?

Many thanks in advance
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby adrien » Oct 20 05 11:45 pm

We have a new version out in the very near future.

That should address the logging issue. As for the remote access, if you can't map a drive or use remote desktop to the server, then there is still an issue.

We are working on a new architecture to get around this, like the activation client uses (separate GUI vs engine DLL, GUI DLL shipped to GateKeeper etc etc).

thanks

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby ngrayson » Oct 21 05 12:35 am

Hi Adrien,

I think that we may be crossed somewhere.

Matt suggested that I just run gatekeeper from a mapped drive.

Early on, I did not want my logs in the WinGate directory so I changed the logging drive/directory (registry change) to another area. This area is mapped as a drive on the remote host. I have installed gatekeeper on there and sure enough, I can see the history but the Kaspersky plugin will not appear.

I think maybe the crossed link is that I need to move logging back to the WinGate install directories, share the whole of the WinGate root directory and then map this and run gatekeeper from there.

Is that what Matt implied?

If so, I can now do that (previously under windows 98 it was more of an issue).

Cheers,
Neil
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby ngrayson » Oct 21 05 12:49 am

OK guys, ignore my last posting.

I have decided to map the install directory and I can get to the Kaspersky entry remotely.... that'll do for me.

I do have a last curiosity though.

Does Kaspersky cache quarantine entries?

On each of the machines I have tried the EICAR test and it's intercepted and quarantined it first time. If I delete the quarantine entry from the pane in gatekeeper using the delete key, then on a client which was previously tested do it again, it intercepts but makes no quarantine entry ever again.

Any ideas on that one?

Cheers
Neil
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby adrien » Oct 21 05 10:48 am

That's a new one on me.

I'm wondering if the client has a cached copy of the failure screen that told them the request was blocked. We see many times the same files quarantined (esp for mail).

Due to IE's "show friendly error messages" setting, we can't send error messages to a client unless we make the HTTP return code indicate success. So it's possible the browser cached it (although I'm pretty sure we set a no-cache tag in our response).

If in doubt, you should be able to turn on debug logging on the WWW proxy, and see what is really going on.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Postby ngrayson » Oct 21 05 10:18 pm

Adrien,

Many thanks. Armed with this I'll do some digging to see what's going on.

I did discover that one of the machines generates a quarantine entry each time even if you delete the previous, so it's something odd.

If I discover what it is I'll drop the results here so that others can gain from it.

Cheers,
Neil
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby ngrayson » Oct 24 05 1:52 am

Adrien,

This gets more confusing:-

4 machines, IE 6 on all.

1 Windows 98, 2 XP Pro SP2 and one XP Pro SP1.

Enter the EICAR test site and all get intercepted by Kaspersky, which is good and what I want.

If I select the address again and hit return, the progress bar at the bottom jogs along and I get another intercept message. I can do this many times. The only machine which generates a quarantine entry each time is the XP SP1 machine, which has an earlier browser. I have checked the settings and they are all set the same (except that some versions have additional options).

Now, to add to the confusion, having had issues with IE6, I downloaded Firefox 1.0.7, which is much better behaved.

Below is the proxy log of the same test; the first is when I type the entry and the other two were when I selected the address and hit return. It does indeed show three attempts to go to the site in the proxy log, each was apparently intercepted, and yet there is only one quarantine entry.

I'm stupefied how one machine can do it and yet the others can't?

On the machine where IE6 SP1 works as I would expect, I install Firefox and it generates a request each time but only one quarantine entry.

It's clearly not the machine and something to do with IE 6/Firefox. Does anyone have any ideas? I'm not concerned that I'm not protected, that is clearly working, it's just the fact that I don't know in the quarantine log and therefore, how can I know for real in the future?

10/23/05 13:11:34 192.168.0.1 administrator 0000007784 Debug: WWW Session sending server request in thread 81c
10/23/05 13:11:34 192.168.0.1 administrator 0000007784 Debug: Server response contains 68 bytes of resource data
10/23/05 13:11:34 192.168.0.1 administrator 0000007784 Debug: WWW Session processing HTTP response in thread 81c - response code 200
10/23/05 13:11:34 192.168.0.1 administrator 0000007784 Traffic 857 446 389 471 9s
10/23/05 13:11:34 192.168.0.1 administrator 0000007783 Requested: http://www.eicar.org/favicon.ico
10/23/05 13:11:34 192.168.0.1 administrator 0000007783 Debug: WWW Session sending server request in thread 1f8
10/23/05 13:11:34 192.168.0.1 administrator 0000007783 Debug: Server response contains 3969 bytes of resource data
10/23/05 13:11:34 192.168.0.1 administrator 0000007783 Debug: WWW Session processing HTTP response in thread 1f8 - response code 200
10/23/05 13:11:35 192.168.0.1 administrator 0000007783 Traffic 11894 359 302 11889 10s
10/23/05 13:11:45 192.168.0.1 administrator 0000007784 Requested: http://www.eicar.org/download/eicar.com
10/23/05 13:11:45 192.168.0.1 administrator 0000007784 Debug: WWW Session sending server request in thread 81c
10/23/05 13:11:45 192.168.0.1 administrator 0000007784 Debug: WWW Session processing HTTP response in thread 81c - response code 304
10/23/05 13:11:45 192.168.0.1 administrator 0000007784 Traffic 123 559 502 281 11s
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby adrien » Oct 26 05 12:59 am

Hi Neil

On the current version of WinGate and KAV, the data is checked once it is retrieved from the server.

Caching can get in the way of this, for instance if you hit refresh in a browser, and the server says "use cached copy". The return code you are seeing of 304 means that the server is telling the client that the file hasn't been modified since the client last got it.

This means the client is sending a request with an "If-Modified-Since" tag in it, which tells the server the date stamp of the version of the file that the client has. The server is telling the client to use its cached copy basically, so there is no further retrieval from the server, and therefore nothing to quarantine.

Try hitting ctrl-refresh. That makes IE do a real refresh without setting If-Modified-Since, which should then result in a quarantine entry for each request.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
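
Adrien's explanation above, applied to the kind of debug log Neil posted, as an added example that is not from the thread or from Qbik: it pairs each logged request with its response code and the bytes retrieved, and lists the requests that gave the scanner nothing to check. The `Fetch` class, the function names and the reading of the `Traffic` line as the end of a request are assumptions made for this sketch.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Six lines copied from the proxy log posted earlier in this thread.
SAMPLE = """\
10/23/05 13:11:34 192.168.0.1 administrator 0000007784 Debug: Server response contains 68 bytes of resource data
10/23/05 13:11:34 192.168.0.1 administrator 0000007784 Debug: WWW Session processing HTTP response in thread 81c - response code 200
10/23/05 13:11:34 192.168.0.1 administrator 0000007784 Traffic 857 446 389 471 9s
10/23/05 13:11:45 192.168.0.1 administrator 0000007784 Requested: http://www.eicar.org/download/eicar.com
10/23/05 13:11:45 192.168.0.1 administrator 0000007784 Debug: WWW Session processing HTTP response in thread 81c - response code 304
10/23/05 13:11:45 192.168.0.1 administrator 0000007784 Traffic 123 559 502 281 11s
"""

# Layout as seen in that log: date, time, client IP, user, session id, message.
LINE = re.compile(r"^\S+ \S+ \S+ \S+ (\d+) (.*)$")
BODY = re.compile(r"Server response contains (\d+) bytes of resource data")
CODE = re.compile(r"response code (\d{3})")

@dataclass
class Fetch:
    url: Optional[str]            # None: the "Requested:" line is outside the excerpt
    body_bytes: int = 0           # bytes actually retrieved from the origin server
    status: Optional[int] = None
    @property
    def reached_scanner(self) -> bool:
        # Per the thread: data is checked once retrieved; a 304 retrieves nothing.
        return self.status != 304 and self.body_bytes > 0

def parse(log: str) -> list:
    pending, done = {}, []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        session, msg = m.groups()
        if msg.startswith("Requested: "):
            pending[session] = Fetch(msg[len("Requested: "):])
            continue
        cur = pending.setdefault(session, Fetch(None))
        if b := BODY.search(msg):
            cur.body_bytes = int(b.group(1))
        elif c := CODE.search(msg):
            cur.status = int(c.group(1))
        elif msg.startswith("Traffic"):   # assumed to be the last line of a request
            done.append(pending.pop(session))
    return done

def unscanned(log: str) -> list:
    return [f.url for f in parse(log) if not f.reached_scanner]
```

Run over a full log, a request count higher than the quarantine count is expected whenever the difference is made up of 304 responses.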

Postby ngrayson » Oct 26 05 7:24 am

Hi Adrien,

That's the one mate!! Mystery solved.

Since I'm blindly trusting KAV to do the job, I needed absolute confidence and to understand the discrepancy.

As far as I am concerned, I now do so and the case is closed.

Thanks for all the help,

One very happy punter!

KAV is another quality product.

Neil
BTW I see that you're about to update KAV; since I have only just bought it, will I get a free upgrade?
ngrayson
Senior Member
 
Posts: 178
Joined: Sep 28 03 12:13 am
Location: UK

Postby adrien » Oct 26 05 9:26 am

It will use the same license, so you would just upgrade KAV, and activate your KAV license.

Cheers

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
