Thorough, deep-level filtering of network traffic has become essential because of spam, viruses, trojans, and other malicious content. This task is performed most conveniently at the network perimeter, as all traffic to and from the Internet must pass this point. The Zorp Content Vectoring (ZCV) framework - building on the Zorp application-level gateway - can analyze more than 10 traditional and embedded protocols, and natively supports high availability and load balancing. ZCV also helps to filter encrypted protocols (HTTPS, POP3S, etc.), which are used to download malicious code with increasing frequency.
The Zorp application-level gateway inspects only the protocol-specific part of the traffic; ZCV examines the content. ZCV is not a content-vectoring engine itself, but a framework that provides a uniform interface to manage and configure several content-vectoring modules, such as virus and spam filters. Zorp passes the data to be examined to ZCV, along with parameters such as the traffic type. ZCV forwards the data to the content-vectoring modules, so the actual content filtering is performed independently from Zorp, and can even be performed on separate machines. This architecture supports content-vectoring clusters as well.
ZCV can be configured to examine the data with different modules, or with different configurations of the same module, based on the parameters of the inspected connection or file. The same module can inspect different services with different parameters: for example, a virus-filtering module can examine all files passing the firewall in HTTP traffic and all e-mail attachments, each with its own settings. Different types of files or traffic can be inspected by different groups of modules. In the above example, the HTTP traffic can be inspected with a virus filter and a content-vectoring module that removes all client-side scripts, while the same virus filter module (possibly with different settings) and a spam filter can examine the e-mails.
ZCV supports so-called trickling to avoid timeouts and increase user satisfaction. This means that the proxy sends small pieces of data to the client, so that from the client's point of view the data arrives steadily, but slowly. Trickling can start while the file is still being downloaded, so the trickled data has not yet been filtered for viruses. In theory, this could allow a virus to get through undetected. To avoid this situation, ZCV calculates the amount of data that may be trickled from the size of the downloaded file. Since the trickled part of the file is incomplete, the chance of a working virus reaching the client is negligible.
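A toy model of the trickling behaviour described above, added here as an example and not ZCV's own code. The page only states that the trickled amount is derived from the file size; the concrete hold-back formula (`max_fraction`, `min_hold_back`) and the `scanner` callback are assumptions made for this illustration.

```python
"""Simulated proxy: trickle a bounded prefix while the file downloads, then gate
the remainder on the scan verdict. Added example; the policy constants are
assumptions, not ZCV's documented values."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Client:
    """What the downstream client has received so far."""
    received: bytearray = field(default_factory=bytearray)


def trickle_budget(total_size: int, max_fraction: float = 0.2,
                   min_hold_back: int = 4096) -> int:
    """Bytes that may be sent before the verdict (assumed policy): never more
    than max_fraction of the file, and always hold back at least min_hold_back
    bytes so the delivered prefix can never be the complete file."""
    budget = int(total_size * max_fraction)
    return max(0, min(budget, total_size - min_hold_back))


def relay(data: bytes, scanner: Callable[[bytes], str], client: Client,
          chunk: int = 1024) -> str:
    """Trickle up to the budget in small chunks, scan the complete file, then
    either flush the remainder or stop (the real system would quarantine)."""
    budget = trickle_budget(len(data))
    sent = 0
    while sent < budget:
        step = min(chunk, budget - sent)
        client.received += data[sent:sent + step]   # keeps the client from timing out
        sent += step
    verdict = scanner(data)                          # module sees the whole file
    if verdict == "clean":
        client.received += data[sent:]
        return "delivered"
    return "blocked"                                 # client holds only an incomplete prefix


# Constructed sample: a 10 000-byte download and two stub scanner verdicts.
SAMPLE = bytes(range(256)) * 39 + b"\x00" * 16      # 9984 + 16 = 10000 bytes
clean_scanner = lambda _data: "clean"
infected_scanner = lambda _data: "infected"

if __name__ == "__main__":
    c = Client()
    print(relay(SAMPLE, infected_scanner, c), len(c.received))  # blocked 2000
```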
Files that the content-vectoring modules reject as infected or spam are usually deleted. As this is not always acceptable, the data must be stored temporarily in a safe location until it is determined whether it contains any important information. Sometimes a file is important even if it is infected, because disinfection is not always possible and can also damage the file. Also note that virus and spam filters are not infallible, and occasionally reject "innocent" files or e-mails.
All ZCV modules use a common quarantine. The size of the quarantine is flexibly adjustable based on the number, size, or date of the files in the quarantine. Such rules can be assigned to the different types of quarantined files based on the metadata stored about each file (e.g. type of infection, protocol used, sender of the e-mail).
With the help of ZCV, Zorp can filter over 10 protocols for viruses, including encrypted protocols like HTTPS and POP3S.
Currently ZCV supports the following modules: