Proactive detection mode vs. Stream detection mode

As I wrote a while ago, we had great performance improvements with Antivirus scanning in the R71 release. On the same UTM-1 hardware the throughput doubled. While this was true for my lab testing, real-world testing didn't show the same results: upgraded systems had no better AV performance and showed only slightly more overall performance.

The reason for that is that an upgraded system keeps the old way of detecting viruses, the Proactive detection mode. In this mode, the traffic is trapped by the kernel and forwarded to the security server. The security server then forwards the traffic to the Antivirus engine, and the traffic is allowed or blocked depending on the response of the Antivirus engine. The whole file must be stored first before it can be scanned.

The new Stream detection mode doesn't need to store the file for scanning. Stream detection is able to scan uncompressed and compressed traffic while it is passing through the gateway's kernel, doing decompression on the fly.

Stream detection mode works signature-based only, whereas Proactive detection mode works with Antivirus signatures and, in addition, with a sandbox where heuristic behaviour scans are done to detect malware even if no signature is available yet.
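To make the difference between the two modes concrete, here is an added illustration (my own example, not Check Point code): a store-then-scan check that needs the complete object, next to a chunk-by-chunk scanner that inflates compressed data on the fly with zlib. The signatures, the sample "download" and the chunk size are all constructed for the demo, and the byte patterns only stand in for real AV signatures. The example also shows the failure mode a streaming scanner has to handle: a signature that straddles a chunk boundary is missed unless the scanner carries the tail of the previous chunk forward.

```python
import zlib

# Constructed demo signatures: short byte patterns stand in for real AV signatures.
SIGNATURES = {
    b"EICAR-TEST": "eicar-demo",
    b"DROPPER-MARKER-77": "dropper-demo",
}
MAX_SIG_LEN = max(len(s) for s in SIGNATURES)   # 17 with the table above


def scan_stored(payload: bytes) -> list[str]:
    """Proactive-style check: the complete object is buffered, then scanned once.
    Nothing can be forwarded until the whole file has been received."""
    return [name for sig, name in SIGNATURES.items() if sig in payload]


class StreamScanner:
    """Stream-style check: inspects each chunk as it passes, inflating compressed
    data on the fly. With carry_over=True it keeps the last MAX_SIG_LEN-1 bytes of
    the previous data so a signature split across two chunks is still matched;
    carry_over=False shows what a naive per-chunk scan misses."""

    def __init__(self, compressed: bool = False, carry_over: bool = True):
        self.carry_over = carry_over
        self.tail = b""
        self.hits: list[str] = []
        # wbits=47 (32 + 15) lets zlib auto-detect a gzip or zlib header.
        self.inflater = zlib.decompressobj(wbits=47) if compressed else None

    def _scan(self, data: bytes) -> None:
        window = self.tail + data
        for sig, name in SIGNATURES.items():
            if sig in window and name not in self.hits:
                self.hits.append(name)
        # Keep just enough bytes to complete a signature that began in this window.
        self.tail = window[-(MAX_SIG_LEN - 1):] if self.carry_over else b""

    def feed(self, chunk: bytes) -> bool:
        """Scan one chunk as it arrives; True means it may be forwarded."""
        if self.inflater is not None:
            chunk = self.inflater.decompress(chunk)
        self._scan(chunk)
        return not self.hits

    def finish(self) -> list[str]:
        """Drain any output the inflater still holds, then report all matches."""
        if self.inflater is not None:
            self._scan(self.inflater.flush())
        return self.hits


def demo(chunk_size: int = 7, compressed: bool = False):
    """Run both strategies over a constructed download whose signature straddles
    a chunk boundary at chunk_size=7; returns (stored, streamed, naive) hits."""
    payload = b"header:" + b"EICAR-TEST" + b":trailer"   # signature at bytes 7..16
    wire = zlib.compress(payload) if compressed else payload
    careful = StreamScanner(compressed=compressed, carry_over=True)
    naive = StreamScanner(compressed=compressed, carry_over=False)
    for i in range(0, len(wire), chunk_size):
        chunk = wire[i:i + chunk_size]
        careful.feed(chunk)
        naive.feed(chunk)
    return scan_stored(payload), careful.finish(), naive.finish()


if __name__ == "__main__":
    print(demo())                      # (['eicar-demo'], ['eicar-demo'], [])
    print(demo(compressed=True))
```

The stored scan and the carry-over stream scan agree on the uncompressed download, while the naive per-chunk scan returns nothing because "EICAR-T" and "EST:tra" arrive in different chunks. What neither streaming variant can do is the sandbox behaviour analysis of Proactive mode: with no signature in the table, the stream scanner has no verdict to give.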

Stream detection is the default on fresh installations, which is why fresh R71 installations show the big performance improvement.

The mode can be changed within SmartDashboard -> Antivirus & URL Filtering tab -> Antivirus -> Security Gateway, and then choosing the desired protocol.

Figure: Configuration of Antivirus detection mode

HTTP and SMTP can use either Stream detection mode or Proactive detection mode; POP3 and FTP only work with Proactive detection mode.

While I appreciate the performance improvement that can be gained using Stream detection mode, I think we lower security a little bit by abstaining from Proactive detection mode.

This decision should be made with careful consideration of the specific setup and customer needs. If you use solely Stream detection mode, make sure to have a good Antivirus solution from another vendor running on the end user's desktop to double-check for malware.
