×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Network malware scanner vs IPS

Answered Question
May 28th, 2014
User Badges:

Hello, 

I confused these days about the difference between Network malware scanner and the IPS.

For example - Cisco doesn't have integrated malware scanner in the NGFW, but some vendors have. What is the purpose of having IPS and malware simultaneously? The only thing i can think about is malware scanners can fix infected files (on IronPort ESA for example) and IPS directly drops traffic.

Correct Answer by jason.loera about 3 years 2 months ago

An IPS scans packets whereas a malware scanner scans files. With the Cisco IPS, you can configure in either promiscuous or inline modes. In inline mode, the IPS can identify and drop malicious packets before they're unleashed on the network. In promiscuous mode, a copy of each packet is sent to the IPS and malicious packets are identified after they arrive at their destination. This means viruses, malware, etc. can potentially be activated on the network.

A network malware scanner scans for already installed malware. For instance, if a new flavor of malware is sent as an attachment to an email address on your network, the IPS will not pick it up since it doesn't have a signature for it. If the attachment is opened, it's unleashed. If you have periodic scans done with your network malware scanner, this is something it'll pick up.

Jason

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
jason.loera Wed, 05/28/2014 - 08:13
User Badges:

An IPS scans packets whereas a malware scanner scans files. With the Cisco IPS, you can configure in either promiscuous or inline modes. In inline mode, the IPS can identify and drop malicious packets before they're unleashed on the network. In promiscuous mode, a copy of each packet is sent to the IPS and malicious packets are identified after they arrive at their destination. This means viruses, malware, etc. can potentially be activated on the network.

A network malware scanner scans for already installed malware. For instance, if a new flavor of malware is sent as an attachment to an email address on your network, the IPS will not pick it up since it doesn't have a signature for it. If the attachment is opened, it's unleashed. If you have periodic scans done with your network malware scanner, this is something it'll pick up.

Jason

Alexander Vasilev Sat, 05/31/2014 - 00:14
User Badges:

Thank you for the answer, Jason!

And the malware scanner is working only on specific ports - 80, 443, 25...

I think it is more clear for me now.

Best regards!

Actions

This Discussion