IPS virus scan

whittington_uk · ‎10-27-2006

How conclusive is the packet scanning used by Cicso IPS? Would I be correct in suggesting that no uploaded file scan is required by the receiving server application if the packets passed through the IPS? Can viruses be properly detected piece meal (e.g. in packets) or, to ensure all known viruses are caught, do I again need to run virus software on the entire file?

mhellman · ‎10-27-2006

I have never seen the Cisco IPS referred to as an anti-virus product and have never seen it reviewed in that capacity. I would say it is unlikely to provide adequate protection from virii.

Even if you had a good gateway solution for anti-virus(which Cisco IPS isn't), I would still recommend running anti-virus software on your hosts.

whittington_uk · ‎10-27-2006

It has been suggested to me via a hosting company that the packet scanning for virus signatures within CISCO IPS was an effective measure for detecting malicious file uploads. What I'm taking away from you response is that it is not one of it's primary objectives or an effective one either.

RichardSW · ‎10-27-2006

I agree. It may stop some network worms that rely on buffer overflows to infect their target hosts, but you don't typically have ports open on the edge of your network that would allow that traffic to pass anyway. Maybe its helpful stopping some spyware/adware downloaded via malicious java applets, vbscript, and images - but that is also better stopped by strict policies on your machines.

Basically the IPS is good for recognizing and stopping network intrusions and in some cases extrusions. However if one of your users is uploading or downloading a malicious or confidential file over https/ssl, the IPS won't be able to see it anyway.

mhellman · ‎10-27-2006

Details matter(define malicious file uploads), but in general that is correct. A Cisco IPS sensor is not designed to protect against virus uploads.