Product Reviews

Download Lockdown

Worried about trojans and viruses sneaking in with downloaded files? DownloadSecurity can help you stop them at the gate.

• By Chad Todd
• 02/01/2005

If you’re running Internet Security and Acceleration (ISA) Server in your environment, then GFI DownloadSecurity could be a solid addition to your security infrastructure.

Two of the more common ways a virus can get into your network are through e-mail and Internet surfing. A lot of companies put e-mail scanning software on every workstation and server. Any message containing a virus is deleted or quarantined for administrator approval. While this is effective, it isn’t the most efficient way to protect your company from infected downloads.

Passing the Test
DownloadSecurity scans all HTTP and FTP downloads and provides virus protection, trojan and executable analysis, and file blocking based on file types and file extensions. Only after a file passes all of those tests can you then download it to your network. You can configure the software to either automatically delete or quarantine suspect files.

DownloadSecurity supports four virus engines—Norman Virus Control (www.norman.com), BitDefender (www.bitdefender.com), Kaspersky (www.kaspersky.com) and McAfee (www.nai.com)—that you can enable in any combination. Using multiple engines increases the probability for effective virus detection, but using all four slows down network operations too much. Using two engines provides a good balance of security and performance.

Norman and BitDefender, along with a year of updates for each, are included with DownloadSecurity. The software automatically installs new virus definition files as they are released. Kaspersky and McAfee are available for the first 30 days as a free trial, but you must purchase them separately after that.

A Horse Is a Horse
The virus engines will detect any known trojans, scanning against more than 35 definitions in the trojan and executable database (see Figure 1). You can configure the sensitivity of the scanner by choosing one of three settings:

• Low Security: Quarantines files containing at least one high-risk signature.
• Medium Security: Quarantines files containing at least one high-risk signature or multiple low-risk signatures.
• High Security: Quarantines all files that match any signature.

Figure 1. DownloadSecurity’s trojan and executable scanner compares a suspect file’s actions against a database of more than 35 prescribed definitions. (Click image to view larger version.)

For unknown trojans, DownloadSecurity uses a trojan analyzer. The software disassembles all executable files and compares their action to a database of known trojan actions. Any file matching a trojan signature is considered malicious and quarantined. For example, DownloadSecurity will check to see if an executable tries to add or modify local users or groups. If so, it will quarantine that file.

DownloadSecurity also scans attachments. You can configure different rules and apply each rule based on the domain user name or group membership. Set up the rules to block all downloads, block downloads based on a list of file extensions or block files based on file size.

When a file matches the rule, you can configure the software to either quarantine, delete or move the file to a specific folder. DownloadSecurity will then send a notification to the user, the user’s manager or both. You can choose to log blocked activity for auditing purposes. DownloadSecurity also includes a decompression engine (that recognizes more than 70 compression formats) to decompress files for scanning.

Whenever DownloadSecurity quarantines a file, it sends an e-mail alert to the user who attempted to download the file and to that user’s manager (or you, as the administrator). By default, the moderator is the user’s manager. You can then approve the download, delete the download, or delete the download and then notify the user of your action.

You can also manage quarantined files via the Windows moderator client or the Web-based moderator client.

Meeting Expectations
The real beauty of DownloadSecurity is how quickly you can have it installed and running. The install takes less than 10 minutes and doesn’t require a reboot. The default settings are too restrictive for many environments, but any good security product should err on the side of being too restrictive.

The installation defaults include the following settings:

• All four virus engines are enabled. (I typically change this right away to just use two engines.)
• Trojan and executable analysis is enabled and set to medium security.
• Attachment checking is enabled for all users and set to quarantine any download ending with a specified extension. Most of the typical extensions are included.

GFI has done a good job with DownloadSecurity. I run it at my training center to protect all my classroom systems from viruses while students are surfing the Internet. It’s easy to administer and lives up to its claim of controlling all traffic coming into your network.