
Is Virus Blocker worth it over Virus Blocker Lite?


  • Is Virus Blocker worth it over Virus Blocker Lite?

    I have Bitdefender Endpoint Security already on all my Windows devices and am just wondering if it is worth buying the Virus Blocker app to add to my Untangle Home Pro subscription, and what will it give me that the Virus Blocker Lite app won't?

    As it is licensed per device, can I restrict just the paid Virus Blocker app to certain devices (so as not to use up all the licensed devices) for the Virus Blocker app whilst ensuring those restricted from accessing the Virus Blocker app can still access all the other apps including Virus Blocker Lite?

    In other words and in order to not use up all the licenses, restrict devices to only the paid for version of the Virus Blocker App?


    Regards: Elliott.

  • #2
    Without calling into question the broad value of the Virus Blocker app, I would not, in your case, add the app.



    • #3
      The malware category in Web Filter does 99.9% of the lifting already. And as Virus Blocker itself uses Bitdefender if I recall correctly... you're not adding any extra layers if you're using that on the end point...

      So no, not much value there.
      Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
      NexgenAppliances.com
      Phone: 866-794-8879 x201
      Email: [email protected]



      • #4
        As much as I read into the Virus Blocker App - It uses ScoutIQ Cloud AV and Bitdefender Engine.

        What is ScoutIQ -> https://www.untangle.com/cloud/scout-iq/

        Virus Blocker App -> https://www.untangle.com/shop/Virus-Blocker/

        Plus it uses MIME Types - To Scan at appliance level is much better than the PC has to scan for it.

        The Firewall should always be the first line of defense!

        Best regards
        Val.



        • #5
          Originally posted by Valvaris
          As much as I read into the Virus Blocker App - It uses ScoutIQ Cloud AV and Bitdefender Engine.

          What is ScoutIQ -> https://www.untangle.com/cloud/scout-iq/

          Virus Blocker App -> https://www.untangle.com/shop/Virus-Blocker/

          Plus it uses MIME Types - To Scan at appliance level is much better than the PC has to scan for it.

          The Firewall should always be the first line of defense!

          Best regards
          Val.
          Wow! Welcome to the forums and dang, you took a perfect swing and hit one plumb over the bleachers and out-of-the-park!
          Clear, concise, and researched. Impressive!
          Vanguard Untangle...because nothing's worse than doing nothing!
          -------
          2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
          And building #7 didn't kill itself!



          • #6
            Originally posted by Valvaris
            The Firewall should always be the first line of defense!
            Completely agreed. But let's think about the question before us:

            [I] am just wondering if it is worth buying the Virus Blocker app to add to my Untangle Home Pro subscription and what will it give me that the Virus Blocker Lite app won't?
            As I read the question, it's a practical question not a best practices question. Because as a practical question, a question about adding additional cost to the subscription, it's not as straightforward as a best practices question might be.

            There is perimeter antivirus protection in this scenario through Virus Blocker Lite. In this case, "Lite" is a little misleading since unlike all the other Untangle Lite apps, Virus Blocker Lite is intended to complement rather than be replaced by Virus Blocker.

            Virus Blocker Lite, like Virus Blocker, uses MIME types.

            There is perimeter malware protection through Web Filter. Experience has shown that Web Filter reduces the impact of the Virus Blocker suite by being the first line of defense.

            There is, in this scenario, a concern about managing the Virus Blocker license carefully and selectively.

            So while I agree with your conclusion about perimeter defense as the best first line of defense, I personally can't make the argument, as a practical matter, that this HomePro user should invest in the $108/25 seat Virus Blocker license. I can't document a clear advantage over the tools already in place. That may be a defect in me, but just to explain my position.

            EDIT: I'm a little confused about Virus Blocker Lite and whether ScoutIQ is part of that app under the HomePro license. I don't recall there being discussion that Scout IQ is not included with Virus Blocker Lite under the HomePro license, but it is otherwise a feature of Virus Blocker Lite.
            Last edited by Sam Graf; 05-23-2020, 06:52 AM. Reason: Amending the content



            • #7
              Hmm... strange the Virus Blocker is included with the HomePro Lic.

              Here a screenshot:
              [Image: 2020-05-23_16-32-51.png]

              Scout IQ is not part of Virus Blocker Lite:
              Don’t wait until viruses infect your devices—block them at the gateway. Modern malware threats target servers, appliances, laptops, tablets, and even mobile phones. While it is important that all of these devices have end-point protection—with the latest versions of software and virus signatures—you may struggle with control over these devices as they connect offsite to


              A lot of difference on the feature list.

              Of course I myself use Virus Blocker, Webfilter, Firewall and Application Control with SSL Inspection. Works great together btw... ^^

              Sincerely
              Val.
              Last edited by [email protected]; 05-23-2020, 07:42 AM.



              • #8
                Originally posted by Valvaris
                Scout IQ is not part of Virus Blocker Lite:
                Don’t wait until viruses infect your devices—block them at the gateway. Modern malware threats target servers, appliances, laptops, tablets, and even mobile phones. While it is important that all of these devices have end-point protection—with the latest versions of software and virus signatures—you may struggle with control over these devices as they connect offsite to


                A lot of difference on the feature list.
                As I pointed out via a link to it, the Untangle demo demonstrates that ScoutIQ is in fact a feature of Virus Blocker Lite. It is a feature of my home instance of Virus Blocker Lite.

                My problem as a home user is that I'm a Home licensee. Early adopters of the Home license, long since superseded by HomePro, have a slightly different product from the HomePro product, so that introduces a little uncertainty when I'm talking about home license features.

                But that there are differences between the actual features of Virus Blocker and Virus Blocker Lite is a good sign, since they're complementary tools. Since Virus Blocker Lite is based on the venerable Clam AV, and since Clam AV is much better known for false positives rather than false negatives, and since I exclusively use Clam AV-based scanners on all my GNU/Linux boxes, maybe I'm just overly comfortable with Clam AV.



                • #9
                  The ClamAV engine also uses a bucket more RAM, so in terms of system resources per session scanned, Virus Blocker is a substantial upgrade.

                  I still find WebFilter does most of the lifting in this space though.
                  Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                  NexgenAppliances.com
                  Phone: 866-794-8879 x201
                  Email: [email protected]



                  • #10
                    As I understand it (and the reason I don't bother with the Virus app) is that it can't scan https/smtps/imaps traffic unless you use the SSL Inspection app that is mentioned above. If you're one of the folks whose belief and requirements dictate the trade-off issues of using SSL Inspection is not worth it, then it's also not worth using the Virus app.

                    If you're running an open protocol server like FTP then yeah it makes more sense to use it.

                    I'm not familiar if the virus app scans SMB that doesn't cross a subnet or other egress point the firewall controls. I'd never use this app as a replacement for an antivirus solution for local clients - particularly if you have many of them.

                    As mentioned above, using some of the other Untangle apps to supplement a dedicated client side antivirus solution will help detect anomalies and patterns, especially when using SIEM products where everything all works together as more of a holistic solution.

                    There's just so many things to think about with SSL Inspection when used for business - all the legal aspect and policies around it such as HIPAA, GDPR, ISO, data obfuscation, end user waivers/notifications etc.

                    So for the reasons above in my personal environment, I leave the virus app off and reclaim some extra CPU cycles for other things.
                    Last edited by propellherhead333; 05-23-2020, 10:39 PM.



                    • #11
                      So this had me really curious to do more reading and my assumptions in my original reply were correct.

                      Both pro and lite versions need open protocols to work. So much of the web no longer uses this anymore. The only practical use for this is if you're running an ftp server for support or what have you.

                      The cloud resources to supplement the local scan engine is cool and certainly a value added feature but if you're using the SSL Interceptor you will have to rely on the cloud service provider to properly anonymize the (meta)data. The Untangle write up talks a bit about scanning URLs which to me sounds redundant to the webfilter / IPS apps. If the Virus app pulls from another URL DB of known infected sites, then it's value added.

                      All that said though, the virus app (lite or pro) is absolutely NOT a replacement for a local antivirus solution installed at the client level. It just can't technically do the same things given the nature where data sits and is moved.

                      Side note: It blows my mind to find that Untangle offers a Bitdefender scan engine in their dirt cheap paid home user version. pfSense and others rely on ClamAV which is pale by comparison.

                      The full Virus app decompresses and scans archives *IF* they are unencrypted during transit (ie. http/ftp/smtp) AND not encrypted at the file level.


                      Virus Lite
                      [Image: virus-lite-features.jpg]

                      Virus Pro
                      [Image: virus-pro-features.jpg]

                      Virus Pro Showing Open Protocol Scanning Only
                      [Image: scan-traffic.jpg]

                      Virus Pro Options
                      [Image: scout-bit.jpg]


                      Lastly, as you can see by the reports in the paid home version, it's all based on open protocols.

                      [Image: reports.jpg]
                      Last edited by propellherhead333; 05-23-2020, 11:27 PM.



                      • #12
                        Yep, and SSL Inspector while valuable... is a giant pain. Which is why I rely on the malware category in web filter.
                        Rob Sandling, BS:SWE, MCP, Microsoft Certified: Azure Administrator Associate
                        NexgenAppliances.com
                        Phone: 866-794-8879 x201
                        Email: [email protected]



                        • #13
                          Can underline the statements here... unless SSL is not inspected, only a little traffic is hit by the virus blocker in standard home usage. Ironically, most times virus signature updates for the clients.

                          I am using Virus Blocker Lite (ClamAV) and activated ScoutIQ. I think I've read that ScoutIQ is also working with encrypted traffic, but do not exactly know what it does in detail...
                          Last edited by bEeReE; 06-26-2020, 11:19 AM.
