Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Wednesday, January 19, 2011

Does Anti-Malware Ruin the Web Experience?

Surprisingly, many admins who install secure web gateways or web proxies choose not to run an anti-malware or anti-virus engine on inbound web traffic. The same administrators wouldn't dream of letting email into the company without a virus scan, yet they don't hesitate to let web traffic in without one. I've talked elsewhere about why you absolutely need anti-malware at the web gateway.

One reason I've heard for this reluctance is the end-user experience when scanning is on. For most end-users the web is a vehicle for instant gratification, and a delay of more than a second is generally considered unacceptable. Malware scanning inevitably introduces a delay, even if it's only on the order of hundreds of milliseconds.

What's even more surprising is that when an admin does agree to implement malware scanning, it's quite common for them to ask that it run on the same system as the web gateway, rather than on a separate scanning server (its own CPU) linked to the gateway via ICAP. With the scanner on the gateway you still pay the scanning delay, and unless you're a fairly small site you've also slowed down the gateway itself, because every scan now competes with proxying for the same CPU; that second delay may be exactly why admins see scanning as a problem. Offloading the scanning to a separate CPU keeps the web gateway performing optimally and gives the best response time for delivering web pages to the end-user.
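To make the ICAP hand-off concrete, here is an added example (my code, not the blog's and not any vendor's) of how a gateway packages an origin server's response into an ICAP RESPMOD request for a separate scanning box, and how it reads the scanner's verdict. The host name icap.example.internal and the /avscan service path are assumptions; the X-Virus-ID reply header is a convention some AV ICAP servers use, not part of RFC 3507; and the scanner replies at the bottom are constructed so the whole thing runs offline.

```python
"""Handing an HTTP response to an off-box scanner over ICAP RESPMOD (RFC 3507).

Added example for this article, not code from the blog or any vendor.
Assumptions: the ICAP host name and the /avscan service path are made up,
and the X-Virus-ID reply header is a convention used by some AV ICAP servers,
not part of the RFC. The scanner replies in __main__ are constructed.
"""
from typing import Dict, Tuple

CRLF = b"\r\n"


def chunked(body: bytes, chunk_size: int = 4096) -> bytes:
    """Encode the response body with HTTP/1.1 chunked transfer coding,
    which ICAP requires for the encapsulated res-body."""
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        piece = body[i:i + chunk_size]
        out += f"{len(piece):x}".encode() + CRLF + piece + CRLF
    out += b"0" + CRLF + CRLF          # last-chunk marker ends the body
    return bytes(out)


def build_respmod(icap_host: str, status_line: str, headers: Dict[str, str], body: bytes) -> bytes:
    """Build the RESPMOD request the gateway sends to the scanning server.

    The Encapsulated header carries byte offsets, measured from the start of
    the encapsulated section: the origin server's response headers start at 0
    and the (chunked) body starts right after them."""
    res_hdr = status_line.encode() + CRLF
    for name, value in headers.items():
        res_hdr += f"{name}: {value}".encode() + CRLF
    res_hdr += CRLF                    # header block must end with an empty line
    icap_hdr = (
        f"RESPMOD icap://{icap_host}/avscan ICAP/1.0".encode() + CRLF   # service path is assumed
        + f"Host: {icap_host}".encode() + CRLF
        + b"Allow: 204" + CRLF         # scanner may answer 204 (clean, unmodified) without echoing the object
        + f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}".encode() + CRLF
        + CRLF
    )
    return icap_hdr + res_hdr + chunked(body)


def parse_icap_reply(reply: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased headers) from an ICAP reply."""
    head, _, _ = reply.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    _version, code, *_reason = lines[0].decode().split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def verdict(reply: bytes) -> str:
    """Turn the scanner's ICAP reply into a gateway decision."""
    code, headers = parse_icap_reply(reply)
    if code == 204:
        return "clean"                       # pass the original object through untouched
    if code == 200 and "x-virus-id" in headers:   # assumed AV-server convention
        return "infected:" + headers["x-virus-id"]
    if code == 200:
        return "modified"                    # scanner replaced the object (e.g. with a block page)
    return f"error:{code}"


if __name__ == "__main__":
    req = build_respmod("icap.example.internal", "HTTP/1.1 200 OK",
                        {"Content-Type": "application/octet-stream", "Content-Length": "5"}, b"hello")
    print(req.decode(errors="replace"))
    # Constructed replies standing in for the scanner:
    print(verdict(b'ICAP/1.0 204 No Content\r\nISTag: "av-sig-2011-01-19"\r\n\r\n'))
    print(verdict(b"ICAP/1.0 200 OK\r\nX-Virus-ID: EICAR-Test-File\r\n"
                  b"Encapsulated: res-hdr=0, res-body=80\r\n\r\n"))
```

The detail worth checking in any ICAP integration is the Encapsulated offsets: they are byte counts into the section that follows the ICAP headers, so a stray header or a missing blank line shifts them and the scanner reads the body from the wrong place. Sending "Allow: 204" is what lets the scanning box answer a clean object with a tiny 204 instead of streaming the whole file back, which matters when the scanner lives on a separate CPU and the object is large.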

There are also some newer tools that make scanning of large files more bearable. Gone are the days of requiring "patience" pages (pages displayed to the browser asking the user to wait while an object is being scanned). Today, advanced web gateways support "trickle" scanning, in either a "trickle first" or a "trickle last" form. Trickling lets part of a download reach the browser while the scan is still in progress, so the browser can show the end-user that activity is occurring rather than the "hung" status users saw before trickle was available. The gateway lets most of the file through but holds back the last part until the scan completes, and if the scan finds the object malicious it aborts the download, so the user is left with only an incomplete copy. The caveat is that the protection depends on the held-back tail being large enough that the incomplete copy is not usable; hold back too little and the user may already have all of the object that matters.
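The hold-back-the-tail behaviour described above, as an added example that is not the blog's code and not taken from any gateway product: a proxy-side generator streams the object to the client while the scan runs in a background thread, never releases the last `holdback` bytes before a clean verdict, and aborts the transfer if the verdict is "malicious". The scanner is a constructed stand-in that sleeps and then looks for the EICAR test string; in a real gateway that wait would be on the ICAP reply. The 10 KiB "download" and the 4096-byte hold-back are constructed values.

```python
"""Trickle scanning, simulated: stream a download to the client while the
scan runs, hold back the tail, and abort if the verdict is "malicious".

Added example for this article, not code from the blog or from any gateway
product. The scanner here is a constructed stand-in (it sleeps, then looks
for the EICAR test string); a real gateway would be waiting on an ICAP reply.
"""
import threading
from time import sleep
from typing import Callable, Iterator, Tuple

# Standard anti-virus test string: harmless, but every AV engine flags it.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def sample_scanner(obj: bytes, seconds: float = 0.2) -> bool:
    """Constructed stand-in for the AV engine: slow, flags EICAR."""
    sleep(seconds)
    return EICAR in obj


class MalwareDetected(Exception):
    def __init__(self, withheld: int):
        super().__init__(f"download aborted, {withheld} bytes withheld")
        self.withheld = withheld


def trickle(obj: bytes, scan: Callable[[bytes], bool],
            holdback: int = 4096, chunk: int = 512, pace: float = 0.01) -> Iterator[bytes]:
    """Yield the object to the client in pieces while `scan` runs in the background.

    The last `holdback` bytes are never released before a clean verdict; if the
    object is smaller than `holdback`, nothing is released before the verdict."""
    done = threading.Event()
    result = {"malicious": False}

    def run_scan():
        result["malicious"] = scan(obj)
        done.set()

    threading.Thread(target=run_scan, daemon=True).start()

    releasable = max(0, len(obj) - holdback)
    sent = 0
    # Pace the releasable part out while the scan is running, so the browser
    # sees steady progress instead of a hung connection.
    while sent < releasable and not done.is_set():
        piece = obj[sent:min(sent + chunk, releasable)]
        sent += len(piece)
        yield piece
        done.wait(pace)
    done.wait()                                   # block for the verdict
    if result["malicious"]:
        raise MalwareDetected(len(obj) - sent)    # client keeps only a truncated copy
    yield obj[sent:]                              # clean: flush the rest, tail included


def fetch_through_proxy(obj: bytes, scan: Callable[[bytes], bool], **kw) -> Tuple[bytes, str]:
    """What the client ends up with, and why."""
    received = bytearray()
    try:
        for piece in trickle(obj, scan, **kw):
            received += piece
    except MalwareDetected as exc:
        return bytes(received), str(exc)
    return bytes(received), "delivered"


if __name__ == "__main__":
    clean = bytes(range(256)) * 40             # constructed 10 KiB "download"
    print(fetch_through_proxy(clean, sample_scanner)[1])
    data, why = fetch_through_proxy(clean + EICAR, sample_scanner)
    print(why, "- client received", len(data), "of", len(clean) + len(EICAR), "bytes")
```

Two edge cases are handled deliberately: an object smaller than the hold-back size is released only after the verdict (so a small malicious file is never partly delivered), and a scan that finishes before the paced trickle is done simply flushes the remainder at once. How much to hold back is the knob that trades user feedback against safety; the size here is an assumed value, not a recommendation.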

So if you're reluctant to implement anti-virus and anti-malware scanning, look at offloading the scanning to a separate CPU and implementing trickle to give the user feedback while longer scans run; you may find that anti-malware scanning is more acceptable in real-time web environments than you previously thought.
