Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, January 20, 2011

Questions from a Newbie

I recently got this question with regard specifically to Blue Coat's products, and thought there might be others out there that were confused by this as well, so I'm republishing it here. The answer is the same for other similar web gateway products.

Hi Timothy,

I'm hoping you can clarify the features of ProxyAV and WebFilter for me. As far as I can tell, they both do inline malware detection as well as antivirus scanning.

It appears that ProxyAV is an additional hardware appliance you can use in conjunction with ProxySG, whereas WebFilter is just software that runs on ProxySG.

Is this correct? Are there differences between their functionality, or are they just two implementations of the same end result?


ProxyAV is a separate appliance and talks with ProxySG over a protocol called ICAP. It runs actual AV engines, and you can choose to purchase an AV license to run either Kaspersky, Sophos, McAfee, or Panda software on the ProxyAV device. It will scan any files you attempt to download from the web via the ProxySG for viruses and malware.

BCWF (Blue Coat Web Filter), on the other hand, is a URL categorization database and back-end cloud service known as Webpulse. It puts URLs in categories. For example, google.com is in the category “Search Engines/Portals”. Some URLs are in multiple categories, for example, www.facebook.com/farmville is in both “Social Networking” and “Games”.

There is a “Malware” category in BCWF, but BCWF doesn’t actually scan for viruses. It knows that a particular URL contains a virus and keeps that URL in the category. Because of this, if a site is in an allowed category, e.g. google.com in “Search Engines/Portals”, and google.com somehow gets infected with a virus, the ProxySG wouldn’t block the download of that virus, even if you had the entire “Malware” category blocked, unless you also had ProxyAV turned on to do file scanning and it detected the virus. For new URLs and new malware, the categorization often isn’t in the local BCWF database, and the ProxySG can rely on up-to-date categorizations from the Webpulse cloud, which can also do real-time categorization.

Because virus scanning is also typically more CPU intensive, you would rather not send traffic to it if you don’t have to. Having BCWF filtering with Webpulse come first provides a quick URL database search, and if the URL is in the malware, phishing, or spyware categories, you can block a significant number of threats without using the resources of the ProxyAV engine.
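The ordering described above can be sketched as a small model. This is an added illustration, not Blue Coat code or policy syntax: the hostnames, the two lookup tables, the `Gateway` class and the byte-string "signature" are all constructed for the example, and the scan function only stands in for the ICAP hand-off to the AV appliance.

```python
# Toy model of category lookup first, content scan second (all data constructed).
BLOCKED_CATEGORIES = {"Malware", "Phishing", "Spyware"}

# Stand-in for the local URL categorization database on the gateway.
LOCAL_DB = {
    "search.example": {"Search Engines/Portals"},
    "social.example/game": {"Social Networking", "Games"},
    "known-bad.example": {"Malware"},
}
# Stand-in for fresher categorizations held by the cloud service.
CLOUD_DB = {"new-bad.example": {"Phishing"}}

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"  # placeholder, not a real AV signature


class Gateway:
    def __init__(self):
        self.av_scans = 0  # counts how often the expensive step actually runs

    def categorize(self, url):
        # Local lookup first; fall back to the cloud for URLs the local DB lacks.
        if url in LOCAL_DB:
            return LOCAL_DB[url]
        return CLOUD_DB.get(url, {"Uncategorized"})

    def av_scan(self, body):
        # Stand-in for sending the response body to the scanning appliance.
        self.av_scans += 1
        return SIGNATURE in body

    def handle(self, url, body):
        if self.categorize(url) & BLOCKED_CATEGORIES:
            return "blocked:category"  # cheap path, content is never scanned
        if self.av_scan(body):
            return "blocked:av"        # allowed category, infected content
        return "allowed"


def run_demo():
    gw = Gateway()
    requests = [
        ("known-bad.example", b"anything"),              # in local DB as Malware
        ("new-bad.example", b"anything"),                # only the cloud knows it
        ("search.example", b"<html>results</html>"),     # clean, allowed category
        ("search.example", b"payload " + SIGNATURE),     # allowed site, bad file
    ]
    return [gw.handle(u, b) for u, b in requests], gw.av_scans


if __name__ == "__main__":
    print(run_demo())
```

Of the four constructed requests, two are stopped by category alone and only two reach the scanner, one of which is the "allowed site serving an infected file" case that category filtering cannot catch.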
