Which filters webpages first? IMON or Proxomitron?

Discussion in 'NOD32 version 2 Forum' started by Devinco, Sep 6, 2004.

Thread Status:
Not open for further replies.
  1. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    The IMON HTTP scanning is working well on a game machine used by teenagers. :) Below is an example of the log. I removed the links per this forum's policy. Also, no slowdown on this P4 2.8 machine.

    Time Module Object Name Virus Action User Info

    9/6/2004 0:23:01 AM IMON (edit) Win32/TrojanDownloader.QDown.L trojan connection terminated

    8/28/2004 2:42:47 AM IMON (edit) Win32/TrojanDownloader.IstBar.NAD trojan connection terminated

    8/23/2004 7:44:38 AM IMON (edit) Win32/SecondThought.C trojan connection terminated

    8/23/2004 7:44:30 AM IMON (edit) Win32/TrojanDownloader.VB.DB trojan connection terminated
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,045
    Location:
    Texas
    Thanks for the info Stan.

    P2k,

    By gurus, I meant software engineers ala Eset. :)
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If IMON is monitoring ports directly, then it will act much like the web filters on most firewalls. In this case, it will filter incoming port 80 traffic before it reaches Proxomitron, Proxomitron will filter and send it to your browser on port 8080 where, I suspect, IMON will filter it again before it reaches your browser (it will see the before/after Proxomitron traffic as separate HTTP connections).
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Paranoid2000,

    So then Proxomitron does not monitor the ports it filters directly?
    If IMON does monitor the ports directly, then would both the firewall and IMON get the data at the same time to filter? If they are both independently scanning/filtering the same data at the same time, who gets to provide the data to Proxo and the web browser?

    It is kind of confusing.
     
  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Devinco,
    Filtering is not parallel, but sequential.

    Server <--> IMON <--> Proxomitron <--> IMON <--> Browser

    -hojtsy-
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi hojtsy!

    Thank you for clearing up the sequential versus parallel issue.

    Mele20 suggests Proxo comes first like this:
    Server <--> Firewall <--> Proxomitron <--> IMON <--> Browser

    You and P2K suggest it goes like this:
    Server <--> Firewall <--> IMON <--> Proxomitron <--> IMON <--> Browser

    Which is the order of filtering?
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That is the correct order - IMON will see the traffic before it reaches Proxomitron, however it will also scan the filtered traffic coming out of Proxomitron since it is checking port 8080 also.

    You should be able to remove port 8080 and avoid duplicating this filtering if you can be sure that 8080 is only going to be used for Proxomitron - however some websites may try causing your browser to connect via this port so for absolute safety, restrict your browser to ports 80 (HTTP) and 443 (HTTPS) with your firewall if you decide to do this.
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thanks Paranoid2000! :)

    It makes sense now.
     
  9. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    Hello folks!

    This is the correct order of events:
    Server <--> Firewall <--> IMON <--> Proxomitron <--> Firewall <--> IMON <--> Browser

    The browser sends a request to the proxy-server instead of sending it directly to the web-server. The proxy-server then sends a request to the actual web-server and sends the downloaded data back to the client. Both communications are HTTP, so the files get scanned twice.... once when downloaded by the proxy-server from the actual web-server and then a second time when downloaded by the client from the proxy-server.

    Fondant rearguards,
    Bandicoot. :D
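As an added illustration of the order Paranoid2000 and Bandicoot describe (example code written for this page, not code from the thread, from Eset or from Proxomitron), a small Python model of the port logic. It assumes IMON hooks HTTP connections by destination port, Proxomitron listens on 127.0.0.1:8080 and fetches from the web server on port 80; it shows the double scan, the single scan once 8080 is dropped from IMON's port list, and why the firewall must then confine the browser to ports 80/443.

```python
# Constructed model of the filtering chain discussed in the thread:
#   Browser -> Proxomitron (127.0.0.1:8080) -> web server (port 80)
# with IMON inspecting every HTTP connection whose destination port is in
# its monitored set. This is a model of the described behaviour, not the
# real products' code.

PROXOMITRON_PORT = 8080      # local port Proxomitron listens on (from the thread)
HTTP_PORT, HTTPS_PORT = 80, 443


class ImonModel:
    """Scans every HTTP connection whose destination port is in `ports`."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.scanned = []        # (port, payload) per scan performed

    def inspect(self, dst_port, payload):
        if dst_port in self.ports:
            self.scanned.append((dst_port, payload))
            return "scanned"
        return "passed"


def page_load_via_proxomitron(imon, payload="index.html"):
    """One page fetched through Proxomitron; returns how many times IMON scanned it."""
    before = len(imon.scanned)
    # Hop 1: Proxomitron downloads the page from the real web server (port 80).
    imon.inspect(HTTP_PORT, payload)
    # Hop 2: the browser downloads the filtered copy from Proxomitron (port 8080).
    imon.inspect(PROXOMITRON_PORT, payload)
    return len(imon.scanned) - before


def direct_connect(imon, firewall_ports, dst_port, payload="index.html"):
    """Browser connecting straight to a *remote* host on dst_port, bypassing Proxomitron.

    firewall_ports is the set of outbound ports the browser's firewall rule allows.
    Returns 'blocked', 'scanned' or 'unscanned'.
    """
    if dst_port not in firewall_ports:
        return "blocked"
    return "scanned" if imon.inspect(dst_port, payload) == "scanned" else "unscanned"


if __name__ == "__main__":
    default = ImonModel({HTTP_PORT, PROXOMITRON_PORT})   # IMON checks 80 and 8080
    trimmed = ImonModel({HTTP_PORT})                     # 8080 removed from IMON
    print("scans per page, 8080 monitored:    ", page_load_via_proxomitron(default))  # 2
    print("scans per page, 8080 not monitored:", page_load_via_proxomitron(trimmed))  # 1
    # The gap Paranoid2000 warns about: 8080 dropped from IMON but still open in the firewall.
    print(direct_connect(trimmed, {HTTP_PORT, HTTPS_PORT, PROXOMITRON_PORT}, 8080))  # unscanned
    print(direct_connect(trimmed, {HTTP_PORT, HTTPS_PORT}, 8080))                    # blocked
```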
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thank you Mr Coot, as helpful as ever :D

    Cheers :D
     
  11. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Thank you Bandicoot!
     
  12. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
    My sincere pleasure folks! I don't get on the forum that much coz I'm up to my ears along with all my colleagues in Support at Eset. We do our best to check posts and reply when we can. Must say a BIG thanks to Mr. Spear for being so prolific and active on this forum. What a nice man!..... despite what everybody else says about him. ;)

    Bandicoot :D
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    ROFLMAO, now where's me gun, there are varmints about, get that little rodent... ;)

    :D :cool: :D :cool: :D
     