For Mikrotik staff
Please introduce a virus scanner on the router board soon.
This would be very useful. Maybe with an option to install it on a USB stick?
Do you think you could make this possible?
What would be the use for that?
To provide a safe network for mobile phones etc.
There are already routers on the market with built-in virus security.
But I want to stay with Mikrotik routers.
iPhones cannot run a virus scanner; they would also be protected if Mikrotik routers ran virus protection.
This would be a big asset for Mikrotik routers.
I’m willing to bet that these virus scanning routers are only slightly better than worthless at actually providing real security from stuff. What’s worse is when users are lulled into a false sense of security by such devices and they get malware anyway. Excluding the high-end gear, most Mikrotik routers are just powerful enough to act as packet filtering routers at broadband speeds. Adding deep packet inspection to these things would greatly impact their performance.
Similar thread to http://forum.mikrotik.com/t/add-print-server-printer-support/74629/62
We have a “problem” with IntrusDave’s excellent script to update the list of malicious IPs, as many routers do not have enough memory/disk.
Do we need a “Virus scanner micro edition” for RB941, a “Lite edition” for RB951, a “Full version” for … ?
Absolutely agree … and even the most powerful NGFW cannot inspect SSL/TLS encrypted packets anyway (without meddling with the cert store on each end-user device) …
It is a nice marketing trick to get you to buy their products; other than that it is mostly a waste of resources.
Just regularly update your OS - and never believe in snake oil aka virus scanner!
Or could Mikrotik make some feature to monitor and analyse connections to detect unusual traffic (e.g. a hacker stealing data)?
IDS/IPS is an area that requires lots of specific expertise and constant updates and being in sync with current threats in real time… or at least it does if you want to have a product/service which is actually effective. Mikrotik is not in that business. Any SOHO gear with “anti virus features included!” on the box is just trying to sell something. It would be like having some product that keeps your health in check and all it is is a bottle of vitamin C and some hand sanitizer.
Do you have a Mikrotik firewall script that protects the user from this malware?
There is no router firewall rule that’ll protect users from malware. Routers with AV built in often only do a signature based detection which has a low detection rate.
Computer malware protection should be done on the user’s device. If you use Windows 7/10 Pro Edition, check out Software Restriction Policies.
To protect your Mikrotik router from being hacked, change the admin login and set a firewall so users can’t try and connect to any unused services on the Mikrotik. Or turn those unused services off.
I don’t foresee Mikrotik adding a unified threat management system to their routers. I think that would be a difficult market to try and push into.
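A RouterOS configuration illustrating the hardening advice in the reply above (replace the default admin, switch off unused services, and fence off the router’s own input chain). This is an added example, not something posted in the thread; it assumes an interface list named `LAN`, the default LAN range `192.168.88.0/24`, management over WinBox (8291) and SSH (22), and a placeholder password.

```routeros
# Added example (not from the thread). Assumptions: interface list "LAN" exists,
# LAN is 192.168.88.0/24, management is WinBox (8291) + SSH (22), CHANGE_ME is a placeholder.

# 1. Create a named full-rights user and remove the well-known default "admin".
#    (Log in as the new user and verify it works before removing admin.)
/user add name=netadmin group=full password=CHANGE_ME
/user remove admin

# 2. Turn off management services that are not used; fewer listeners = less to probe.
#    Disabling "www" also disables WebFig, so keep it only if you rely on it.
/ip service disable telnet,ftp,www,api,api-ssl
# Limit the remaining services to the LAN address range.
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 3. Input chain (traffic to the router itself). Order matters: the final drop must be last.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop comment="drop invalid packets"
add chain=input protocol=icmp action=accept comment="allow ping for diagnostics"
add chain=input in-interface-list=LAN protocol=tcp dst-port=22,8291 action=accept comment="management from LAN only"
add chain=input action=drop comment="drop everything else aimed at the router"
```

Apply this from a console or WinBox session on the LAN so the final drop rule cannot lock you out, and check with `/ip firewall filter print` that the accept rules sit above it.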
As many said, encrypted traffic (which seems to be dominating the internet nowadays) is invisible to this vapourware-type feature. But similar issues may come up with compressed files, or archives with multiple layers of compression. And we barely touched the issue of overlapping fragments whatsoever, where normally the device just forwards packets as they are, and now we’d expect it to reconstruct the application-level payload and do some pattern matching there. This would require beefier CPUs and a lot more memory - not to mention how this could easily be misused by funny guys with 42.zip, gzip memory bombs, and similar decompression bombs.
There are many brand firewalls running this type of feature, for example Juniper’s SRX, but in most cases they only inspect HTTP traffic, and do the inspection based on URL/URI reputation, not actually scanning the payload [it can be done offline more efficiently]. Even if they do payload analysis, to keep a balance between resource requirements and throughput, they most likely employ HTTP trickling, where they do inspection while the traffic is forwarded, which can lead (quoting the original documentation: Warning: When enabling the trickling option, it is important to understand that trickling might send part of the file to the client during the antivirus scan. It is possible that some of the content could be received by the client and the client might become infected before the file is fully scanned.)
There are zillions of ways to infect a target host, and claiming that network-based antivirus is a solution to prevent this from happening is a bold lie. It’s like wrapping a Sherman/Tiger/T-34 tank in thin foil so it will be even more gunfire-resistant.
So, no, this is just vapourware in all aspects. And no, no traffic-forwarding network element should be messing with payload scanning, as it will have no context to fully evaluate whether the content is malicious or not. Relying on this as virus protection would be kind of reckless.
Thank you for the beautiful and clear explanation.
So it seems that this is a sales technique based on lies.