
Cyber Resistance

Information Security Blog

PfSense HTTP AntiVirus Proxy

HTTP AntiVirus Proxy (HAVP) is a proxy with an anti-virus filter. It does not cache or filter content; instead it scans the entire incoming traffic stream for viruses. The main objectives of HAVP are continuous, non-blocking downloads and smooth scanning of dynamic and password-protected web pages.

HAVP’s virus check works by writing the data received from the server to a temporary file and placing a hard lock at the end of that file. A second forked process scans everything written so far, while the same data is forwarded to the client, so scanning starts as soon as the download does. You can define how much data is held back and delivered to the client only after scanning is complete. If the scanner is too slow and the file is larger than the defined “hold back data” buffer, part of an infected file can still reach the client. Moreover, if the file contains a virus and is bigger than the “hold back data” buffer, the download is cancelled without warning: once the first bytes of the file have been sent, HAVP can no longer replace the response with an error page and can only close the connection.
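To make the hold-back behaviour concrete, here is a small simulation of the decision logic described above. It is an added illustration written for this article, not HAVP source code: the file size, scanner speed, line rate and chunk size are constructed values, and the three results (“clean”, “blocked”, “aborted”) correspond to the cases the paragraph describes.

```python
"""Toy model of the hold-back streaming scan described above.

Added illustration written for this article; it is not HAVP source code.
The file, the scanner speed and the line rate are constructed values, and only
the decision logic from the text is modelled: data is forwarded to the client
as it arrives, except for the last `hold_back` bytes, which are released only
after the scanner has delivered its verdict.
"""
from dataclasses import dataclass

CHUNK = 1024  # bytes forwarded to the client per step (assumed value)


@dataclass
class Outcome:
    infected: bool
    bytes_delivered: int  # what the client actually received
    result: str           # "clean", "blocked" or "aborted"


def stream_with_holdback(size: int, hold_back: int, scan_seconds: float,
                         line_rate_bps: float, is_infected: bool) -> Outcome:
    """Simulate one download of `size` bytes through the proxy.

    hold_back     - the "hold back data" buffer in bytes
    scan_seconds  - time the scanner needs for the whole file (assumed)
    line_rate_bps - client download speed in bytes per second (assumed)
    is_infected   - the scanner's eventual verdict, fixed for the simulation
    """
    releasable = max(size - hold_back, 0)  # everything but the held-back tail
    delivered = 0
    elapsed = 0.0
    # Forward releasable data while the scanner is still busy.
    while delivered < releasable and elapsed < scan_seconds:
        step = min(CHUNK, releasable - delivered)
        delivered += step
        elapsed += step / line_rate_bps
    # The scanner has now reported.
    if not is_infected:
        # Tail released; the client receives the complete file.
        return Outcome(False, size, "clean")
    if delivered == 0:
        # Nothing has left the proxy, so the response can be replaced by an
        # error page: this is the "access denied" case.
        return Outcome(True, 0, "blocked")
    # Bytes are already on the wire (possibly including the malicious part);
    # the proxy can only close the connection, which the client sees as a
    # download cancelled without any message.
    return Outcome(True, delivered, "aborted")


if __name__ == "__main__":
    # Same 100 KB infected file, three hold-back settings, a 0.5 s scan at 100 KB/s.
    for hold_back in (200_000, 10_000, 0):
        o = stream_with_holdback(100_000, hold_back, 0.5, 100_000, True)
        print(f"hold_back={hold_back:>7}: {o.result:8} delivered={o.bytes_delivered}")
```

The model shows why the buffer size matters: a hold-back larger than the file, or a scanner that finishes before any releasable data has gone out, yields a clean block with an error page; anything else leaves the client with a truncated download and no explanation.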


Virus Check with HTTP AntiVirus Proxy: Installation and Configuration

Like all packages, installation of the HAVP virus check package is fairly easy. Just navigate to System -> Packages and scroll down to HAVP antivirus. Press the “plus” button to the right of the listing, and on the next page, click on the “Confirm” button. Installation of HAVP antivirus will take a few minutes.

Once HAVP antivirus is installed, there will be a new item on the “Services” menu called “Antivirus”. It has three tabs, “General Page”, “HTTP Proxy” and “Settings”, containing the relevant settings for the HAVP virus check. If you click on the “Settings” tab, you will find several parameters relevant to HAVP antivirus configuration. The “AV base update” dropdown box defines how often the antivirus database updates itself; you can choose intervals between 1 and 24 hours. The “Regional AV database update mirror” dropdown box lets you select the location of the update server, and you can specify additional servers in the “Optional AV database update servers” box. The “Log” check box enables logging; the “SysLog” check box additionally writes the log via syslog.

The second tab is “HTTP proxy”. Checking the “Enable” check box here enables the HTTP proxy to perform the virus check. The next setting is the “Proxy mode” dropdown box. If you select “Standard”, clients connect directly to the proxy port on the proxy interface. If you choose “Parent for Squid”, HAVP inserts itself between the Squid proxy and the WAN interface (Internet); if you have the Squid proxy installed, you probably want this option. “Transparent” causes HAVP to act as a parent for a transparent Squid proxy, while “Internal” causes HAVP to listen only on the loopback interface on the configured proxy port.

“Proxy interface(s)” lets you select one or more interfaces on which the proxy accepts client connections. Normally clients connect through the LAN interface, so you probably want to leave only “LAN” selected. “Proxy port” sets the port the proxy server listens on; it must be different from the Squid proxy port, and you can probably leave it at the default of 3125. Further down the page, you may want to change the “Language” in which the proxy displays error messages to users.


Most of the remaining “HTTP proxy” settings can remain unchanged, but a few are worth noting. “Max download size” lets you enter the maximum file download size in bytes. Be warned: downloads larger than this size will be blocked unless the URL is whitelisted. “Whitelist” specifies URLs that users can access without scanning, while “Blacklist” specifies URLs that will be blocked. “Enable RAM Disk” lets HAVP keep its temporary files on a RAM disk for faster scanning. The RAM disk size will be either 25 percent of the available system memory or 100 times the maximum scan file size, whichever is greater. “Scan max file size” lets you set a maximum file size for scanning, or no maximum at all. If you set a maximum, files larger than the limit pass through unscanned, so this setting trades security for performance. The “Scan images” check box scans image files, and “Scan media stream” scans audio/video streams. The “Log” check box enables logging.

Once you are done configuring the settings, press the “Save” button at the bottom of the page. To make sure the HAVP virus check is working, download the EICAR virus test file from eicar.org over plain HTTP (the proxy only inspects HTTP traffic). The test file is not an actual virus, but contains a standardized signature that antivirus programs recognize for testing. If the HAVP virus check is working properly, you should be redirected to a page with an access denied message instead of receiving the file.
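The EICAR check above can be scripted from a LAN client so it can be repeated after every configuration or signature change. The helper below is an added example for this article, not part of pfSense or HAVP. It assumes the proxy is reachable at http://192.168.1.1:3125 (the pfSense LAN address and the default proxy port from this article; adjust to your own), and it matches on the test file’s name text rather than embedding the full signature in the script.

```python
"""Check that the HAVP proxy blocks the EICAR test download.

Added helper for this article, not part of pfSense or HAVP. It fetches the
EICAR test file through the proxy and reports whether the signature reached
the client. The proxy address is an assumption: use the "Proxy interface" and
"Proxy port" you configured (default port 3125).
"""
import sys
import urllib.error
import urllib.request

# Plain HTTP on purpose: the proxy does not inspect HTTPS, so an https:// URL
# would bypass the scan and prove nothing.
EICAR_URL = "http://www.eicar.org/download/eicar.com"
# The test file's body contains this text; matching on it avoids embedding the
# complete 68-byte signature in this script.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def judge(status: int, body: bytes) -> str:
    """Classify what the client received.

    "delivered" - the signature reached the client: scanning is NOT working
    "blocked"   - an error status or an access denied page came back instead
    "unknown"   - a 200 without the signature (e.g. a redirect or captive page)
    """
    if EICAR_MARKER in body:
        return "delivered"
    if status != 200 or b"denied" in body.lower():
        return "blocked"
    return "unknown"


def fetch_via_proxy(proxy: str, url: str = EICAR_URL, timeout: float = 15.0):
    """Return (status, body) for `url` fetched through `proxy`, e.g. "http://192.168.1.1:3125"."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"http": proxy}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # A non-200 answer is what a working block looks like; keep its body
        # so the denied page can still be inspected.
        return err.code, err.read()


if __name__ == "__main__":
    proxy = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.1:3125"  # assumed
    status, body = fetch_via_proxy(proxy)
    verdict = judge(status, body)
    print(f"HTTP {status}: {verdict}")
    # Exit non-zero when the test file got through, so the check can run from cron.
    sys.exit(1 if verdict == "delivered" else 0)
```

Run it as `python3 check_havp.py http://192.168.1.1:3125` from a machine on the LAN; a “blocked” verdict confirms the scanner is in the path, while “delivered” means the client is talking to the Internet without the proxy or the scan is disabled.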

If you click on the “General Page” tab, you can see the HAVP dashboard. It shows which services are started, the update and scanner status, and which viruses, if any, have been found.

One additional caveat is that HAVP requires a fair amount of memory to work, and if it is enabled on pfSense systems that are towards the low end of pfSense’s memory requirements (e.g. 256 MB), pfSense may become slow and unresponsive. Ideally you should have at least 1 GB of RAM if you are running HAVP.


Cyber Resistance © 2017