Tuesday, February 12, 2013

pfSense HAVP anti-virus for HTTP

In this post I will walk through the HAVP anti-virus package for pfSense.

Details
pfSense 2.0.1 release
FreeBSD 8.1

HAVP stands for HTTP AntiVirus Proxy. It is a package, available from the pfSense package repository, that puts a ClamAV scan in front of your HTTP downloads.

http://www.pfsense.org/

pfSense is a well-written and well-maintained open-source firewall that runs on most x86 platforms, with broad NIC, hardware and CPU support.


It is not meant to replace a Cisco ASA 5550 or a Juniper MX80, but it does a great job for a free open-source solution. Most SOHO/SMB outfits could save a fortune by investing in open-source networking such as Vyatta or pfSense.

HAVP is easy to install and set up; the whole thing takes about 10 minutes.

1st, get the package: System > Packages > Available Packages




2nd, after the package has installed, its configuration lives under Services > Antivirus.



3rd, in my opinion the best approach is to set up the AV database refresh and options first. Here you select the regional ClamAV mirror and the interval at which your AV signatures are refreshed.

I picked US with an interval of every 2 hours.

Depending on your security policy, you can increase or decrease that interval.

 
4th, configure the HTTP proxy. HAVP can run as a static (explicit) proxy, where every HTTP client has to be pointed at the proxy's address and port, or as a transparent proxy, where outbound port-80 traffic is intercepted with no client configuration at all. If you use the static proxy, add a LAN firewall rule that only allows HTTP out to the proxy and blocks direct port-80 traffic, so that clients cannot bypass the scan.







Note: don't forget to tick the Enable box.




5th, start both the ClamAV (clamd) and HAVP daemons. Be patient and give them some time to start; clamd has to load the whole signature database before it can accept scan requests.








6th, once started, you can monitor the logs, and the start buttons should now offer the option to stop the processes instead.



Finally, to test this, use a web browser or wget/curl on a client behind the proxy and grab these links over plain http://; HAVP only inspects unencrypted HTTP, so an https:// copy of the test file will pass through untouched:

http://www.eicar.org/download/eicar.com.txt
http://www.f-secure.com/virus-info/eicar.com

Instead of the file you should get HAVP's block page, and the detection should show up in the HAVP log.



You might want to leave logging enabled for a few days to confirm everything is working correctly.
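As an added example (not from the original post, and not part of the HAVP package), here is a small POSIX shell script that runs the checks above from a client behind the firewall: it fetches the two EICAR links through the proxy and expects the scan to strip the file, and in static-proxy mode it also tries a direct fetch to confirm the LAN firewall rule stops clients from bypassing HAVP. It assumes curl is installed on the client and that the proxy URL you pass is HAVP's listener, for example http://192.168.1.1:3125 (3125 is HAVP's default port; adjust it to your setup).

```shell
#!/bin/sh
# Added example, not part of the original post or the HAVP package:
# check from a client behind pfSense that (a) HAVP blocks the EICAR test
# file and (b) in static-proxy mode the LAN firewall rule stops clients
# from fetching it directly. Assumptions: curl is installed; the proxy URL
# given on the command line is HAVP's listener (default port 3125).

# ClamAV triggers on the full 68-byte EICAR file. Matching only this
# marker keeps the script itself from being quarantined.
EICAR_MARK='EICAR-STANDARD-ANTIVIRUS-TEST-FILE'

EICAR_URLS='http://www.eicar.org/download/eicar.com.txt
http://www.f-secure.com/virus-info/eicar.com'

# fetch URL PROXY OUTFILE: save the body, print the HTTP status code.
# An empty PROXY means a direct (or transparently intercepted) fetch.
# -m 15 keeps a firewall drop from hanging the test forever.
fetch() {
    if [ -n "$2" ]; then
        curl -sS -m 15 --proxy "$2" -o "$3" -w '%{http_code}' "$1"
    else
        curl -sS -m 15 -o "$3" -w '%{http_code}' "$1"
    fi
}

# eicar_reached_client FILE: 0 if the saved body still carries the marker
# (the file got through unscanned), 1 otherwise.
eicar_reached_client() {
    grep -q "$EICAR_MARK" "$1"
}

# classify FILE STATUS: prints delivered, unreachable or blocked.
classify() {
    if eicar_reached_client "$1"; then
        echo delivered
    elif [ "$2" = 000 ]; then
        echo unreachable          # no HTTP answer at all (dropped/refused)
    else
        echo blocked              # an answer came back without the file
    fi
}

# outcome URL PROXY: one fetch, one classification.
outcome() {
    body=$(mktemp)
    status=$(fetch "$1" "$2" "$body") || true   # curl still prints 000 on error
    [ -n "$status" ] || status=000
    classify "$body" "$status"
    rm -f "$body"
}

# scan_check URL PROXY LABEL: PASS only if the proxy answered and stripped the file.
scan_check() {
    case $(outcome "$1" "$2") in
        blocked)     echo "PASS [$3]: $1 was scanned and blocked"; return 0 ;;
        delivered)   echo "FAIL [$3]: $1 came through unscanned"; return 1 ;;
        unreachable) echo "FAIL [$3]: no HTTP answer for $1, is HAVP running?"; return 1 ;;
    esac
}

# bypass_check URL: a direct fetch must not deliver the file.
bypass_check() {
    if [ "$(outcome "$1" "")" = delivered ]; then
        echo "FAIL [bypass]: $1 fetched directly, add the LAN rule"; return 1
    fi
    echo "PASS [bypass]: direct fetch of $1 was stopped"; return 0
}

# Usage:  sh havp-check.sh http://192.168.1.1:3125   # static proxy
#         sh havp-check.sh transparent               # transparent mode
if [ $# -eq 1 ]; then
    rc=0
    for u in $EICAR_URLS; do
        if [ "$1" = transparent ]; then
            scan_check "$u" "" "transparent scan" || rc=1
        else
            scan_check "$u" "$1" "proxy scan" || rc=1
            bypass_check "$u" || rc=1
        fi
    done
    exit $rc
fi
```

A "FAIL [bypass]" line means port 80 is still open from the LAN directly, which is exactly the gap a static proxy leaves when the firewall rule from step 4 is missing; "FAIL [proxy scan] ... no HTTP answer" usually means clamd or HAVP is still loading (step 5) rather than a scanning problem.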



I hope this has been helpful.

Ken Felix
Freelance Network & Security Engineer
kfelix at hyperfeed dot com


