Squid Proxy and antivirus update questions
-
Hello fellow Netgate community members,
I have fully completed hardware and software convergence; this official Netgate firewall runs great.
The system runs Snort IPS/IDS, Squid Proxy and content accelerator. SSL certificates are issued to all devices, URL guard is functional, WPAD and a full ACL list are in place, NTP is NATed, DNS requests are encrypted, and SMTP will only pull from approved servers that the firewall lists in aliases. It also runs dynamic caches of Windows updates and will replay them to other Windows 10 systems that need them. I have tested ClamAV; it will catch viruses sometimes and shows them in the logs, and lightsquid will run reports.
I cannot thank all the community members enough who have supported this firewall and helped me with my cyber security knowledge while I completed my degree.
I have one small question about something I have noticed with ClamAV updates. I have mine set to 1 every 8 hours; sometimes it fails and says socket refused every so often, and it will auto-recover on the next update. Is that something that requires more investigation?
-
@jonathanlee said in Squid Proxy and antivirus update questions:
I have one small question about something I have noticed with ClamAV updates. I have mine set to 1 every 8 hours; sometimes it fails and says socket refused every so often, and it will auto-recover on the next update. Is that something that requires more investigation?
Hi,
In general, ClamAV (update) server sockets are time- and request-number-limited, to avoid overloading due to a large number of queries...
(I can't remember the exact value, but Google will tell you.)
BTW:
On Ubuntu Focal, I request one update a day and it works fine.
Anyway, ClamAV can only scan HTTP traffic on the firewall, so it doesn't make much sense to update constantly, since the world is slowly becoming HTTPS.
-
Thanks for the reply,
I have SSL intercept running with security certificates installed on all the devices. Again, you are correct in that I was only able to catch the test virus on HTTP. My update is set to once every 8 hours only. Will the antivirus package ever update to include HTTPS? I was under the impression that once the local cache was running with SSL certificates it would scan HTTPS; however, it never adapted to that, and it still only scans HTTP.
It will block HTTPS with SquidGuard also. Do you recommend lowering it to one update over 24 hours?
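As an added example (not code from the thread, pfSense or ClamAV), a small Python check that groups freshclam-style log lines into update runs and separates an isolated, self-recovering failure like the one described above from a persistent one worth investigating. The log lines and the failure keywords are constructed assumptions, loosely modelled on freshclam's log format.

```python
from dataclasses import dataclass
# Constructed sample, loosely modelled on freshclam.log output (not taken from
# the thread's firewall): "<timestamp> -> <message>"; freshclam prefixes
# warnings with "^" and errors with "!". Run 2 shows the refused connection.
SAMPLE_LOG = """\
Mon Mar  7 00:00:01 2022 -> ClamAV update process started at Mon Mar  7 00:00:01 2022
Mon Mar  7 00:00:04 2022 -> daily.cld updated (version: 26480, sigs: 1982345)
Mon Mar  7 08:00:01 2022 -> ClamAV update process started at Mon Mar  7 08:00:01 2022
Mon Mar  7 08:00:02 2022 -> ^Can't download daily.cvd from https://database.clamav.net/daily.cvd: Connection refused
Mon Mar  7 08:00:02 2022 -> ^Update failed.
Mon Mar  7 16:00:01 2022 -> ClamAV update process started at Mon Mar  7 16:00:01 2022
Mon Mar  7 16:00:05 2022 -> daily.cld updated (version: 26481, sigs: 1982501)
"""

# Assumed keywords that mark a run as failed; other warnings are ignored.
FAILURE_MARKERS = ("update failed", "refused", "can't download")

@dataclass
class UpdateRun:
    started: str
    ok: bool = True

def parse_runs(log_text):
    """Group log lines into update runs and flag the ones that failed."""
    runs = []
    for line in log_text.splitlines():
        ts, sep, msg = line.partition(" -> ")
        if not sep:
            continue
        if msg.startswith("ClamAV update process started"):
            runs.append(UpdateRun(started=ts))
        elif runs and any(k in msg.lower() for k in FAILURE_MARKERS):
            runs[-1].ok = False
    return runs

def assess(runs, max_streak=1):
    """Return (longest streak of consecutive failures, verdict).
    An isolated failure the next run recovers from is the rate-limited
    behaviour the thread describes; anything more deserves a look."""
    longest = streak = 0
    for run in runs:
        streak = 0 if run.ok else streak + 1
        longest = max(longest, streak)
    failed = sum(not r.ok for r in runs)
    if failed == 0:
        return 0, ("healthy" if runs else "no runs")
    if longest <= max_streak and runs[-1].ok and failed * 2 < len(runs):
        return longest, "transient"
    return longest, "investigate"
```

Run it against a real freshclam log by passing the file contents to `parse_runs`; a "transient" verdict matches the behaviour described in the thread, while "investigate" means the host is not reaching the update mirror at all.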
-
@jonathanlee said in Squid Proxy and antivirus update questions:
Will the antivirus package ever update to include HTTPS?
That would be a big problem, because it would mean that HTTPS has been hacked...
Squid scans packets with an intermediate certificate for HTTPS...
So in this form and with this installation, "c-icap" will not see the inside of HTTPS packets in ClamAV.
-
@daddygo Could I not hand the firewall SSL certificate to the ClamAV antivirus software that is installed on the firewall's proxy? It seems like all it would need is an approved SSL certificate. Technically, the HTTPS encryption ends at my firewall, and the firewall starts issuing approved certificates, similar to Palo Alto. The antivirus signatures are already loaded on the firewall, so it would just perform the normal scans based on what signatures are loaded.
I will have to research more on the custom options listed on c-icap.
-
@jonathanlee said in Squid Proxy and antivirus update questions:
Could I not hand the firewall SSL certificate to the ClamAV antivirus software that is installed on the firewall's proxy?
ClamAV uses this when investigating "c-icap"; since this is an HTTP proxy, HTTPS is not an option...
By the way, many people fall in love with this option Squid - ClamAV, but I'll tell you that AV stuff running on firewalls doesn't make sense...
In this very dangerous IT world, host AV is the only solution, as it scans the traffic within the network, often the devil is not coming from the internet, but from the neighbour's machine with a pendrive, etc.
+++edit:
*"c-icap is an implementation of an ICAP server. It can be used with HTTP proxies that support the ICAP protocol to implement content adaptation and filtering services.
Most of the commercial HTTP proxies must support the ICAP protocol. The open source Squid 3.x proxy server supports it."* - from http://c-icap.sourceforge.net/