Antivirus
-
Hi, should I install antivirus such as ClamAV on my pfSense?
I am going to do this because I did not install antivirus on the clients.
Could you provide me a suggestion?
Thanks
-
@reynold If you install the Squid proxy server package it installs ClamAV for you. It is worth installing to see if it does what you want to achieve.
-
Unless you configure a full MITM (man-in-the-middle) setup to compensate for encrypted traffic such as HTTPS and POP3S/IMAPS (encrypted web traffic and email traffic), an anti-virus scanner on your firewall is close to useless. Scanning encrypted content in SSL web traffic and typical TLS email traffic doesn't work.
You can configure trusted CAs, and manually reconfigure your client web browsers and email clients to trust those custom CAs, but it's a lot of work with many bumps in the road.
Anti-virus protection is much better when deployed on the endpoint clients where encryption is no longer a problem. For example, pretty much all email traffic today is over TLS, so it's encrypted. An anti-virus scanner on your firewall can't look into the attachments of an email message as they flow by due to the encryption. So with no anti-virus protection on your endpoint client, when the user double-clicks that infected attachment on their PC, there is nothing to catch it and stop it.
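As an added illustration of the point above (not code from the original thread or from pfSense/ClamAV): a toy signature scanner that uses the public EICAR test string as its only signature and a random-keystream XOR as a stand-in for TLS. It shows that a scanner must decode the MIME attachment to match anything, and that once the message is encrypted on the wire only the endpoint, which holds the key, can scan it. All function names and the sample message are constructed for this example.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage

# The EICAR test string: the industry-standard harmless anti-virus test file.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Constructed, ClamAV-style signature table: name -> byte pattern.
SIGNATURES = {"Eicar-Test-Signature": EICAR}


def build_message() -> bytes:
    """Constructed sample mail carrying the EICAR file as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    return msg.as_bytes()


def scan_bytes(data: bytes) -> list[str]:
    """Raw pattern match on bytes exactly as they pass the firewall."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_message(raw: bytes) -> list[str]:
    """Decode every MIME part (base64 etc.) before matching, as a mail scanner does."""
    hits: list[str] = []
    for part in message_from_bytes(raw).walk():
        payload = part.get_payload(decode=True)  # None for multipart containers
        if payload:
            hits += scan_bytes(payload)
    return hits


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS: XOR with a one-time random keystream (same call decrypts)."""
    return bytes(a ^ b for a, b in zip(data, key))


def demo() -> dict[str, list[str]]:
    """Scan the same mail in the clear, on the encrypted wire, and on the endpoint."""
    raw = build_message()
    key = os.urandom(len(raw))        # session key known only to the two TLS peers
    wire = xor_stream(raw, key)        # what the firewall sees
    return {
        "plaintext_raw_bytes": scan_bytes(raw),     # base64 hides the pattern
        "plaintext_mime_decoded": scan_message(raw),  # a mail proxy in the clear catches it
        "encrypted_on_firewall": scan_message(wire),  # opaque without the key
        "decrypted_on_endpoint": scan_message(xor_stream(wire, key)),
    }
```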
-
And yes folks... That's why we use pfB instead of a man-in-the-middle setup.
Not saying that anti-virus protection on the client is useless, but pretty bored all day.
-
Thank you, I replaced my old firewall with pfSense. My old firewall had Bitdefender, and I noted pfSense does not have antivirus, so I thought that I had to install it.
But now I understand that it's pretty useless.
When you talk about full MITM with CA you mean DPI SSL Deep Packet Inspection of SSL traffic?
If yes, I need to install CA on every client.
Is it worth doing it?
I would like to try.
@noplan
What is pfB?
Do you mean pfBlocker? Thanks
-
@reynold said in Antivirus:
> But now I understand that it's pretty useless.
True statement for antivirus on a firewall, only working by a full "man in the middle attack".
> Is it worth doing it?
As far as I am concerned NO ... more trouble, more cost for IT and testing, than the costs of the antivirus product on the client you're trying to replace.
> Do you mean pfBlocker?
Yes ... but if you try, use the devel version!
br NP
-
I agree with @noplan. The hassle of setting up MITM and putting certs on all the clients (and maintaining the same) is more trouble than simply putting an AV client on the endpoints. If the endpoints are Windows boxes, just use the free Microsoft stuff. And there are certainly many paid options for AV.
A tool like pfBlockerNG-devel can also be helpful, but it requires some care in setting up the lists of IP addresses and domains to be blocked. Just blindly selecting a bunch of "bad IP Lists" to download and use is likely to cause you a lot of grief in the form of stuff breaking (web sites, streaming, etc.). Pick and choose carefully, and monitor things frequently so you can get ahead of any false-positive blocks.
-
> Pick and choose carefully, and monitor things frequently so you can get ahead of any false-positive blocks.
Yeeeep ... nothing to add here!
And because it's always coming up ... do not start with an IDS/IPS system.
Start with pfBlocker and keep in mind what @bmeeks mentioned.