HTTPS and HTTP with EICAR site?



  • Hello,

    I have 2.2.4 setup in a KVM environment (Squid and Squidguard in a transparent proxy setup without authentication). I have hardware performing SSL break and inspect (A10 Networks Thunder 1030S). I can successfully browse to http sites, and when I browse to https sites the SSL session is inspected and passed to the pfsense. When I visit 'black list sites' they are blocked. Victory…well not really.

    When I visit www.eicar.org and attempt to download the 'malware' using http clamav provides the requisite 'error' message; however, when I use https to download the 'malware' clamav does not inspect the download. What am I missing? Help.

    Thanks,

    James



  • SSL inspection in Squid, on which clamav relies.



  • Im no expert, but I was just testing clamav out on this. Im guessing traffic is passed from your A10 to pfsense "re-encrypted"? If so, clamav needs it to be decrypted to scan the https, so you'd have to use Squid's MITM feature to scan the https.

    Someone with more expertise can chime in here..



  • I checked and it is passing decrypted traffic. Has anyone tried to the perform SSL break and inspect with pfsense without using the native SSL MITM capability? Do I need to configure it with ICAP?