HAVP + ClamAV: some thoughts on setting it up



  • For those of you who have been clamoring for an Antivirus solution for pfSense, the HAVP package is at least part of the solution.  HAVP is a virus-scanning HTTP proxy which uses ClamAV as its scanning engine.  Please note, this is ONLY for scanning HTTP traffic so those of you who want to scan any and all packets traversing your pfSense box, you're out of luck (and frankly, you're being unreasonable).

    The HAVP package is listed as broken right now because there are some issues with the GUI that make configuration a little difficult.  If you're willing to read the documentation on HAVP and manually edit the configuration file stored in /usr/local/etc/havp/ then you can get this tool up and working at least in a limited way.  Until we're able to correct the issues with the GUI, I don't recommend trying to get transparent mode working with HAVP.

    If you want to set up HAVP, a couple of things will be helpful to take into consideration.  The number of HAVP processes to run depends entirely on your network and your users.  I've been using squid+squidGuard for a long while and so I used a similar metric for HAVP processes that I've used with squidGuard redirectors.  For well-behaved workstations, allow approximately 5 HTTP connections per workstation.  If you allow your users to install garbage like WeatherBug, then not only should you have scorn heaped upon your head, but you should expect something more like 10-15 HTTP connections per workstation.  With that metric in mind, I initially set up 300 HAVP processes with a maximum number of servers set at 500.  My feeling was that each process would handle exactly 1 HTTP connection.  In retrospect, this was probably overkill for my network, but I had memory to spare on my pfSense boxes, so this wasn't a real problem.  Expect HAVP to use up a lot of memory and plan ahead.

    As I said before, the GUI is broken, and since I was merely testing this package, I didn't bother with transparent mode.  I had HAVP bind to my LAN interface on port 8080 and then manually configured HTTP proxy settings in a pool of workstations.  This solution works pretty well, although as a cautionary tale for anyone pushing out these configurations via an Active Directory Group Policy: ensure that you are not configuring your clients to use HAVP as an SSL proxy, or you'll break all SSL connections out of your network.  Also remember that other programs can benefit from using HAVP as a virus scanning proxy.  Specifically, many Instant Messaging programs allow you to configure HTTP proxy settings, which they will then use.  I can speak to the effectiveness of this with Yahoo Instant Messenger, and would be interested to see who else works this way.

    So far HAVP works exactly as advertised and I haven't noticed any real problems with web traffic except breakages with certain websites that have embedded video.  I suspect that whitelisting sites like this, assuming you want to allow them, will solve this problem, although I haven't messed around with this functionality yet.  Anyone else with input should post to this thread.



  • Thanks submicron for this post. The transparent part does not work yet, as the necessary pf rules are not yet done. I am working on that. Another problem with the current configuration is that if HAVP listens on the WAN interface, the pfSense box essentially becomes an open proxy. So please do configure HAVP to run on the LAN interface.  There are some more knobs that can be tweaked in the HAVP configuration which I am planning to add to the config page.

    You might also want to install the clamav package first and then the havp package. Similarly, while removing, remove havp first, then clamav. I have not yet figured out how to enforce this dependency rule with pfSense packaging.

    One more subtle issue that came up while I was working on this is to find a reliable way to remove the crontab entry for freshclam when clamav is removed. So you will have to manually remove the freshclam entry from crontab after uninstalling clamav.

    regards,

    raj



  • For those of you who want to utilize the blacklist/whitelist features, it works like a simple REGEX.  For instance, you can input a specific domain.com and the blacklist or whitelist will only affect specifically domain.com.  You can do *.domain.com to affect not just domain.com but www.domain.com and ftp.domain.com as well.

    Again, a cautionary note:  The rc script for starting and stopping HAVP is a little braindead.  I'm hacking together a more helpful one and will submit it to the author shortly.
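A small illustration of the matching rule described in the post above, as an added example rather than HAVP's own code: it reports which URLs would bypass ClamAV scanning under a constructed whitelist, assuming the semantics stated there (a bare host matches only itself, `*.domain` matches the domain and every subdomain) and a simple one-entry-per-line file with `#` comments, which is an assumption about HAVP's list syntax.

```python
import re
from urllib.parse import urlsplit

# Constructed sample list in the style the post describes. HAVP keeps its own
# whitelist/blacklist files under /usr/local/etc/havp/; the file name and the
# '#' comment syntax used here are assumptions, not HAVP's documented format.
SAMPLE_WHITELIST = """
# embedded-video sites that break behind the scanner
video.example.org
*.cdn-example.net
"""


def pattern_to_regex(pattern: str):
    """Turn one list entry into an anchored host regex."""
    pattern = pattern.strip().lower()
    if pattern.startswith("*."):
        # Zero or more leading labels, then the base domain. Anchoring at ^
        # stops a lookalike such as evilcdn-example.net matching *.cdn-example.net.
        return re.compile(r"^(?:[^.]+\.)*" + re.escape(pattern[2:]) + r"$")
    # Any other "*" is a plain wildcard; everything else is matched literally.
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


def load_patterns(text: str) -> list:
    """Parse list text, skipping blank lines and '#' comments."""
    return [pattern_to_regex(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def host_listed(url: str, patterns: list) -> bool:
    """True if the URL's host matches any entry, i.e. it would skip scanning."""
    host = (urlsplit(url).hostname or "").lower()
    return any(p.match(host) for p in patterns)


def bypass_report(urls: list, list_text: str) -> dict:
    """Map each URL to whether it bypasses the scanner under this whitelist."""
    patterns = load_patterns(list_text)
    return {u: host_listed(u, patterns) for u in urls}


if __name__ == "__main__":
    for url, skipped in bypass_report([
        "http://video.example.org/clip.mp4",
        "http://www.video.example.org/",     # exact entry does not cover this
        "https://ftp.cdn-example.net/file",
        "http://evilcdn-example.net/",       # lookalike, must still be scanned
    ], SAMPLE_WHITELIST).items():
        print(f"{'SKIP SCAN' if skipped else 'scan     '}  {url}")
```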



  • Thanks Submicron!

    raj



  • Updated HAVP, works with current ClamAV package. Should hit CVS any time now.

    raj

