Anti-virus / anti-malware without proxy
-
Hello, I'm coming from the SonicWall world, so bear with me. I've been reading on having some sort of antivirus/malware filtering done on my pfSense, but everything I've seen uses Squid and I have to configure my PCs' proxy for use. Is there a way to just have antivirus/malware enabled without having to change the computers on the LAN? With the SonicWall it was as simple as clicking a button, doing some config on what needed to be scanned and whether I wanted a landing page saying the file or site is infected, and voila.
Is there such a thing on pfSense?
-
@pjaneiro Snort or Suricata may help with that to some degree, but the only true AV package is ClamAV, which is part of Squid, and it's not exactly state of the art.
-
Unless you decrypt SSL (https) traffic on the firewall, how can an AV client scan anything and produce a meaningful result? If the datastream is encrypted (which nearly all web traffic is today), antivirus clients on the firewall, and even products such as Snort and Suricata, are severely limited since they can't "see" the encrypted payload content.
AV clients are, in my opinion, best deployed on endpoints such as PCs and Servers. As I've repeated many times here on the forum, end-to-end encryption is neutering IDS/IPS and virus scanning on perimeter security devices. The only exception is when you use MITM (Man-In-The-Middle) techniques to break the SSL chain. These techniques all come with their own unique headaches, though.
-
Consider:
@bmeeks said in Anti-virus / anti-malware without proxy:
Unless you decrypt SSL (https) traffic on the firewall, how can an AV client scan anything and produce a meaningful result?
So, how can:
@pjaneiro said in Anti-virus / anti-malware without proxy:
With the SonicWall it was as simple as clicking a button, doing some config on what needed to be scanned and whether I wanted a landing page saying the file or site is infected, and voila.
Is SonicWall using something comparable to what pfBlockerNG does?
That's 'just' DNS and IP filtering.
There are browsers out there that use their own DNS with DoT tricks, so they don't even use the local DNS (pfSense).
And then there are even admins that hand out "8.8.8.8" as the DNS for every LAN client ..... so they don't use the local DNS (pfSense) either.
What's finally left is: a list with 'known' bad IPs, just like in the dark ages. (And now enter IPv6 ... there is not enough RAM on planet earth to make these lists.)
And bear with me, I've never used SonicWall, so I should keep my mouth shut ...
Still, I'm sure: SonicWall can't break TLS, just as people can't survive without oxygen.
Or: does SonicWall have a click-of-a-button MITM trick?
-
Thanks for the reply. All the PCs have ESET and Malwarebytes installed. My reasoning for wanting what SonicWall has is that often, when my users were to download a WeTransfer file or click a link that was inserted in an email and that contained a trojan or whatever, SonicWall would display a landing page saying that their file was infected with such and such and the download was cancelled.
The file would never get the chance to hit the PC. I'm sure ESET or Malwarebytes would get it, but it's just extra security and peace of mind.
-
SonicWall has their own lists, maintained by them. I know that with the pfSense I am currently getting numerous false positives.
I've been having users complaining about no longer receiving emails. When I check my logs, I indeed get connection refused. What's odd is that, let's say someone external sent an email to 6 users within my org, some will pass, some not, yet the email comes from the same sender at the same time...
So for the moment I stopped pfBlocker.
The only list I am using is the Abuse Feodo Tracker.
-
@pjaneiro said in Anti-virus / anti-malware without proxy:
I've been having users complaining about no longer receiving emails. When I check my logs, I indeed get connection refused. What's odd is that, let's say someone external sent an email to 6 users within my org, some will pass, some not, yet the email comes from the same sender at the same time...
So for the moment I stopped pfBlocker.
Do you have mail servers 'behind' pfSense??
Or do these mail addresses belong to ordinary mail servers like Gmail, Yahoo, Hotmail, their ISP mail and everybody else?
pfSense, pfBlocker does not block the DNS => IP of these servers.
That is, I really presume that you did not choose a DNSBL list with these mail servers listed (idea: you shouldn't).
Just for the record: no one receives mail on their device: the device uses a mail app that pulls mail out of the mail box. This 'box' is situated at the mail server.
Or they use web access.
Some apps, like Gmail, actually 'poll' the server regularly, or even keep a connection open all the time, so they can get notified when new mail arrives in the box. It gives you the impression the mail is 'pushed' to you.
Keep in mind: pfBlocker, by itself, does nothing. It's the 'admin', like me and you, that picks lists, and these lists are often created and maintained by guys like you or me, or worse, my son, who also adds everything he can find concerning TikTok, Facebook, Snapchat. His list is not appreciated by everybody.
There is no such thing as a perfect DNSBL list: it all depends on your needs. The hunt for false positives is always open, as you've noticed.
When you do not receive a mail, this means it didn't show in the mail box. This means it never arrived, or the mail server discarded it.
A user not being able to connect to his mail box is not a 'mail' issue.
If POP or IMAP doesn't work, have them use their web access.
(And meanwhile you note down the IP of that user on your network, check the pfBlockerNG logs, and quickly remove the feed you're using that's blocking legit mail servers' addresses ... ;) )
@pjaneiro said in Anti-virus / anti-malware without proxy:
I indeed get connection refused
From whom? The mail server? In that case the issue is not your issue.
-
The mail server (Exchange 2019) is behind pfSense.
The way it's set up, my MX is pointing at DuoCircle (primary scanning and queue in case of server failure), then it sends it to my Exchange server.
If I enable pfBlocker, DuoCircle gives me connection refused (network error) on numerous emails. The odd part is......... the same IP on the pfBlocker will show as pass or fail. I do not use DNSBL, just IP.
In my pf logs, when I do add that IP to my pass list, the emails coming from that IP flow through.
Problem is..... there's a sh**** load of them....
I know.... gotta do it.