Antivirus without Clamav
-
Hi everyone, I have a question about antivirus: the customer wants to use antivirus on pfSense without using ClamAV. Is that possible?
Please help me and share your experience on this forum, guys.
-
pfSense is not like your phone or PC, where you can download files and install programs that you don't trust.
pfSense isn't used by someone who doesn't know sh*t about security, as it's only you. And admins are above all this. They don't download stuff 'on a firewall' if they are even slightly suspicious about what they download. So, no need to scan the pfSense 'FreeBSD' kernel ** for viruses, or any PHP or whatever other files.
When you download on your end-user device a file, a mail, a webpage, any content from the internet, the 'data' flows through pfSense. But, and here it comes: the data is encrypted with TLS.
One of the basic rules of TLS traffic is: the sender creates that data and encrypts it. Only your receiving device will be able to decrypt it. All the other devices on the data path through which the data flows (your ISP routers, other routers upstream, the cables, wires, radio links, satellite connections), everybody can see the bits but can't make anything out of them.
That is the one and only guarantee for privacy. This is what TLS is all about.
( you did know this, right ? )
You do not want this TLS to be intercepted and 'broken' so they (= you, me, the neighbor, your sister or the president ) can spy on you. If this were possible, the Internet, the world economy, and so on, would be over.

Is there, today, still data flowing through your pfSense that an antivirus can 'scan' ?
yep : DNS packets ! So go scan this : "www.facebook.com" ;)
Or the NTP protocol ? => "2024-10-08 12:14:15" ;)
I'm not sure if people still use non-TLS traffic for their web visit activities = 'http'; these sites don't exist anymore (I think).
Mail, same thing. Nobody retrieves mail anymore using port 110 or 143. It's all TLS these days.

This said, it is possible to do MITM.
To actually do this, you need to really understand what needs to be done, both on pfSense and on every end-user device implicated.
And the moment it works, you have to deal with it constantly, just to maintain the list of (sites) that are exceptional == don't allow you to do MITM.

And keep in mind: this isn't simple, because if it was, the CIA, KGB, and all other 3-letter agencies would do just that right now .... and we all presume *** : they can't.
** you still doubt ? Good point for you. Go build the kernel yourself, and now you'll be fine.
*** the ones who are not afraid to do some math can prove it to themselves.
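Gertjan's point about what an on-path device can and cannot read, as an added example that is not part of the original thread: the packets below are constructed inline, and the parsers show that a plain DNS query's name and a TLS ClientHello's SNI are readable from the wire, while an application_data record (content type 23) yields nothing without MITM.

```python
import struct
from typing import Optional

def build_dns_query(hostname: str) -> bytes:
    """Constructed plain DNS query (UDP/53): header, QNAME labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def dns_query_name(payload: bytes) -> str:
    """QNAME is plaintext: length-prefixed labels after the 12-byte header."""
    pos, labels = 12, []
    while payload[pos] != 0:
        length = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying only a server_name extension."""
    name = hostname.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni = struct.pack("!H", len(sni)) + sni                      # ServerNameList
    ext = b"\x00\x00" + struct.pack("!H", len(sni)) + sni        # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def client_hello_sni(record: bytes) -> Optional[str]:
    """The SNI hostname is what a ClientHello leaks in the clear; other record types give None."""
    if record[0] != 22 or record[5] != 1:                        # not a handshake / not ClientHello
        return None
    pos = 9 + 2 + 32                                             # skip headers, version, random
    pos += 1 + record[pos]                                       # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]       # cipher suites
    pos += 1 + record[pos]                                       # compression methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos < ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:                                        # server_name: list_len, type, name_len, name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None
```

Everything after the 5-byte header of a content-type-23 record is ciphertext, so the only decision a firewall can make on such traffic without intercepting TLS is based on the SNI, the IP addresses and the DNS lookups around it.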
-
@Gertjan said in Antivirus without Clamav:
CIA, KGB, and all other 3 letter agencies would do just that right now .... and we all presume *** : they can't
Why presume that?
I had assumed the opposite. Most states require the ability to monitor "bad" people, and many legislate or otherwise obtain back-door access (e.g. covertly require access to encryption codes, hosting trust servers, classified deep packet inspection, etc.).

While many people agree the ability for states to monitor "bad" people is useful, where it gets difficult is who is defining what makes someone "bad". The definition varies between regimes with political and religious perspectives.
-
Squid Proxy uses ClamAV, but it is for the traffic flows and for the web cache; to use it correctly you have to have it configured in SSL intercept mode. It is a resource hog. It works well, but for someone who uses 4GB RAM you need a swap partition, as running ClamAV, Snort, Squid etc. consumes memory. I use it and yes, occasionally it will stop something. But you have to know it's only because I utilize web caching. I over-analyze everything and make reports for weird stuff. Yes, it is a lot of work to configure correctly, but if it's done right it is amazing to see in action.
Back to your question: I can only run Clam, and it only scans web traffic and web cache partitions. This is separate from the firewall; the firewall itself has no ability to download anything unless an invasive container got into the web cache, and again I have download limits on what it can keep, for size ratios. So, for example, only Windows can have a higher ratio to hold updates for my accelerator use. Yes, it does content acceleration with dynamic updates; again, you need to configure it so only some trusted sites can hold 5GB updates, and the rest should have very small limits. It's a balance, right? Everything is. The question I would ask is what you want done. If it is just to scan the firewall and you don't use a web cache or IPS, there really is nothing downloading outside of Netgate updates. Again, never say it's invincible; it's more like a timed lock of how much effort and time is required to get past the firewall. Don't ever think stuff is 100 percent secure, nothing is; you can go find metasploits all day for vulnerabilities. It's more how long it can stay secure, in my eyes. What can I do to make it a more complex puzzle for an attacker?