Your SquidGuard blacklist & Clamav configuration? How to optimize settings?

MrGlasspoole · Feb 17, 2015, 9:26 AM

I did ask that already in another Squid/SquidGuard thread but did not get a response.
So i try it in a separate thread.

Reason for Squid and SquidGuard for me was:
1. That i thought i can speed up websites if i block ads before they reach the clients.
But it seems that Adblock Plus works better.

2. Block ads and tracking for devices like phones, TVs, consoles…

3. Virus protection for phones, TVs, consoles...
But ClamAV really makes websites slow.

I run pfSense in Hyper-V 2012 R2 Core on a 3.6GHz Core i3-4160 and assigned 2GB to pfSense.
I did set:
Squid Memory cache size: 512
Squid Maximum object size in RAM: 128

Hard disk cache is off cause i was reading it does not help if you have fast internet and not much clients (5-10).

I have a 120 MBit/s internet connection and maybe upgrade to 200.

It would be nice to block/prevent:
Virus, Botnet, Malware, Adware, APT, Drive-By Download, Infectious, Espionage, hosts that perform IP tracking for media companies and associations like RIAA/MPAA

Ad the moment i use Malicious, Proxies and the USG Blacklist from squidblacklist.org
Is there a free alternative that is as good as squidblacklist.org or maybe a better one?

What are your clamav/icap configuration?
I'm not sure what files to scan and which not.
Do you scan pictures, videos, icons?

Would be nice to to experience how other handle that stuff.

MrGlasspoole · Mar 14, 2015, 5:02 PM

Really nobody?

I have the problem that for example streamcloud is not working over the proxy.
When videos start to load i get: Error loading media

For example: http://streamcloud.eu/v2egcmf4ojv7/itg-thewalkingdead-s05e11.mkv.html
Whitelisting streamcloud.eu does not help.

KOM · Mar 14, 2015, 6:19 PM

At work I use the Shallalist. It seems to work well enough for a lot of ads, but I think the client blockers like ABP are better. AV on the firewall makes it slow, and that's an area I would leave to the pros like Kaspersky or Eset. So, SquidGuard with ad blocking using Shallalist on the pfSense box, client is responsible for everything else.

darrenkdean · Mar 15, 2015, 12:59 AM

What is your maximum object size?

I am running PFBlocker, Snort, Squid with AV (transparent proxy for both HTTP & HTTPS), Squidguard with Shallalist on an Intel(R) Atom(TM) CPU D2500 @ 1.86GHz (Dual Core) with 4 GB of DDR RAM & a 60GB SSD. We have a 60 Mbps connection & are experiencing no slow down in page rendering or download speeds. Everything is functioning great. Squid proxy local cache settings are below.

These settings are reflective of the fact that we were interested in content filtering & virus scanning, but had very little interest in the proxy itself.

Maximum object size: 4
Memory cache size: 8
Maximum object size in RAM: 32
Memory replacement policy: Heap GDSF

Best-

Darren

MrGlasspoole · Apr 25, 2015, 4:40 PM

@KOM:

I think the client blockers like ABP are better. AV on the firewall makes it slow, and that's an area I would leave to the pros like Kaspersky or Eset.

I also think ABP is better because some sites don't work if you block the ad's and it's easier to temporarily disable ABP in your browser.
The reason for me to use ClamAV was that i want to protect devices where you can't install AV-Software or where i think AV-Software is to much - TVs, consoles, Android…
Everything today is connected to the web...

@darrenkdean:

What is your maximum object size?

My settings with 2GB RAM assigned to pfSense are:
Maximum object size: 4
Memory cache size: 512
Maximum object size in RAM: 128
Memory replacement policy: Heap GDSF

But i think it does not affect ClamAV?
I'm not interested in disk caching but use the RAM cache.
Still not sure if i can increase "Memory cache size" or "Maximum object size in RAM" cause i have problems interpreting this RRD Graph stuff (attachment).

I don't have the overall slowdowns anymore. Only sometimes if i download maybe a rar file.
I cues thats affected by "maxsize" in squidclamav.conf. If the file is bigger than it is not scanned…
The question is what is a good size here? Big files are scanned by the clients so from what small files comes risk that can affect TVs, consoles, Android, phones - if there any?

And the question still is i there is risk from files like pictures, videos, icons?

Does somebody use some of this settings:

# Do not scan images
#abort ^.*\.(ico|gif|png|jpg)$
#abortcontent ^image\/.*$

# Do not scan text files
#abort ^.*\.(css|xml|xsl|js|html|jsp)$
#abortcontent ^text\/.*$
#abortcontent ^application\/x-javascript$

# Do not scan streamed videos
#abortcontent ^video\/x-flv$
#abortcontent ^video\/mp4$

# Do not scan flash files
#abort ^.*\.swf$
#abortcontent ^application\/x-shockwave-flash$

# Do not scan sequence of framed Microsoft Media Server (MMS) data packets
#abortcontent ^.*application\/x-mms-framed.*$

# White list some sites
#whitelist .*\.clamav.net

I also realized i had a problem with the configuration page of one of my wlan access point until i put him to the whitelist.
Is local stuff from my ip range scanned/proxyd?