Sam works as a Network Analyst for an algorithmic trading firm. He obtained his bachelor's degree in Information Technology from UMKC.
In this hub I'll be demonstrating how to configure a pfSense router to function as an anti-virus proxy using the HAVP package.
Anti-virus proxies act like traditional web proxies, except they scan all content passing through the proxy for virus or malware signatures. If the proxy identifies the content as malicious, the download is blocked and the client computer is redirected to an error page.
The biggest advantage of scanning for viruses directly on the router or gateway is that viruses can be blocked before they ever enter your network. This is especially useful for public networks, wireless hotspots, or other situations where you can't be sure all computers have an antivirus application installed.
Even though my computers all have antivirus programs installed, I like to add another layer of protection to my network, and HAVP works great for this.
Prerequisites for HAVP
If you've never installed pfSense before, check out the guide on how to install pfSense.
To get the HAVP package working, you need to already have a functioning transparent Squid proxy running on pfSense.
Installing the HAVP Package
To get started you'll need to install the HAVP package. Click on the packages menu item in the system menu to load the pfSense package manager. Locate the HAVP package and click the plus symbol on the right side of the package description to install it.
Once you have installed HAVP there are a few settings that need to be changed before it will function properly. Click on the antivirus entry in the services menu to access the HAVP settings.
Next, click on the HTTP proxy tab and check the first check box to enable the proxy. For the proxy mode setting, select parent for squid. With Squid set as the parent proxy, traffic will flow as indicated below:
Client <-> pfSense Gateway <-> Squid Proxy <-> HAVP <-> Internet
Make sure the proxy interface is set to LAN; the default port number will work fine. You will probably need to change the language setting, since English is not the default. The language you choose determines the language in which client error messages are displayed.
Next, scroll all the way down to the bottom and click the save button.
Automatic Definition Updates
To enable automatic updates of the virus definitions, click on the settings tab. I recommend setting the AV base update to occur every 24 hours. If you're really paranoid about zero-day threats you can set the updates to occur more often, although you will use more of your internet bandwidth if you do.
It's also a good idea to choose a regional download mirror that is located near you. Selecting a close mirror will allow the definitions to download much quicker.
If you're having trouble downloading updates, you can enable logging to help figure out what the problem is.
Checking the Status of the Services
At this point HAVP should be up and running. I like to check the status just to make sure all of the services started and the definition file was downloaded. On the HAVP general page you should see green arrows next to both the proxy service and the antivirus server.
In the version field you should see ClamAV followed by the date of the virus definition file you are using. If the file is out of date go to the settings tab and click the Update_AV button to manually start the update process.
Testing Virus Detection
If you want to see what your users will experience when they attempt to download a virus, you can download the EICAR virus test file from eicar.org.
The test file is not an actual virus. It contains a standardized signature that is used to test antivirus software.
If HAVP is working properly then you should be redirected to a page with an access denied message. If you don't see the warning page go back and check the status of the services on the main HAVP settings page.
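The same check can be scripted from a LAN client so it can be repeated after each configuration change. This is an added example, not part of the original article: the function name, the file path, and the EICAR_URL placeholder are assumptions, and it assumes the HAVP error page does not itself contain the marker text.

```shell
#!/bin/sh
# Added example: classify what a LAN client received when it requested the
# EICAR test file through the proxy chain (Squid -> HAVP).
# Save the response body first, over plain HTTP, for example:
#   curl -s -o /tmp/eicar_body "$EICAR_URL"
# EICAR_URL is a placeholder: use the plain-HTTP download link from eicar.org.

# Fixed marker text that appears inside the standard EICAR test file.
EICAR_MARKER='EICAR-STANDARD-ANTIVIRUS-TEST-FILE'

# havp_verdict FILE -> prints one verdict and sets the exit status:
#   BLOCKED        (0) a body came back without the marker (the error page)
#   PASSED-THROUGH (1) the test file reached the client unscanned
#   NO-RESPONSE    (2) nothing was saved (proxy down or request unanswered)
havp_verdict() {
    body=$1
    # A missing or empty file is a different failure from a missed detection:
    # it points at the services being stopped, not at the scanner.
    if [ ! -s "$body" ]; then
        echo "NO-RESPONSE"
        return 2
    fi
    # -F matches the marker literally, with no regex interpretation.
    if grep -q -F "$EICAR_MARKER" "$body"; then
        echo "PASSED-THROUGH"
        return 1
    fi
    echo "BLOCKED"
    return 0
}
```

A PASSED-THROUGH result means traffic is not reaching the scanner, while NO-RESPONSE points to the proxy or antivirus service being stopped.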
Customizing the Error Pages
To give your error pages a more professional look I recommend customizing the HTML pages, or even replacing them entirely. You can add your company name and logo, contact information for your IT department, or any other information that you think might be useful.
The HTML files for the default pages are located in /usr/local/share/examples/havp/templates. You can edit these files directly by connecting to the console with SSH, or you can use WinSCP to copy the files to another machine, edit them, and then replace the existing files.
Within the templates directory there is a folder for each of the supported languages. The language you select on the settings page will determine which HTML files will be used.
If you do decide to use your own HTML files you still need to use the same file names.
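Before copying edited pages back to the router, the file-name requirement can be checked with a short script. This is an added example, not part of the original article: the function name, the language folder name, and the staging directory in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: compare custom HAVP error pages with the stock templates.
# Usage (paths other than the templates directory are assumptions):
#   check_templates /usr/local/share/examples/havp/templates/en /tmp/custom_pages

# check_templates DEFAULT_DIR CUSTOM_DIR
# Prints "MISSING name" for each stock file that has no custom counterpart
# (or only an empty one) and "EXTRA name" for each custom file whose name
# matches no stock page. Returns 0 only when nothing is missing.
check_templates() {
    default_dir=$1
    custom_dir=$2
    missing=0
    for f in "$default_dir"/*; do
        [ -f "$f" ] || continue          # skip subfolders and empty globs
        name=${f##*/}                    # strip the directory part
        if [ ! -s "$custom_dir/$name" ]; then
            echo "MISSING $name"
            missing=1
        fi
    done
    for f in "$custom_dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ ! -f "$default_dir/$name" ]; then
            echo "EXTRA $name"
        fi
    done
    return $missing
}
```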
© 2011 Sam Kear
ada4u on December 25, 2018:
Also, this method only works for plain HTTP connections, not for HTTPS.
Sam Kear (author) from Kansas City on May 25, 2016:
The HAVP package is not present in pfSense 2.3. Antivirus support is now integrated in the Squid proxy server package via C-ICAP.
After installing Squid you'll notice there is an Antivirus tab in the Squid service settings package. This allows you to enable ClamAV antivirus scanning through the proxy.
Ben on May 25, 2016:
HAVP not listed in available updates on my pf system, there are however other packages showing available that are not shown on that screenshot... strange.
mrcharles on February 25, 2016:
Thank you very much for the writeup.
I have a problem. I followed your guide to set up Squid and HAVP. Unfortunately, the HAVP service remains stopped, and when I check the logs I get the error below. Kindly support me:
php-fpm: /antivirus.php: HAVP: RAMDisk not used. Diagnostic: system MB, available MB, calculated MB. Try reducing 'MAXSCANSIZE' value.
akinti kole on June 18, 2015:
Hi. Thanks for the information provided. I was able to install the HAVP successfully, but after some minutes of installation it disconnects itself and an error reads "read only/file/http/havp/". Please, what should I do?
zon on January 18, 2015:
It's old, look at the date in the picture.
Francois on November 09, 2013:
I like your solution. It's light, simple and efficient.
However, on my side, I never managed to install HAVP on my alix 2d13 (235MB of RAM available). Whatever the version of pfSense (2.0, 2.0.3, 2.1), I always had some bug (swap space, read-only /var, fresh clam bug, etc.).
Do you know if there exists a compact-flash image of pfSense with pre-installed HAVP?
karanik on August 07, 2013:
I have a problem with that. After seconds the squid service stops.
What is wrong?