How to Set Up an HTTP Anti-Virus Proxy Using pfSense and HAVP
In this hub I'll be demonstrating how to configure a pfSense router to function as an anti-virus proxy using the HAVP package.
Anti-virus proxies act like traditional web proxies except they scan all content passing through the proxy for virus or malware signatures. If the proxy identifies the content as malicious the download will be blocked and the client computer will be redirected to an error page.
The biggest advantage of scanning for viruses directly on the router or gateway is that viruses can be blocked before they ever enter your network. This feature is especially useful for public networks or wireless hotspots or other situations where you can't be sure all computers have an antivirus application installed.
Even though my computers all have antivirus programs installed, I like to add another layer of protection to my network; HAVP works great for this.
Prerequisites for HAVP
Installing the HAVP Package
To get started you'll need to install the HAVP package. Click on the packages menu item in the system menu to load the pfSense package manager. Locate the HAVP package and click the plus symbol on the right side of the package description to install it.
Once you have installed HAVP there are a few settings that need to be changed before it will function properly. Click on the antivirus entry in the services menu to access the HAVP settings.
Next click on the HTTP proxy tab and check the first check box to enable the proxy. For the proxy mode setting select "parent for squid". With Squid set as the parent proxy, traffic will flow as indicated below:
Client <-> pfSense Gateway <-> Squid Proxy <-> HAVP <-> Internet
Make sure the proxy interface is set to LAN; the default port number will work fine. You will probably need to change the language setting, since English is not the default. The language you choose determines which language the client error messages are displayed in.
Next scroll all the way down to the bottom and click the save button.
Automatic Definition Updates
To enable automatic updates of the virus definitions click on the settings tab. I recommend setting the AV base update to occur every 24 hours. If you're really worried about zero-day threats you can set the updates to occur more often, although you will use more of your internet bandwidth if you do.
It's also a good idea to choose a regional download mirror that is located near you; selecting a close mirror will allow the definitions to download much quicker.
If you're having trouble downloading updates you can enable logging to help figure out what the problem is.
Checking the Status of the Services
At this point HAVP should be up and running. I like to check the status just to make sure all of the services started and the definition file was downloaded. On the HAVP general page you should see green arrows next to both the proxy service and the antivirus server.
In the version field you should see ClamAV followed by the date of the virus definition file you are using. If the file is out of date go to the settings tab and click the Update_AV button to manually start the update process.
Testing Virus Detection
If you want to see what your users will experience when they attempt to download a virus you can download the EICAR virus test file from eicar.org.
The test file is not an actual virus; it contains a standardized signature that is used to test antivirus software.
If HAVP is working properly then you should be redirected to a page with an access denied message. If you don't see the warning page go back and check the status of the services on the main HAVP settings page.
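A small script to automate this check, added here as an example and not part of the original hub or the HAVP project. It requests the EICAR test file through the proxy and reports whether HAVP served its access-denied page or let the file through; the LAN address, proxy port, download URL and 403 status are assumptions to adjust for your setup.

```python
"""Verify that the HAVP proxy blocks the EICAR test file (added example)."""
import urllib.error
import urllib.request

# Distinctive marker present in the EICAR test file; if it reaches the client,
# the download was not scanned or not blocked.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

# Assumed values: pfSense LAN address and the default Squid proxy port.
PROXY = "http://192.168.1.1:3128"
# Assumed download location of the test file on eicar.org.
TEST_URL = "http://www.eicar.org/download/eicar.com"


def classify(status, body):
    """Classify a proxied response as 'passed', 'blocked' or 'unknown'."""
    if EICAR_MARKER in body:
        return "passed"      # test file arrived intact: scanning is not working
    # HAVP's error page carries an "access denied" message; a 403 status is
    # assumed here as the accompanying HTTP code.
    if status == 403 or b"access denied" in body.lower():
        return "blocked"
    return "unknown"         # neither the test file nor the block page


def fetch_via_proxy(url, proxy):
    """Fetch url through the given HTTP proxy, returning (status, body)."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy}))
    try:
        with opener.open(url, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # The block page is usually delivered with an error status; keep its body.
        return err.code, err.read()


if __name__ == "__main__":
    status, body = fetch_via_proxy(TEST_URL, PROXY)
    print("HAVP test result:", classify(status, body))
```

Run it from a LAN client; a result of "passed" means the proxy is not scanning downloads, and "unknown" usually means the request never reached HAVP at all.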
Customizing the Error Pages
To give your error pages a more professional look I recommend customizing the HTML pages, or even replacing them entirely. You can add your company name and logo, contact information for your IT department, or any other information that you think might be useful.
The HTML files for the default pages are located in /usr/local/share/examples/havp/templates. You can edit these files directly by connecting to the console with SSH, or you can use WinSCP to copy the files to another machine, edit them, and then replace the existing files.
Within the templates directory there is a folder for each of the supported languages. The language you select on the settings page will determine which HTML files will be used.
If you do decide to use your own HTML files you still need to use the same file names.
© 2011 Sam Kear