HTTP Anti-Virus Proxy

Hi All,

Can any one tell me what should be the hardware configuration for configuring HAVP.
There are 250 user in my company, i have configured HAVP on Intel 1.8 GHz with 2GB RAM, antivurus used is AVG free edition.
After configuring havp (Squid-HAVP-Squid) internet access slows down, so i revert back every thing.

Please help me in this regards, thanks in advance.

Regards,
V11683

Hi v11683 and welcome in HAVP forum!

Your hardware should be enough! Have you seen your top status, while havp was running?
I can say, i made the same expirience with running havp in a sandwich, it slows down my requests, but it was acceptable. (I should say, i have no experience with AVG, my favorite is clamav.)
The question is, how much slows down your requests, if you are using havp in sandwich?

The other option is, to configure havp with this schematics: squid -> havp or havp -> squid, where i recommend to take squid -> havp as configuration.

Greetings, karesmakro

Thanks karesmakro for quick reply.
After configuring HAVP in sandwich, the internet access speed was down, which was not acceptable.

Well i will try, the option you suggested, but one query -
"How much clamav is good? I have tested one virus in many antivirus system, and every antivirus detected it except clamav, that's why i used AVG free edition."

Thanks, Vinod

My expirience about clamav is very good. I use it in much network areas without having problems to this day. When you made your tests, was this virus in archive? Did you used havp with your tests? Clamav needs the right options to for e.g. scan archives ...
Another option for clamav which i like is, you can use third party signature from sanesecurity ...
I know about some people, the use more then one virus scanner to protect there network.

What i might find interesting, could you post the relevant part of your squid configuration, which you used for sandwich?
As i said, i used a sandwich for about half a year with minimal loss of speed.

greetings, kare

Hi, Here i am attaching the Configuration file i have used, take a look at it.

I configured HAVP for both AVG as wll clamav, AVG was giving the result, while clamav didn't, even after downloading that perticular zip archieve, and after unzipping and directly scanning the infected file, clamav just saying OK after performing scanning.
For your reference, i tried to check the file downloaded from below link.

http://keygen.us/get.shtml?313152

Thanks, Vinod

My HAVP configuration:


Squid Configuration File

##################################
http_port 3128 transparent
http_port 127.0.0.1:8090

acl HAVP_PORT myport 8090
no_cache deny !HAVP_PORT
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default

always_direct allow SSL_ports
cache_peer_access 127.0.0.1 allow localhost
cache_peer_access localhost allow !SSL_ports
cache_peer_access localhost deny all

never_direct allow !SSL_ports
always_direct allow HAVP_PORT
always_direct deny all

#My ACL List

##################################

HAVP Configuration File

##################################
SERVERNUMBER 15
MAXSERVERS 50
PARENTPROXY 127.0.0.1
PARENTPORT 8090
PORT 8081
MAXSCANSIZE 10000000

##### AVG Socket Scanner

#ENABLEAVG false
ENABLEAVG true

# AVG daemon needs to run on the same server as HAVP
#
# Default:
# AVGSERVER 127.0.0.1
# AVGPORT 55555
##################################

This was my answer from havp about your test site:Access to the page has been denied because the following virus was detected ClamAV: MBL_100185.UNOFFICIAL (description)
This virus was found by third party signature.

Your configuration looks good to me.
Perhaps you should really try to take configuration squid -> havp to speed up your requests.

I have tried earlier to setup squid -> havp, but failed, can u plz send the configuration file.

Good to see that clam has detected it as Virus, Now, how can i integrate "third party signature" with my clamav antivirus.

Thanks, Vinod

Before you change your (sandwich) configuration, please test you old one with:
in havp:

and change squid configuration like my post (next to last thread):
http://havp.hege.li/forum/viewtopic.php?f=3&t=399
Note: this configuration options are for squid 2.6 and higher

squid -> havp configuration should be similar to described one, without PARENTPROXY in havp and the entries for second port of squid.

Third party description could be found on
http://www.sanesecurity.co.uk/clamav/

regards, kare

Have you changed avg.conf numOfDaemons ?

Some scanners free version was limited to only 2 concurrent scans, slowing everything down.. it might have been AVG, can't remember right now..

I have change my antivirus to clamav and also updated the third party signatures, and everything is working fine.

The problem with AVG was unavailability of AVG scan deamons.

Thanks to both for helping me a lot.

Regards,
Vinod

Hi Again,

The HAVP configuration was working fine for last 4 days, but today i am getting the error, clamd scanner not available.

I have checked, clamd service was not running, and as i started the service it gives below error:

service clamd start
Starting clamd: /bin/bash: line 1: 20535 File size limit exceeded/usr/sbin/clamd
[FAILED]


Please help me in this regard.

Thanks, Vinod

Hi,
you have to create a logrotate entry for clamd.log and all is fine!
Log file size could be set by following option in clamd.conf too:

wish a nice weekend.

greetings

I have already set the parameter to 100MB, and current log size of my clamd.log file is about 70MB.

Thanks, Vinod
Happy Weekends.

100MB is a little bit crazy. I recommend you to set this to 10M maximum.
Did you enabled debug mode? 70MB about 4 days is a little bit much!