How to scan network traffic for malware with your existing proxy server and a multiple antivirus engine scanner

John Smits
2013-11-22

    One way a network or workstation can become infected is by someone unknowingly downloading a malicious file from the internet. While they may think they are downloading an informative article or helpful new tool, there is a risk that it will actually be malicious code. One way to mitigate this risk is to use a proxy server that performs virus scanning of end user downloads using the ICAP protocol.

    Below are steps to help an IT admin set up virus scanning of downloads using ICAP. There is an assortment of proxy servers and virus scanners one can use to accomplish this, but in this example we will use Squid as the proxy server and Metascan ICAP, with its multiple antivirus engines, as the virus scanner.

    Installing Squid

    Prerequisites

    Before we begin, make sure gcc, openssl (including its development headers, which the SSL options below need at compile time), and libtool are installed on your Linux-based system. You can use the package manager that comes with your system (e.g. yum, apt, etc.) to install these tools.

    Download and Install Squid

    Download Squid using wget:
    wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.22.tar.gz
    Extract Squid and change into the source directory:
    tar zxvf squid-3.1.22.tar.gz
    cd squid-3.1.22
    Compile and install Squid with ICAP support (each step only runs if the previous one succeeded):
    ./configure --prefix=/usr/local/squid --enable-icap-client --enable-ssl --enable-ssl-crtd && make && make install

    Configure Squid

    Edit the Squid configuration file: /usr/local/squid/etc/squid.conf

    Modify or add the following Squid directives:

    acl localnet src 10.0.0.0/8
    http_access allow localnet
    http_access allow localhost
    icap_enable on
    icap_send_client_ip on
    icap_service metascan_req reqmod_precache bypass=0 icap://metascan.example.com:1344/OMSScanReq-AV
    adaptation_access metascan_req allow all
    icap_service metascan_resp respmod_precache bypass=0 icap://metascan.example.com:1344/OMSScanResp-AV
    adaptation_access metascan_resp allow all
    visible_hostname squid.example.com

    Change acl localnet src 10.0.0.0/8 so that it matches your network configuration; you can list several acl localnet lines to cover multiple ranges. Keep the default http_access deny all rule after these lines so that hosts outside your network cannot use the proxy as an open relay.
    Change the two icap_service URLs (metascan.example.com:1344/OMSScanReq-AV for reqmod and metascan.example.com:1344/OMSScanResp-AV for respmod) to the reqmod and respmod service addresses of your ICAP server. bypass=0 makes the scan mandatory: if the ICAP server is unreachable or fails, Squid returns an error to the client instead of passing the content through unscanned.
    Change squid.example.com to the hostname of your proxy server.
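With the configuration above, Squid wraps every HTTP response in an ICAP RESPMOD request and sends it to the scanner, which answers either "204 No Content" (leave it alone) or "200 OK" with a replacement HTTP response such as a block page. The following Python snippet is an added example, not code from the original post, from Squid or from OPSWAT: it builds a RESPMOD request the way Squid does (RFC 3507 framing: an Encapsulated header with byte offsets, a chunked body), parses a scanner reply into a verdict, and can send the request to a real ICAP server. The hostname, service path, ISTag values and the two sample replies are constructed placeholders, not captured Metascan traffic.

```python
"""Minimal ICAP RESPMOD client pieces (added example, not Squid/Metascan code)."""
import socket

ICAP_PORT = 1344  # standard ICAP port, as in the squid.conf above


def _chunk(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk plus the zero-length terminator.
    ICAP requires encapsulated bodies to use chunked transfer coding."""
    if not body:
        return b"0\r\n\r\n"
    return f"{len(body):x}\r\n".encode("ascii") + body + b"\r\n0\r\n\r\n"


def build_respmod_request(icap_host: str, service: str,
                          http_req_hdr: bytes, http_res_hdr: bytes,
                          body: bytes) -> bytes:
    """Build a RESPMOD request like the one Squid sends for each response.
    http_req_hdr / http_res_hdr must each end with the blank line (\\r\\n\\r\\n)
    that terminates HTTP headers; Encapsulated gives each section's offset."""
    encapsulated = (f"req-hdr=0, res-hdr={len(http_req_hdr)}, "
                    f"res-body={len(http_req_hdr) + len(http_res_hdr)}")
    icap_hdr = (
        f"RESPMOD icap://{icap_host}:{ICAP_PORT}/{service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        "Allow: 204\r\n"            # permit the cheap "unmodified" answer
        "Connection: close\r\n"     # so send_icap can read until EOF
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode("ascii")
    return icap_hdr + http_req_hdr + http_res_hdr + _chunk(body)


def parse_icap_response(raw: bytes) -> dict:
    """Turn the scanner's reply into a verdict.
    204 No Content -> content passed unmodified ("clean")
    200 OK         -> scanner replaced the response; the encapsulated HTTP
                      response that follows is usually a 403 block page
    anything else  -> error (with bypass=0, Squid then fails closed)"""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].decode("ascii").split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"icap_status": status, "istag": headers.get("istag"),
              "http_status": None, "verdict": "error"}
    if status == 204:
        result["verdict"] = "clean"
    elif status == 200 and encapsulated.startswith(b"HTTP/"):
        http_status_line = encapsulated.split(b"\r\n", 1)[0].decode("ascii")
        result["http_status"] = int(http_status_line.split(" ")[1])
        result["verdict"] = "blocked" if result["http_status"] >= 400 else "modified"
    return result


def send_icap(icap_host: str, payload: bytes, timeout: float = 10.0) -> bytes:
    """Send a raw ICAP request and read the reply until the server closes."""
    with socket.create_connection((icap_host, ICAP_PORT), timeout=timeout) as sock:
        sock.sendall(payload)
        parts = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            parts.append(data)
    return b"".join(parts)


# Constructed sample replies shaped like RFC 3507 responses (not captured traffic).
SAMPLE_CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "example-1"\r\n\r\n'
_BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
_BLOCK_BODY = b"<html><body>Malware detected by the antivirus scanner</body></html>"
SAMPLE_BLOCKED = (b'ICAP/1.0 200 OK\r\nISTag: "example-1"\r\n'
                  + f"Encapsulated: res-hdr=0, res-body={len(_BLOCK_HDR)}\r\n\r\n".encode("ascii")
                  + _BLOCK_HDR + _chunk(_BLOCK_BODY))

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("blocked", SAMPLE_BLOCKED)):
        print(name, parse_icap_response(sample))
    # To exercise a real scanner, build a request and pass it to send_icap:
    # reply = send_icap("metascan.example.com", build_respmod_request(...))
```

Because Squid only ever sees the ICAP status and the encapsulated response, this is also a convenient way to check a scanner's behaviour for a given file before putting it in front of users: a 204 means the bytes go to the client untouched, while a 200 carrying a 403 is what the browser displays as a block page.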
    Start the Service

    Finally we can start the proxy by running the following command:

    /usr/local/squid/sbin/squid

    Using Your Proxy

    Now that the proxy server is up and running we need to tell our endpoints to direct traffic to the proxy server.

    For Windows Computers

    We need to make our browsers use a proxy for internet connections. You can do this by following the steps below. You can also do this via Active Directory Group Policy.

    Open Control Panel
    Open Internet Options
    Go to the Connections tab
    Click the LAN settings button
    Check the Use a proxy server for your LAN box
    Enter your proxy server's IP/hostname for the Address
    Enter the port for your proxy server. Squid listens on 3128 by default.
    Check the Bypass proxy for local addresses box
    Click OK

    Time to test whether it works. Open your web browser and go to http://www.eicar.org/download/eicar.com.txt, the harmless EICAR antivirus test file. If the proxy shows you a block page instead of the file, your antivirus scanner has detected the test file.
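The browser check above is easy to misread once the setup is automated: a 200 with the test file intact means nothing scanned the download, while a 5xx from the proxy may just mean the ICAP server is down and bypass=0 made Squid fail closed. The script below is an added example (not part of the original post) that repeats the EICAR test through the proxy from the command line and classifies the outcome. PROXY_URL is an assumed placeholder for your own proxy; the EICAR URL is the one from the post. It matches only the first few bytes of the EICAR string so the script itself does not trip endpoint antivirus.

```python
"""Repeat the EICAR download test through the proxy (added example)."""
import urllib.error
import urllib.request

EICAR_URL = "http://www.eicar.org/download/eicar.com.txt"     # URL from the post
PROXY_URL = "http://squid.example.com:3128"   # assumption: your proxy, default Squid port
# The EICAR test string starts with these bytes; matching only the prefix keeps
# this file from being flagged by antivirus on the machine running it.
EICAR_PREFIX = b"X5O!P%@AP"


def classify(status: int, body: bytes) -> str:
    """Map the HTTP result for the EICAR URL to what it says about scanning.
    'unscanned'   : the test file arrived intact, so nothing scanned it
    'blocked'     : the proxy/scanner replaced the file with an error page
    'proxy_error' : 5xx, e.g. scanner unreachable and bypass=0 failed closed
    'unknown'     : anything else (redirect, captive portal, changed URL, ...)"""
    if body.startswith(EICAR_PREFIX):
        return "unscanned"
    if status >= 500:
        return "proxy_error"
    if status >= 400:
        return "blocked"
    return "unknown"


def fetch_via_proxy(url: str = EICAR_URL, proxy: str = PROXY_URL,
                    timeout: float = 15.0):
    """Fetch url through the given HTTP proxy and return (status, body).
    Error responses (403, 5xx) still carry a body, which classify() needs."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    status, body = fetch_via_proxy()
    print(f"HTTP {status}: {classify(status, body)}")
```

Run it from a client that is configured to use the proxy (or from anywhere, since it sets the proxy explicitly); "unscanned" means the ICAP service is not in the path for that request and the Squid configuration should be rechecked before relying on it.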

    Congratulations! You are now using a Squid proxy to scan all web-based downloads with multiple malware scanning engines with Metascan ICAP support.

    Performance

    You might think you need two very powerful hosts to run the proxy and Metascan ICAP services. Not true! Our two servers each have an Intel Xeon E5410 CPU (4 physical cores at 2.33 GHz). The proxy server has 8GB of RAM and the Metascan 4 server has 16GB of RAM. That's about the equivalent of a new desktop nowadays, bought from your neighborhood BestBuy or Costco. About 50 users go through the proxy every day, and its CPU load averages only 5% while memory usage averages 50%. The Metascan 4 server's CPU load averages 20% and its memory usage averages 13%. In short, you don't need two expensive powerhouse servers to run this system; you can run Metascan ICAP with a proxy on a low budget and with little IT overhead.

    The image below is a performance test we performed to show the file download speed of a computer with a proxy server, a proxy server in conjunction with Metascan ICAP and without a proxy server.