In association with heise online

Cascade

In addition to ClamAV and AVG, HAVP also supports the Linux versions of products from vendors such as Avast, F-Prot, Sophos, Kaspersky and Trend Micro. Although home users can obtain free scanners from Avast and F-Prot, these are desktop products that HAVP cannot drive directly. The proxy expects a scanner either to be linkable as a library (as ClamAV's libclamav is), to accept data on a local network port, or to listen on a Unix domain (IPC) socket; Avast, F-Prot, Sophos, Kaspersky and Trend Micro only offer such interfaces in their commercial products, for instance those for email gateways.

On-demand scanners from Avast and F-Prot could, in principle, be coupled to HAVP through a small intermediary program. That program would listen on a domain socket, accept the commands HAVP sends to a scanner socket, translate each into an invocation of the on-demand scanner, and return the scan result to HAVP over the same socket. Avast, for instance, has published the set of commands its scanners accept.
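What such an intermediary looks like, as an added example that is neither HAVP's nor any vendor's code: a shim that listens on a Unix domain socket, answers clamd-style `SCAN <path>` requests and gets its verdict by running a command-line scanner on the file. It assumes HAVP is pointed at the socket as if it were a clamd socket and that the request and reply lines follow the clamd format (`<path>: OK`, `<path>: <name> FOUND`, `<path>: <reason> ERROR`); the exit-code mapping, the argv template and the stand-in scanner (which merely looks for a constructed marker string, no AV engine is involved) are placeholders to be replaced by the real product's command set.

```python
"""Scanner-socket shim between HAVP and an on-demand command-line scanner."""
import os
import socket
import subprocess
import sys
import tempfile
import threading

# Assumed exit-code mapping; vendor scanners differ, so treat this as configuration.
CLEAN_CODES = {1}
INFECTED_CODES = {0}

# Constructed stand-in for a vendor CLI scanner: prints a "signature name" and
# exits 0 if the file contains MARKER, otherwise prints "clean" and exits 1.
MARKER = "CONSTRUCTED-TEST-MARKER"
STANDIN_SCANNER = [
    sys.executable, "-c",
    "import sys; d = open(sys.argv[1], 'rb').read(); "
    f"hit = b'{MARKER}' in d; print('{MARKER}' if hit else 'clean'); "
    "sys.exit(0 if hit else 1)",
    "{path}",                      # replaced with the file to scan
]


def command_scan(path, argv_template=STANDIN_SCANNER):
    """Scan one file. Returns None when clean, the signature name (last word of
    stdout) when infected, and raises on any other exit code so the caller can
    fail closed instead of assuming 'clean'."""
    argv = [arg.replace("{path}", path) for arg in argv_template]
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    if proc.returncode in CLEAN_CODES:
        return None
    if proc.returncode in INFECTED_CODES:
        words = proc.stdout.split()
        return words[-1] if words else "UNKNOWN"
    raise RuntimeError(f"scanner exit code {proc.returncode}")


def handle_request(line, scan_fn=command_scan):
    """Map one request line to one clamd-style reply line."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2 or parts[0] != "SCAN":
        return "UNKNOWN COMMAND\n"
    path = parts[1]
    if not os.path.isabs(path):            # never let the scanner guess a cwd
        return f"{path}: relative path refused ERROR\n"
    try:
        verdict = scan_fn(path)
    except Exception as exc:               # scanner missing, crashed, timed out
        return f"{path}: {exc} ERROR\n"
    return f"{path}: OK\n" if verdict is None else f"{path}: {verdict} FOUND\n"


def serve(sock_path, scan_fn=command_scan, stop=None, ready=None):
    """One request per connection on a Unix domain socket until 'stop' is set.
    The socket mode keeps other local users from feeding the shim requests."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    os.chmod(sock_path, 0o660)
    srv.listen(8)
    srv.settimeout(0.2)
    if ready is not None:
        ready.set()
    try:
        while stop is None or not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                data = b""
                while not data.endswith(b"\n"):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
                reply = handle_request(data.decode(errors="replace"), scan_fn)
                conn.sendall(reply.encode())
    finally:
        srv.close()
        os.unlink(sock_path)


def scan_via_socket(sock_path, path):
    """Client side, i.e. what HAVP would do for one downloaded file."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(sock_path)
        cli.sendall(f"SCAN {path}\n".encode())
        reply = b""
        while chunk := cli.recv(4096):
            reply += chunk
        return reply.decode()


def demo():
    """Round trip over a temporary socket with a clean and a 'marked' file;
    returns the two reply lines."""
    workdir = tempfile.mkdtemp()
    clean, bad = os.path.join(workdir, "clean.bin"), os.path.join(workdir, "bad.bin")
    with open(clean, "wb") as f:
        f.write(b"plain download\n")
    with open(bad, "wb") as f:
        f.write(b"... " + MARKER.encode() + b" ...\n")
    sock_path = os.path.join(workdir, "shim.sock")
    stop, ready = threading.Event(), threading.Event()
    thread = threading.Thread(target=serve, args=(sock_path, command_scan, stop, ready),
                              daemon=True)
    thread.start()
    ready.wait(timeout=5)
    try:
        return scan_via_socket(sock_path, clean), scan_via_socket(sock_path, bad)
    finally:
        stop.set()
        thread.join()


if __name__ == "__main__":
    for line in demo():
        print(line, end="")
```

Two choices matter more than the protocol details: a scanner failure is reported as ERROR rather than OK, so HAVP can refuse the download instead of passing an unscanned file, and the socket is created with group-only permissions, since anyone who can write to it can ask the scanner to read arbitrary local files.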

The more virus scanners are searching for malware, the greater the load on system resources. This shouldn't be a problem, however, since many server systems only run a web server or a file server such as Samba alongside the proxy. HAVP's developer, Christian Hilgers, also says that scanning times don't increase when several scanners are used, because the scanning processes run in parallel and browser requests are distributed across several proxy processes.

Fine tuning and limitations

HAVP doesn't currently support HTTPS, so it cannot inspect encrypted connections for malware: anything fetched over SSL passes through unscanned. Luckily, trojans and viruses have so far only been transmitted over SSL connections in special circumstances. Nor does HAVP act as a web cache; if caching is required, HAVP can be chained with a Squid caching proxy. HAVP does, however, offer numerous configuration options, and its configuration file is made largely self-explanatory by a comprehensive set of comments.

HAVP can also be used as a transparent proxy, which means it filters the HTTP traffic of browsers that have no proxy configured in their connection settings. In this case HAVP must run on a router at the network edge, where an iptables rule (or its equivalent) diverts incoming web traffic from port 80 to HAVP's port 8080. Sample iptables rules for this are available in various places. To enable this mode, the TRANSPARENT option in havp.config must be set to true.
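The router-side redirect described above, as an added example (not from the article or the HAVP project). It refuses to apply anything unless havp.config really has TRANSPARENT set to true, because in normal mode HAVP expects proxy-style requests with absolute URLs, not the origin-style requests that arrive via a redirect. The interface name, port, user and config path are assumed placeholders.

```sh
#!/bin/sh
# Transparent-mode setup for HAVP: check the config, then build (and with
# APPLY=1 apply) the iptables rule that diverts port 80 to HAVP's port.
LAN_IF="${LAN_IF:-eth1}"                        # assumed: interface facing the browsers
HAVP_PORT="${HAVP_PORT:-8080}"                  # PORT setting in havp.config
HAVP_USER="${HAVP_USER:-havp}"                  # USER setting in havp.config
HAVP_CONF="${HAVP_CONF:-/etc/havp/havp.config}"

# Return 0 only if an uncommented "TRANSPARENT true" line exists in the config.
havp_transparent_enabled() {
    grep -Eiq '^[[:space:]]*TRANSPARENT[[:space:]]+true' "$1"
}

# Router case from the article: browsers on $LAN_IF, HAVP on this machine.
# PREROUTING never sees packets generated by the router itself, so HAVP's own
# outbound fetches are not redirected back into HAVP.
redirect_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $HAVP_PORT"
}

# Browsers on the proxy host itself: hook nat OUTPUT instead, and exempt HAVP's
# own connections (matched by owner) to avoid an infinite redirect loop.
local_rules() {
    printf '%s\n' \
      "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $HAVP_USER -j REDIRECT --to-ports $HAVP_PORT"
}

apply_rules() {
    if ! havp_transparent_enabled "$HAVP_CONF"; then
        echo "refusing: TRANSPARENT is not true in $HAVP_CONF" >&2
        return 1
    fi
    redirect_rules | sh -x
}

# Without APPLY=1 the script only prints the rules it would run.
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    redirect_rules
    local_rules
fi
```

Run it once without `APPLY=1` to review the generated commands, then with `APPLY=1` as root on the router; the rules are not persistent and need to go into whatever your distribution uses to restore iptables at boot.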

HAVP supports URL blacklisting, which could, for example, be used to implement a rudimentary parental-control filter on a home network. HAVP also has settings for the maximum file size to scan, the keep-back buffer and whether to scan images. These allow users to iron out browsing glitches that occur because HAVP holds back a block of data until it has been scanned before handing it to the browser, which can cause ugly delays on sites such as YouTube. Alternatively, a site such as YouTube can be entered in HAVP's whitelist, which exempts responses from that site from scanning. This reduces latency, but it also slightly increases the risk, since nothing served by a whitelisted site is checked.

If you want HAVP's virus and DNS error pages to appear in a language other than English, the process is simple: to display them in German, for example, set the TEMPLATEPATH variable in the configuration file to /etc/havp/templates/de. The templates stored there can be customised to display the desired content in the desired form.
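The settings from the preceding paragraphs side by side, as an added excerpt of a havp.config and not configuration shipped by the HAVP project. The option names follow the stock havp.config (one `NAME value` per line); the values are assumptions for a proxy chained to a Squid cache on the same host, and each should be checked against the comments in your own file, which also documents the exact whitelist and blacklist syntax.

```text
# Where HAVP listens; assumed: only the local Squid talks to it
PORT 8080
BIND_ADDRESS 127.0.0.1

# HAVP does not cache, so hand requests on to a Squid parent (assumed at 3128)
PARENTPROXY 127.0.0.1
PARENTPORT 3128

# Only true on the router setup where iptables diverts port 80 to HAVP
TRANSPARENT false

# Glitch tuning: files above MAXSCANSIZE (bytes) are passed on unscanned,
# so lowering it is a deliberate trade-off; the keep-back settings bound how
# much data is held before the browser sees anything; images are skipped here
MAXSCANSIZE 5000000
KEEPBACKBUFFER 200000
KEEPBACKTIME 5
SCANIMAGES false

# Per-site exceptions; a whitelist entry such as *.youtube.com/* means nothing
# from that site is scanned, so keep the list short. Blacklisted sites are
# blocked outright (a rudimentary parental-control filter).
WHITELIST /etc/havp/whitelist
BLACKLIST /etc/havp/blacklist

# If a scanner fails, block the download rather than pass it through unscanned
FAILSCANERROR true

# German error pages
TEMPLATEPATH /etc/havp/templates/de
```

The two settings a practitioner should double-check after any tuning are MAXSCANSIZE and the whitelist: both are explicit decisions to let certain responses through without a scan, and they are easy to forget once the YouTube stutter is gone.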

While HAVP considerably improves defences against malware from the web, it is no miracle cure, because it ultimately relies on the AV vendors' signature updates, and those are becoming increasingly problematic. The first commandment of the internet therefore still applies: keep all your (web) applications up to date and keep your eyes open when surfing the net.

(dab)

Permalink: http://h-online.com/-1071574