
Using the HAVP anti-virus proxy to protect from web attacks - The H Secu... http://www.h-online.com/security/features/Using-the-HAVP-anti-virus-pr...

6 September 2010, 12:24

Using the HAVP anti-virus proxy to protect from web attacks

by Daniel Bachfeld
The free HAVP proxy, combined with free virus scanners for Linux, reduces the risk of falling prey to attacks when browsing the internet
on a Windows PC. If you already have a Linux server, protection is only a few steps away.

When people say "two heads are better than one", they mean that one shouldn't handle critical tasks alone. This is also true for virus scanners; the
greater the variety of scanners that examine a file or other internet content, the greater the chance of detecting a potential infection. However, it isn't
a good idea to install and simultaneously run products by different vendors on a Windows system, because the products tend to interfere with each
other and can even make a system unusable. A more appropriate solution is to externalise additional virus scans, for instance by using a separate
virus scanner for the file server. A web proxy with integrated virus scanner can offer further protection, particularly for the PCs in a home network or
small corporate network.

HTTP Anti-Virus Proxy[1] (HAVP) is such a proxy, and it supports the integration of multiple parallel scanners including those that are completely
free or available to home users free of charge. It only takes a few steps to have HAVP and additional scanners installed and ready for action on a
current system such as Ubuntu 10.04[2].

The proxy goes between the web browser and the web server and initially deposits the transmitted data in a file on the hard disk. Then, HAVP
submits the file path to the configured virus scanners and evaluates their analyses. If a virus is found, a preset virus warning is displayed instead of
the requested web page or downloaded file.

Current versions of HAVP and the free ClamAV[3] virus scanner are already available in the Ubuntu repositories, and the packages can also be
found in the repositories of other Linux distributions such as Debian and Mandriva. openSUSE and Fedora don't offer a complete HAVP package, so
the users of these distributions need to compile the source code themselves and then install the files manually.

In Ubuntu, ClamAV can simply be installed by opening a terminal and entering sudo apt-get install clamav and then manually running sudo
freshclam once to update the signatures. Doing this makes the current signatures available immediately; from then on the service downloads
signature updates automatically once a day. For the next step, install HAVP by running sudo apt-get install havp. Ubuntu will launch
HAVP in the background, but with only a default configuration file. This file can be opened by running sudo nano /etc/havp/havp.config. To make
HAVP reachable from the network and allow it to accept more than just local connections, the BIND_ADDRESS 127.0.0.1 entry must be commented
out with a hash sign (#) at the start of the line. Setting ENABLECLAMLIB to true tells HAVP that it can use the ClamAV scanner via the library
function – the other third-party scanners supported by HAVP listen either on TCP ports or on Unix domain sockets.

Enter sudo /etc/init.d/havp restart to make HAVP pick up the custom configuration. To run a first
test in your web browser, enter the address of the server as the proxy and 8080 as the port.
Downloading the test files at Eicar.org[4] should now provoke a HAVP alert in the browser window,
warning you that ClamAV has detected a virus. So far so good, but unfortunately the detection rate of
ClamAV is relatively low compared to other scanners. Thankfully, version 0.91 of HAVP also supports
the Linux version of the virus scanner by vendor AVG Technologies, which is freely available to home
users and provides more respectable detection results.

Double decker
A tarball and other versions of the AVG scanner are available to download from free.avg.com/gb-en/download.prd-afl[5]. As of writing, the
current version file is avg85flx-r812-a3371. The command tar xfvz avg85flx-r812-a3371.i386.tar.gz unpacks the tarball into the
avg85flx-r812-a3371.i386 subdirectory. To install the scanner, switch to this directory and start the setup routine
using sudo ./install.sh. Simply respond to all the questions in the installation dialogue that follows, and then start the AVG service using sudo
/etc/init.d/avgd start. AVG includes various additional services including avgscand, which listens on a TCP port, and avgupdate, which is a daily
update service. As before with the ClamAV installation, manually run sudo avgupdate once to download the current signatures.

[Figure: ClamAV detects the Eicar.org test file]

Now the HAVP configuration file needs to be modified again. Open the /etc/havp/havp.config file and
set the ENABLEAVG option to true to tell HAVP that it should include the AVG scanner when
processing requests. Then set the AVGSERVER option to 127.0.0.1 and the AVGPORT option to
54322; this will tell the proxy where to send the data. Restart HAVP via sudo /etc/init.d/havp
restart to activate the new settings. After accessing the test files at Eicar.org, HAVP will present the
findings from both ClamAV and AVG.
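The two rounds of edits to havp.config described above (comment out BIND_ADDRESS, enable clamlib, then add the AVG daemon) as an added, runnable shell example; this is not code from the article or from the HAVP project. The option names are the ones the article uses; the sample configuration the script writes is constructed for the example and is not the real package file.

```shell
#!/bin/sh
# Edits a copy of havp.config the way the article describes: comment out
# BIND_ADDRESS, enable ClamAV via clamlib, then point HAVP at avgscand.
# The sample file below is constructed for this example and is not the
# distribution's real /etc/havp/havp.config.

# Rewrite FILE in place through a temp file (portable, no 'sed -i').
rewrite() { sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }

# havp_set FILE KEY VALUE: replace an existing "KEY value" line, whether it
# is active or commented out with '#', or append the line if KEY is absent.
havp_set() {
    if grep -Eq "^#?[[:space:]]*$2[[:space:]]" "$1"; then
        rewrite "$1" "s|^#\{0,1\}[[:space:]]*$2[[:space:]].*|$2 $3|"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# havp_comment FILE KEY: put a '#' in front of an active "KEY value" line.
havp_comment() { rewrite "$1" "s|^\([[:space:]]*$2[[:space:]]\)|#\1|"; }

# havp_get FILE KEY: print the value of KEY if its line is active, else nothing.
havp_get() { awk -v k="$2" '$1 == k { print $2 }' "$1"; }

# The sequence of edits from the article, applied to one config file.
havp_configure() {
    havp_comment "$1" BIND_ADDRESS       # accept connections from the LAN
    havp_set "$1" ENABLECLAMLIB true     # scan with ClamAV through clamlib
    havp_set "$1" ENABLEAVG true         # also hand files to avgscand
    havp_set "$1" AVGSERVER 127.0.0.1    # where avgscand listens
    havp_set "$1" AVGPORT 54322
}

# Constructed sample config (a few lines in havp.config's KEY VALUE format).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not the real package file
PORT 8080
BIND_ADDRESS 127.0.0.1
ENABLECLAMLIB false
# ENABLEAVG false
EOF
}

demo=$(mktemp)
write_sample_config "$demo"
havp_configure "$demo"
cat "$demo"        # the edited file; on a real box restart havp afterwards
rm -f "$demo"
```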

[Figure: Now AVG and ClamAV detect the Eicar test file]

Cascade
In addition to ClamAV and AVG, HAVP also supports the Linux versions of products from such vendors as Avast, F-Prot, Sophos, Kaspersky and
Trend Micro. Although private users can obtain free scanners from Avast and F-Prot, these are desktop exclusives which don't work so well with
HAVP. The proxy expects that a scanner either supports the clamlib library, or it accepts data on a local network port or it listens on what is called a
Unix domain or IPC socket; however, Avast, F-Prot, Sophos, Kaspersky and Trend Micro only support this in their commercial products, for instance
in those for email gateways.

On-demand scanners by Avast and F-Prot could potentially be coupled with a domain socket through another program. The program would have to
accept the commands sent by HAVP through to a scanner socket and feed them to a specific on-demand scanner. Avast, for instance, has released
the set of commands supported by its scanners here[6]. The program would then return the scan results to HAVP through the scanner socket.

The higher the number of virus scanners searching for malware, the greater their pressure on system resources; however, this shouldn't present a
problem, as many server systems only run a web server or a file server such as Samba. The developer of HAVP, Christian Hilgers, also says that
scanning times don't increase when using multiple virus scanners because the scanning processes run in parallel and browser requests are shared
across several proxy processes.

Fine tuning and limitations

HAVP doesn't currently support https connections, which means that it doesn't inspect encrypted connections to look for malware transmissions.
Luckily, trojans and viruses have so far only been transmitted via secure SSL connections in special circumstances. Neither does HAVP serve as a
web cache; if this is required, you can link HAVP to a Squid caching proxy. HAVP does, however, offer various configuration options, and its
configuration file is made self-explanatory by a comprehensive set of comments.

Furthermore, HAVP can be used as a transparent proxy, meaning that it will also filter the http traffic of browsers which don't include a proxy in their
connection settings. In this case, however, HAVP must operate on a router system on the network edge where an iptables or similar rule diverts the
incoming web traffic from port 80 to port 8080. Samples of the required iptables rules are available[7] in various places. To enable this
configuration, the TRANSPARENT option in havp.config needs to be set to true.

HAVP supports URL blacklisting, which could, for example, be used for implementing a rudimentary parental control filter in a home network. HAVP
also has settings to determine maximum file sizes, maximum keep-back buffers and whether to scan images; these allow users to iron out browsing
glitches which may occur because of the way HAVP reads a set of data before handing it over to the browser. This can sometimes cause ugly
delays on sites such as YouTube. As an alternative, a site such as YouTube can be entered in HAVP's whitelist of sites which excludes responses by
that site from being scanned. While this may decrease potential latencies, it does also slightly increase the risks.

If you want HAVP's virus and DNS-error alerts displayed in a language other than English, the process is simple. For example, to
display alerts in German change the TEMPLATEPATH variable to /etc/havp/templates/de in the configuration file. The templates stored there can be
customised to display the desired content in the desired form.

While HAVP considerably improves defences against malware from the web, it isn't a miracle cure because it ultimately relies on the AV vendors'
signature updates, and these are becoming increasingly problematic. Therefore, the first commandment of the internet remains the same: keep all
your (web) applications current and keep your eyes open when surfing the net.

(dab[8])

URL of this article:
http://www.h-online.com/security/features/Using-the-HAVP-anti-virus-proxy-to-protect-from-web-attacks-1071574.html

Links in this Article:
[1] http://www.server-side.de/
[2] http://www.h-online.com/open/features/What-s-new-in-Ubuntu-10-04-LTS-982993.html
[3] http://www.clamav.net/lang/en/
[4] http://www.eicar.org/anti_virus_test_file.htm
[5] http://free.avg.com/gb-en/download.prd-afl
[6] http://public.avast.com/~cimbal/protocol.en.txt.new
[7] http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s5
[8] mailto:dab@heisec.de

Copyright © 2010 Heise Media UK Ltd.