OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: guenti_r on October 02, 2021, 09:46:59 am

Title: Is Sensei able to block Malware?
Post by: guenti_r on October 02, 2021, 09:46:59 am
Hi,

I am evaluating Sensei.
For me, a very important feature is blocking known malware.
Everything works well, but downloading the EICAR test virus was not blocked by Sensei.
Is this normal?

Edit:
It seems Sensei does not block ANY Malware!
I am using the Home Edition, but it never blocks random Malware (it does not matter if HTTPS or HTTP).

Cheers
Title: Re: Is Sensei able to block Malware?
Post by: jclendineng on October 02, 2021, 11:59:16 am
It's not meant to block malware. That's what local AV is for on desktops, along with Suricata signature analysis. Sensei is a web filter. If you go to a known malware domain it will block if that option is selected; it absolutely is not meant to replace a virus scanner, or common sense. ClamAV in the OPNsense plugins section can do this as well, though it's ClamAV, so your mileage may vary. Hope this helps :)

Edit: ClamAV is probably not an option for a home user anyway; most (all) traffic should be SSL/HTTPS, meaning no visibility really unless you have a certificate you generate on all devices being filtered. Sensei or any web filter/DNS-based system can see the hostname/IP you go to but NOT the content; that's what is expected with SSL and is the point of it, so any SSL visibility appliance (Untangle has SSLV, ClamAV sniffs traffic, etc.) needs a server/client cert in order to decrypt traffic. That's not feasible at home with IoT devices, phones etc. Best you can do is block known malicious domains and teach people common sense web browsing + no torrents/warez and you won't get malware. Sensei has a wide range of options to block all of those things.
Title: Re: Is Sensei able to block Malware?
Post by: guenti_r on October 02, 2021, 12:38:32 pm
Not true.
From the Sunny Valley website:

Quote
Stop Threats in Real Time
Unlike basic internet traffic filtering firewalls, ZENARMOR from Sunny Valley Networks provides a powerful, enterprise-class content filtering engine that detects and blocks advanced malware as well as highly sophisticated threats.

Furthermore, in Policies, the settings say
Quote
Block Recent Malware/Phishing/Virus Outbreaks

So, what?
Is Sensei simply a collection of Blocklists (IP/DNS) with a nice GUI?
Title: Re: Is Sensei able to block Malware?
Post by: athurdent on October 02, 2021, 03:39:27 pm
Well, there is no SSL filtering; it is not implemented yet, and it comes with implications. E.g. apps like Skype that only trust their built-in CAs won't work if you try to fool them with your own CA.
So anything that is SSL will probably be either matched by a pattern or filtered by URL/DNS. There is no sandboxing either, but that also comes with implications, because the first sample usually goes through unless it's already known.
Other than that, blocking malicious content is working well, see my screenshot below. Blocking certain services and categories, too.

For anything that does not work, send feedback in a ticket to the friendly guys at Sunny Valley, they'll usually take care of problems very quickly. Only the best experiences with their support so far, very helpful, kudos go out to Salih and Murat!
Title: Re: Is Sensei able to block Malware?
Post by: guenti_r on October 04, 2021, 08:23:34 am
Already opened a ticket.
Wondering why no EICAR was detected (incl. HTTP, without -S!).
Evaluating Sensei for my home and maybe (if the malware detection works as advised(!)) for our customers.
Title: Re: Is Sensei able to block Malware?
Post by: almodovaris on October 04, 2021, 02:43:51 pm
What you don't understand is that it blocks malware through IP blocklists, website blacklists and suspicious internet activity. It does not decrypt your SSL/TLS communications; maybe that is scheduled for future versions.

So, it is not meant to replace your antivirus and antimalware, but only act as an internet filter against known sources of malware (like websites and IPs).

What home users use it for: blocking ads, phishing websites and porn.

What schools and businesses use it for: blocking unwanted websites (NSFW, scams and time wasters).

If you want a comparison: it is like Quad9 on steroids. Another comparison: ASUS AiProtection on steroids.

So, yeah, it does not detect EICAR because it isn't a virus scanner. It only blocks network and internet traffic which is characteristic of malware.
Title: Re: Is Sensei able to block Malware?
Post by: jclendineng on October 04, 2021, 04:36:05 pm
Quote
Already opened a ticket.
Wondering why no EICAR was detected (incl. HTTP, without -S!).
Evaluating Sensei for my home and maybe (if the malware detection works as advised(!)) for our customers.

I explained above, but if that's what you need, Sensei is not for you. That's not how AV/malware detection works... I would hire a new infosec team if that's their idea of protection! Sensei is an *IP*-based filtering service and works very well for that. If you need something for a business, you should go to an enterprise platform, especially if you need an SSLV. There are whole SSLV appliances dedicated to decrypting and scanning traffic, and as stated above, you need a common cert on all machines scanned. That's basic networking. Also, you should never use HTTP in a home OR enterprise setting! If the site you are going to doesn't auto-redirect to HTTPS, block it. Look into Untangle NG, it contains an SSLV app that would work for home/small business.
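The point made in the replies above (a hostname/IP filter sees where a client connects but not what it downloads over TLS, so an EICAR download over HTTPS cannot be matched on content) can be shown in a few lines. The following is an added illustration, not Sensei's or Sunny Valley's code: it builds a minimal TLS ClientHello, pulls the only hostname a passive filter gets (the SNI), and contrasts that with a plaintext HTTP request whose body is visible. The blocklist entry and the "known bad" byte pattern are constructed placeholders (not the EICAR string).

```python
import struct

BLOCKED_DOMAINS = {"malware.example"}                   # constructed sample, not from the thread
CONTENT_SIGNATURE = b"PLACEHOLDER-KNOWN-BAD-FILE-PATTERN"  # stand-in for an AV pattern, not EICAR

def build_client_hello(sni):
    """Build a minimal TLS 1.2 ClientHello record whose only extension is server_name."""
    host = sni.encode()
    sni_ext = struct.pack(">HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack(">HH", 0, len(sni_ext)) + sni_ext
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00" + struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def extract_sni(record):
    """Walk the ClientHello to server_name; after the handshake the stream is encrypted."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                  # session id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]    # cipher suites
    p += 1 + record[p]                                  # compression methods
    ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", record[p:p + 4])
        p += 4
        if etype == 0:                                  # server_name extension
            name_len = struct.unpack(">H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def http_request(host, path, body):
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode() + body

def filter_decision(packet):
    """Return (verdict, reason): hostname checks work for both; content match only on plaintext."""
    sni = extract_sni(packet)
    head, _, body = packet.partition(b"\r\n\r\n")
    host = sni or next((l.split(b":", 1)[1].strip().decode() for l in head.split(b"\r\n")
                        if l.lower().startswith(b"host:")), "")
    if host in BLOCKED_DOMAINS:
        return "block", "hostname on blocklist: " + host
    if sni is not None:
        return "allow", "TLS: hostname visible, payload opaque without a trusted CA on the client"
    if CONTENT_SIGNATURE in body:
        return "block", "plaintext body matched content signature"
    return "allow", "plaintext HTTP: nothing matched"
```

Run it against a plain-HTTP request carrying the placeholder pattern and the filter blocks on content; wrap the same transfer in TLS and only the SNI is left to decide on, which is exactly why a domain that is not on a list gets through.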