Messages - AlexV

#16
I followed all the steps, from uninstalling clamav to deleting the databases and reinstalling the package, but the creation of main.cvd continues to fail and it never manages to download it all.
I tried to copy the ClamAV db that I have on the OPNsense virtual machine and it seemed to be working, but today I have the service out of use again. I don't know what to do.

#17
Hi all,

I have the same problem on a fresh installation of OPNsense 20.

How can I resolve it?

I followed these steps but some procedures are missing.

What are the steps after downloading main.cvd (with wget)?
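
An added example, not from this thread: a sanity check for a manually downloaded .cvd before it is copied into the ClamAV database directory, to catch the truncated or partial downloads the posts above describe. It assumes the CVD header is the first 512 bytes of the file, laid out as `ClamAV-VDB:<build time>:<version>:<sigs>:<min flevel>:<md5>:<dsig>:<builder>:<stime>` with ':'-separated fields padded by spaces, and that /var/db/clamav is the database path (adjust for your install).

```python
"""Sanity-check a downloaded ClamAV .cvd header (added example, not from the thread).

Assumed header layout (first 512 bytes, ':'-separated, space padded):
  ClamAV-VDB:<build time>:<version>:<sigs>:<min flevel>:<md5>:<dsig>:<builder>:<stime>
"""
from dataclasses import dataclass
import sys

HEADER_LEN = 512
MAGIC = b"ClamAV-VDB:"


@dataclass
class CvdHeader:
    version: int
    signatures: int
    min_flevel: int   # functionality level the engine must support


def parse_cvd_header(data: bytes) -> CvdHeader:
    """Parse the fixed-size header; raise ValueError for anything that is not a CVD."""
    if not data.startswith(MAGIC):
        # A 404 page saved by wget, or a file cut off before the header, ends up here.
        raise ValueError("bad magic: not a ClamAV CVD (truncated download or HTML error page?)")
    fields = data[:HEADER_LEN].rstrip(b" \0").decode("ascii", "replace").split(":")
    if len(fields) < 5:
        raise ValueError("short CVD header: only %d fields" % len(fields))
    hdr = CvdHeader(version=int(fields[2]), signatures=int(fields[3]), min_flevel=int(fields[4]))
    if hdr.signatures <= 0:
        raise ValueError("CVD header claims no signatures")
    return hdr


def is_valid_cvd(data: bytes) -> bool:
    """Boolean wrapper used when only pass/fail is needed."""
    try:
        parse_cvd_header(data)
        return True
    except ValueError:
        return False


def check_cvd_file(path: str) -> CvdHeader:
    """Read only the header from disk; the caller decides whether to install the file."""
    with open(path, "rb") as fh:
        return parse_cvd_header(fh.read(HEADER_LEN))


# Constructed sample inputs (not real database files).
GOOD_SAMPLE = b"ClamAV-VDB:21 Mar 2022 10-15 -0400:62:6647427:90:X:Y:builder:1647872100".ljust(HEADER_LEN, b" ")
BAD_SAMPLE = b"<html><body>404 Not Found</body></html>\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        try:
            h = check_cvd_file(path)
            print("%s: version %d, %d signatures, needs flevel %d" % (path, h.version, h.signatures, h.min_flevel))
        except ValueError as err:
            print("%s: NOT OK, do not copy to /var/db/clamav (%s)" % (path, err))
```

Run it as `python3 cvdcheck.py main.cvd`; a file that fails here is the wget output to delete and fetch again, not something to copy into the database directory.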
#18
The thing I can tell you is to do things step by step.
Initially stay with the simple setup and then slowly you will configure everything.
It will take some time because they are complex products.

#19
General Discussion / Re: Feature Request Sandbox.
January 23, 2020, 06:39:17 PM
Quote: "Suricata and ClamAV have nothing to do with Sandbox. Sandboxing means the file is executed on a sandboxed system and the system calls are checked against anomalies"

I agree; not least, the integration between IPS, antivirus and sandbox is the best strategy to filter malicious traffic.
If a packet is judged malicious based on well-known signatures from the antivirus and the IPS, there is no need to forward it to the sandbox to test its behavior,
while a packet deemed safe by IPS and antivirus could still be 0-day malware.

In this case the sandbox allows detecting it, creating a new signature for IPS and AV and adding it to the current IPS and firewall rules.

In this way you have a system that works proactively.

Moreover, it is possible to limit the activity of the infected machine, for example by switching the network card off (via a client installed on the machine) or even switching off the switch port to which the machine is connected, but generally this is done by the NAC.
#20
General Discussion / Re: Feature Request Sandbox.
January 23, 2020, 04:30:08 PM
Yes, I mean this.

Yes, of course I am referring to an external sandbox; currently, however, it must be studied, because OPNsense has several malware detection methodologies, first of all Suricata and Squid + ClamAV.
The files to be sent to the sandbox are obviously those that have passed the first checks of Suricata and ClamAV.

In addition, a client is required to be installed on the machines to be defended, through which, if OPNsense realizes that it has sent a potentially infected file, it is possible to disable the network card.

The FortiGate sandbox works like this:
1) the files are examined by the IPS

2) the files are analyzed by the antivirus

3) if they pass these two checks the file is sent to the destination host, but a copy is sent to the sandbox that analyzes it

4) as soon as the sandbox has finished analyzing the file, it gives the response to the firewall

At this point, if the file is OK, everything ends there, but if the sandbox believes it to be a dangerous file, it tells the firewall, which disables the network connection of the host that downloaded it.
In addition, the firewall updates the antivirus and IPS signatures.
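
An added example, not from this thread and not FortiGate's or OPNsense's code: a small model of the four-step workflow described in the two posts above (IPS check, antivirus check, deliver-and-copy-to-sandbox, sandbox verdict). It shows the proactive effect the posts argue for: a malicious verdict adds a new AV signature, so the next copy of the same file is blocked at step 2, and the hosts that already received it are isolated. Signatures as SHA-256 hashes, the IPS as a byte-pattern match and isolation as a set of host names are simplifying assumptions.

```python
"""Model of the IPS -> AV -> sandbox feedback loop (added example, not vendor code)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Firewall:
    ips_patterns: list = field(default_factory=list)   # byte patterns the IPS blocks on (assumption)
    av_signatures: set = field(default_factory=set)    # SHA-256 of known-bad files (assumption)
    isolated_hosts: set = field(default_factory=set)   # hosts whose NIC / switch port is cut
    pending: dict = field(default_factory=dict)        # sandbox job id -> (sha256, hosts that got it)

    def inspect(self, content: bytes, dst_host: str) -> str:
        """Steps 1-3: 'blocked' (IPS or AV hit) or 'delivered' (copy queued for the sandbox)."""
        if any(p in content for p in self.ips_patterns):
            return "blocked"                              # step 1: IPS signature
        sha = hashlib.sha256(content).hexdigest()
        if sha in self.av_signatures:
            return "blocked"                              # step 2: AV signature
        job_id = "job-" + sha[:12]                        # step 3: deliver and copy to sandbox
        self.pending.setdefault(job_id, (sha, []))[1].append(dst_host)
        return "delivered"

    def sandbox_verdict(self, job_id: str, malicious: bool) -> None:
        """Step 4: the sandbox reports back; a bad verdict adds a signature and isolates the hosts."""
        sha, hosts = self.pending.pop(job_id)
        if malicious:
            self.av_signatures.add(sha)                   # firewall updates the AV signatures
            self.isolated_hosts.update(hosts)             # disable the downloading hosts' network


def demo() -> dict:
    """Two hosts download the same unknown file; the sandbox verdict arrives in between."""
    fw = Firewall(ips_patterns=[b"TEST-IPS-PATTERN"])      # constructed sample pattern
    sample = b"PK\x03\x04 constructed unknown file with no IPS or AV match"
    first = fw.inspect(sample, "host-a")                    # unknown: delivered, copy sandboxed
    job_id = next(iter(fw.pending))
    fw.sandbox_verdict(job_id, malicious=True)              # sandbox says: dangerous
    second = fw.inspect(sample, "host-b")                   # same file now blocked at step 2
    return {"first": first, "second": second, "isolated": sorted(fw.isolated_hosts),
            "ips_hit": fw.inspect(b"xx TEST-IPS-PATTERN xx", "host-c")}


if __name__ == "__main__":
    print(demo())
```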

#21
General Discussion / Feature Request Sandbox.
January 23, 2020, 02:20:34 PM
I was checking the new features of Fortinet firewalls, and I found a couple of things interesting: the first is the integration with a sandbox, which allows you to analyze the behavior of suspicious files even with 0-day viruses,
and the second is the intent-based segmentation and Zero Trust concept.

Check these videos for more detail:

https://www.youtube.com/watch?v=k6s6g3mTWW8

https://www.youtube.com/watch?v=J6217_AL4ps

https://www.youtube.com/watch?v=0dAx-44gC2I

#22
Hi all, in these days I have tested Sensei very well,
and after a period of intense testing I can say: wow, good work, and thanks to the team for the freeware release.

I work with every type of network device, from Nexus 7000 switches to ASR900 routers, and from ASA firewalls to Firepower, Check Point and Palo Alto, and I think that Sensei can reach the same level as these NGFWs.

I see that Sensei has some difficulties matching traffic when Squid is used on the firewall as a transparent proxy. In fact Sensei doesn't inspect the traffic directed to the Squid proxy port, or if it does there is some problem, because in this condition the web filtering doesn't work. Can you implement this feature?
Can I help you in some manner?
#23
Quote from: maxfranco on October 30, 2019, 04:32:24 PM
Same error for GeoTrust RSA CA 2018

The only way I found to solve the problem was to export the CA from Firefox, import it in Trust->Authorities and then restart Squid.
It would be really interesting to have the script mentioned by Sahbi :)

Can you explain to me how you did it? I have the same problem but I can't understand what steps I have to follow to import an existing certificate on OPNsense.
#24
Hi All,
I have used OPNsense since August 2019.
I have the firewall installed in a virtualized environment for testing purposes.
The firewall is configured in this manner:
Squid transparent proxy + ClamAV
Unbound DNS + DNSCrypt-Proxy
Suricata on WAN interface (ET Pro Telemetry)

I have also configured the captive portal (on another interface) (that emulates free WiFi access)
and configured IPsec and OpenVPN server.

I have installed Sensei but I see that with this configuration Sensei doesn't block any site, even those listed in App or Web or in a user-defined category.
I suppose that this behavior is determined by the Squid proxy or by the DNS configuration; is there a way to configure Sensei to work with this configuration?
For the moment I don't want to disable Squid or DNSCrypt-Proxy.
If this type of configuration isn't supported, is there hope that Sensei can support this in the future?

Best Regards

A.V.