OPNSense and ClamAV

[Superduke]

Hello all....new to OPNsense and migrated from the Merlin-based ASUS solutions.  So far loving the cool factor, although I'm far from a networking guru....

I got lots of ?s but I'll start with ClamAV.  I followed the guides and believe I have the Forward Proxy set correctly (as it was auto populated anyhow) but I can still DL the Eicar files....only thing stopping me is my client based solution (Sophos on Debian).

Not sure what's up....any help would be wonderful as I'm new to this....

I have other ?s as well regarding Unbound and Suricata but those can wait...lol   thanks in advance...

[mimugmail]

Because your browser forces https which is not scanned

[Superduke]

Thank you!  So in that case though, if all browsers are forcing to the https, is the only real value for incoming emails or such? 

[Vilhonator]

Thank you!  So in that case though, if all browsers are forcing to the https, is the only real value for incoming emails or such? 

No.

Few months (or years, can't remember), major browser providers or security companies decided that HTTP(s) connection should be primary connection for web browsing (which it has been quite a while now).

You still can make HTTP connections, you just have to manually type http:// at the start of the address (right click eicar link and choose copy link address and paste it on your browsers address field), or add :80 to the end off the TLD (top level domain, which are .com, .net .uk and so on)

Emails don't use HTTPs (message is sent in plain text on HTML or BBC format, which is why email clients don't automatically download images unless you have set them to trust the sender), so unless you and sender are using encryption keys, whole message and it's headers can be read by anyone who knows the user name and password.

Email encryption and how it actually works is something I know JACK SHIT, but I do know, that un-encrypted e-mail message is sent in plain text and sent through secure connection, but once it arrives to destination, there's no encryption and only thing preventing someone from reading your e-mail is either HTTPS traffic web mail server uses, or you not opening your e-mail and leaving it open un-attended (for example leaving your computer at school or work unlocked while going to toilet etc). Spyware of course is still able to record your mail and so forth, but when you use encryption (preferably a decryption key certificate), all that spyware sees is gibberish while you see the message in plain text.

[Superduke]

Thank you!  So in that case though, if all browsers are forcing to the https, is the only real value for incoming emails or such? 

No.

Few months (or years, can't remember), major browser providers or security companies decided that HTTP(s) connection should be primary connection for web browsing (which it has been quite a while now).

You still can make HTTP connections, you just have to manually type http:// at the start of the address (right click eicar link and choose copy link address and paste it on your browsers address field), or add :80 to the end off the TLD (top level domain, which are .com, .net .uk and so on)

Thanks very much!  This is great.  So if that's the case (https forcing, which is something even in my gross naivety knew...haha) then what real value is realtime ClamAV providing?  The odd ocassion that say some site may not be 's'.....since if damn near every site is 's' and someone (looking at wife and kids here) DLs something and that won't get scanned because it's an 's' site based file....what's the point?

I'm clearly missing something but enjoy the education!   

[fabian]

You can open the connection with an own intermediate certificate. Then the full traffic is readable again and can be filtered.

For the emails: There are S/MIME and GPG for E2E encryption. So the email is never readable by anyone else.


And for the increase of the encrypted traffic the cause is a massive violation of human rights  as well as a protection against man in the middle attacks.

[Vilhonator]

You can open the connection with an own intermediate certificate. Then the full traffic is readable again and can be filtered.

For the emails: There are S/MIME and GPG for E2E encryption. So the email is never readable by anyone else.


And for the increase of the encrypted traffic the cause is a massive violation of human rights  as well as a protection against man in the middle attacks.

Oh yea, forgot to mention that. Yes it is true that E-mail can't be read by anyone else but those who read it by login in webserver or having client which downloads the message from mail server. Whole traffic is encrypted, so that makes it impossible to read message thru wireshark type of prongrams (Packet caputrers), but the message itself is plain text (once you open it, it is shown in plain text on the screen), but once you download and store the mail to your device (which PoP3 does) it is stored on a mail format and any e-mail client can read it (tested out quite a few times with my gmail when I tried to get encryption working).

Kinda poor and simple way to hide e-mail message without using encryption, is to use hash like MD5, it is VERY poor since it can be decoded easilly with online tools (just copy 63a14d43e14187cbaf9119d926685641 go to https://md5hashing.net/hash/md5, paste it to decode box and you see what I means). Good way to prank students and type "wifi password is 63a14d43e14187cbaf9119d926685641" on blacboard xD, our clients bursted in laughing when they saw that (though they are math nuts, and didn't take too long to crack it out, since you can decipher it if you know the math equation formula)

[fabian]

You are wrong - in case of S/MIME or GPG the mail itself is encrypted so webmail will usually not even work. With both, the mail itself contains a blob of encrypted data, which is decrypted by an email client (thunderbird for example).
Your email will look like that: https://de.wikipedia.org/wiki/S/MIME#application/pkcs7-mime

Webmail usually does not have the keys required to decrypt the mails and also it is often not implemented.



Good web app for hash reverse lookups btw.: https://crackstation.net/

[Vilhonator]

You are wrong - in case of S/MIME or GPG the mail itself is encrypted so webmail will usually not even work. With both, the mail itself contains a blob of encrypted data, which is decrypted by an email client (thunderbird for example).
Your email will look like that: https://de.wikipedia.org/wiki/S/MIME#application/pkcs7-mime

Webmail usually does not have the keys required to decrypt the mails and also it is often not implemented.



Good web app for hash reverse lookups btw.: https://crackstation.net/

Maybe you misunderstood me.

Unless YOU MANUALLY setup encryption or use mail provider which encrypts data for you, anyone can read your mail as long as they know login credentials or get a chance to read it via YOUR DEVICE which REMEMBER login credentials and AUTOMATICALLY downloads them from the server.

If you setup keypair, compose message and choose "encrypt" option, then they can't read it.

Gmail, outlook and yahoo all are mail providers, which won't automatically encrypt your messages and require manual encryption

[Vilhonator]

Webmail usually does not have the keys required to decrypt the mails and also it is often not implemented.

Protonmail is one which does have encryption support on webmail itself, you just have to create them via settings and import certificate from other senders.

Anyway, point is. Regulary e-mail messages aren't encrypted, even with e-mail clients you have to create key certificates, store them on safe place and setup encryption to automtic if you want to use POP3 and make sure messages are encrypted.

Reason why it is set to manual, is because if you loose the key or forget the password for private key, even you won't be able to read it without using client, which has that private key stored

[Superduke]

Thanks all.....I think the topic deviated a bit to the email stream (I myself use Protonmail, through Thunderbird, the bridge works quite well!).

That said, I'm still a bit confused on the AV use on http(s) based stuff...since if Clam doesn't scan http(s) sites or files based on them, and most modern browsers force https then what value does Clam really provide....any thoughts?

[mimugmail]

Thanks all.....I think the topic deviated a bit to the email stream (I myself use Protonmail, through Thunderbird, the bridge works quite well!).

That said, I'm still a bit confused on the AV use on http(s) based stuff...since if Clam doesn't scan http(s) sites or files based on them, and most modern browsers force https then what value does Clam really provide....any thoughts?

Just to sum up a bit:

- breaking https in order to scan with clamav will make trouble with mobile apps and certificate pinning, but in general it works. just read the howto in opnsense docs
- also other vendors have the same problem, commercial ones implement a new tech called encrypted traffic analyses, but there is no open source solution
- in 2018 when clamav plugin arrived there were fewer problems with it, but that doesn't mean there's a reason to remove it now since it runs perfectly with rspamd
- it's a modular plugin, maybe there could be a use-case to bind it with nginx for scanning reverse proxy
- if you are concerned about client traffic, install local virus scanners, that's the usual thing in business everywhere