[NOOB] ClamAV doesn't ask for downloading signatures [SOLVED] => Full Re-Install

[MarieSophieSG]

Hi,
I've installed ClamAV, nothing to it, it's pretty straightforward and the GUI makes it very easy.

But it doesn.t show me the button "download signatures"

I've removed and re-installed, I've removed, reboot, reinstalled, etc ... to no avail, the button just never appear

How do I force this button to pop-up ?

I've added "https://database.clamav.net/main.cvd" in the "service / ClamAV / Configuration / Signatures"
Is that enough ? how do I know it has been downloaded and is operational ?

[MarieSophieSG]

And FreshClam daemon doesn't want to start (in "Services" I've clicked several times on restart")

[MarieSophieSG]

Am I supposed to install C-Icap as well, to use Clam, or is Clam (and Rspamd) runs standalone ?

I'm not using any local email anymore, all online, so no SMTP, no POP3, no IMAP

[Patrick M. Hausen]

The what are you trying to accomplish with ClamAV?

[MarieSophieSG]

The what are you trying to accomplish with ClamAV?

You are everywhere !

ClamAv is an antivirus, I'm just trying to set an antivirus gate in my traffic ... but since you ask, and I guess based on the information I provided about local email,  I'm wondering if I'm mistaken once again ?
Is ClamAV only for local file and not for in-traffic AV filtering ?
Then the same would apply for Rspamd, not an in-traffic filter
So then I don't need either ? (all my emails are e-to-e encrypted from the serveur, which has it's own AV/Spam filter)

Now that I'm writing this, I'm realizing how dumb it sound ... there is no virus in the traffic, only in files/applications/program codes, from emails.

No, wait no, it could, if I'm browsing and download (not in an email) an app that contains malware or such, then the AV should block it, right ?

[Patrick M. Hausen]

You can use it to filter email for viruses just like you can filter for spam with rspamd, but both require that you intercept and inspect the mails at the application level by using e.g. postfix as a mail relay.

Frequently this is implemented for corporate uplinks with fixed IP addresses. Inbound mail delivered to postfix on OPNsense, scanned and filtered, then forwarded to e.g. internal MS Exchange.

With web traffic it's similar. You need a web proxy intercepting and scanning all that traffic. There is no functional malware scanning of "the network".

[MarieSophieSG]

You can use it to filter email for viruses just like you can filter for spam with rspamd, but both require that you intercept and inspect the mails at the application level by using e.g. postfix as a mail relay.

Frequently this is implemented for corporate uplinks with fixed IP addresses. Inbound mail delivered to postfix on OPNsense, scanned and filtered, then forwarded to e.g. internal MS Exchange.

With web traffic it's similar. You need a web proxy intercepting and scanning all that traffic. There is no functional malware scanning of "the network".

Right, .. so that's where I need C-icap then ?

[Patrick M. Hausen]

You still need a proxy like squid (available as a plugin) to work together with icap. And then you need to configure all your end devices to use the proxy for "surfing".

Or you try and set up a transparent proxy which means breaking TLS encrypted connections in the middle, so you need to create your own CA (certification authority), have all devices trust that certificate, and squid will create certs for e.g. forum.opnsense.org on the fly to spoof your browsers.

This leads to a whole new bunch of problems with applications that use certificate pinning like online banking should etc. etc.
 
Every experienced admin I know including myself recommends strongly against it. The whole point of TLS is end to end confidentiality and integrity. Don't mess with it.

The consequence of course is that it is entirely impossible to scan traffic for malicious content.

You can still use AdGuard Home and blocklists (which I would recommend) or CrowdSec (which I also recommend) to block malicious hosts. Just not malicious content.

[MarieSophieSG]

You still need a proxy like squid (available as a plugin) to work together with icap. And then you need to configure all your end devices to use the proxy for "surfing".

Or you try and set up a transparent proxy which means breaking TLS encrypted connections in the middle, so you need to create your own CA (certification authority), have all devices trust that certificate, and squid will create certs for e.g. forum.opnsense.org on the fly to spoof your browsers.

This leads to a whole new bunch of problems with applications that use certificate pinning like online banking should etc. etc.
 
Every experienced admin I know including myself recommends strongly against it. The whole point of TLS is end to end confidentiality and integrity. Don't mess with it.

The consequence of course is that it is entirely impossible to scan traffic for malicious content.

You can still use AdGuard Home and blocklists (which I would recommend) or CrowdSec (which I also recommend) to block malicious hosts. Just not malicious content.

Well, I guess you knight saved another damzell today, I certainly don't want to break nor messup anything, I'm just going to remove clamAv and Rspamd alltogether and that will be it !

Just focus on the IDS and IPS (blocklist, all of them) and look into this AdGuard
And keep trying to set WireGuard up fro all my devices that can't host their own VPN

The descrition of this plugins is misleading though,
os-ClamAv (installed) Malicious traffic detection system (should be Malicious eMail or proxy traffic detection)
os-rspamd (installed) Protect your network from spam (should be Protect your emails network or proxy from spam)

Thank you very much, once again