Using the HAVP anti-virus proxy to protect from web attacks

by Daniel Bachfeld

The free HAVP proxy, combined with free virus scanners for Linux, reduces the risk of falling prey to attacks when browsing the internet on a Windows PC. If you already have a Linux server, protection is only a few steps away.

When people say "two heads are better than one", they mean that one shouldn't handle critical tasks alone. This is also true for virus scanners; the greater the variety of scanners that examine a file or other internet content, the greater the chance of detecting a potential infection. However, it isn't a good idea to install and simultaneously run products by different vendors on a Windows system, because the products tend to interfere with each other and can even make a system unusable. A more appropriate solution is to externalise additional virus scans, for instance by using a separate virus scanner for the file server. A web proxy with integrated virus scanner can offer further protection, particularly for the PCs in a home network or small corporate network.

HTTP Anti-Virus Proxy (HAVP) is such a proxy, and it supports the integration of multiple parallel scanners including those that are completely free or available to home users free of charge. It only takes a few steps to have HAVP and additional scanners installed and ready for action on a current system such as Ubuntu 10.04.

The proxy goes between the web browser and the web server and initially deposits the transmitted data in a file on the hard disk. Then, HAVP submits the file path to the configured virus scanners and evaluates their analyses. If a virus is found, a preset virus warning is displayed instead of the requested web page or downloaded file.

Current versions of HAVP and the free ClamAV virus scanner are already available in the Ubuntu repositories, and the packages can also be found in the repositories of other Linux distributions such as Debian and Mandriva. openSUSE and Fedora don't offer a complete HAVP package, so the users of these distributions need to compile the source code themselves and then install the files manually.

In Ubuntu, ClamAV can simply be installed by opening a terminal and entering sudo apt-get install clamav and then manually running sudo freshclam once to update the signatures. Doing this means that the current signatures become available immediately; the service will download signature updates automatically once a day from then on. For the next step, install HAVP by running sudo apt-get install havp. Ubuntu will launch HAVP in the background, but with only a default configuration file. This file can be opened by running sudo nano /etc/havp/havp.config. To make HAVP accessible through the net and allow it to accept more than just local connections, the BIND_ADRESS 127.0.0.1 entry must be commented out with a hash sign (#) at the start of the line. Setting ENABLECLAMLIB to true tells HAVP that it can use the ClamAV scanner via the library function – other third-party scanners supported by HAVP listen on either TCP ports or on Unix domain sockets.

ClamAV detects the Eicar.org test Enter sudo /etc/init.d/havp restart to integrate the custom configuration into HAVP. To run a first test in your web browser, enter the address of the server as the proxy and 8080 as the port. Launching the test files at Eicar.org should now provoke a HAVP alert in the browser window, warning you that ClamAV has detected a virus. So far so good, but unfortunately the detection rates of ClamAV is relatively low compared to other scanners. Thankfully, version 0.91 of HAVP also supports the Linux version of the virus scanner by vendor AVG Technologies, which is freely available to home users and provides more respectable detection results.

Double decker

A tarball and other versions of the AVG scanner are available to download from free.avg.com/gb-en/download.prd-afl. As of writing, the current version file is avg85flx-r812-a3371. Using the command tar xfvz avg85flx-r812-a3371.i386.tar.gz unpacks the tarball into the avg85flx-r812-a3371.i386 subdirectory. To install the scanner, switch to this directory and start the setup routine using sudo ./install.sh. Simply respond to the all questions in the installation dialogue that follows, and then start the AVG service using sudo /etc/init.d/avgd start. AVG includes various additional services including avgscand, which listens on a TCP port, and avgupdate, which is a daily update service. As before with the ClamAV installation, manually run sudo avgupdate once to download the current signatures.

Now AVG and ClamAV detect the Eicar test file Now the HAVP configuration file needs to be modified again. Open the /etc/havp/havp.config file and set the ENABLEAVG option to true to tell HAVP that it should include the AVG scanner when processing requests. Then set the AVGSERVER option to 127.0.0.1 and the AVGPORT option to 54322; this will tell the proxy where to send the data. Restart HAVP via sudo /etc/init.d/havp restart to activate the new settings. After accessing the test files at Eicar.org, HAVP will present the findings from both ClamAV and AVG.