Scan Network Traffic Using a Proxy Server with Metadefender ICAP Server


One way a network or workstation can become infected is by someone unknowingly downloading a malicious file from the internet. While they may think they are downloading an informative article or helpful new tool, there is a risk that it will actually be malicious code. One way to mitigate this risk is to use a proxy server that performs anti-malware multi-scanning of end user downloads using the ICAP protocol.

Below are steps to help an IT admin set up virus scanning of downloads using ICAP. There are many proxy servers and virus scanners that can be combined to accomplish this; in this example we use Squid as the proxy server and Metadefender ICAP Server, which scans with multiple antivirus engines, as the virus scanner.

Installing Squid

Prerequisites

Before we begin, ensure that gcc, OpenSSL and libtool are installed on your Linux-based system. Use the package manager that comes with your distribution (e.g. yum or apt) to install them.

Download and Install Squid

Configure Squid

Edit the Squid configuration file: /usr/local/squid/etc/squid.conf

Modify or add the following Squid directives:

# Clients allowed to use the proxy; adjust to your own address ranges
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access allow localhost
# Hand requests and responses to Metadefender ICAP Server for scanning
icap_enable on
icap_send_client_ip on
# bypass=0 makes the ICAP service essential: if the ICAP server is unreachable,
# Squid returns an error page instead of passing the download through unscanned
icap_service metascan_req reqmod_precache bypass=0 icap://metascan.example.com:1344/OMSScanReq-AV
adaptation_access metascan_req allow all
# The respmod service points at the response-scanning endpoint (OMSScanResp-AV),
# not the reqmod one
icap_service metascan_resp respmod_precache bypass=0 icap://metascan.example.com:1344/OMSScanResp-AV
adaptation_access metascan_resp allow all
visible_hostname squid.example.com

  • Change acl localnet src 10.0.0.0/8 so that it matches your network configuration. You can have multiple entries of this directive.
  • Change the two icap:// URLs so that they point at the reqmod and respmod endpoints of your Metadefender ICAP Server.
  • Change squid.example.com to the hostname of your proxy server.

Start the Service

Finally, start the proxy by running the following command:

/usr/local/squid/sbin/squid

Using Metadefender ICAP Server

Now that the proxy server is up and running we need to tell our endpoints to direct traffic to the proxy server.

For Windows Computers

We need to make our browsers use a proxy for internet connections. You can do this by following the steps below. You can also do this via Active Directory Group Policy.

  1. Open Control Panel
  2. Open Internet Options
  3. Go to the Connections tab
  4. Click the LAN settings button
  5. Check the Use a proxy server for your LAN box
  6. Enter your proxy server's IP/hostname for the Address
  7. Enter the port for your proxy server. Squid uses 3128.
  8. Check the Bypass proxy for local addresses box
  9. Click OK

Time to test whether it works. Open your web browser and go to http://www.eicar.org/download/eicar.com.txt. If you see the following page, your antivirus scanner has detected a threat in that download.
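The browser test above exercises the whole chain at once. To check the ICAP side on its own, here is an added Python example (not code from the post or from OPSWAT) that wraps an HTTP response in an ICAP RESPMOD request, computes the Encapsulated offsets RFC 3507 requires, and reads the scanner's verdict: 204 means the download was passed through unmodified, 200 means the scanner replaced the response with its block page. The hostname metascan.example.com is the post's placeholder; the service path OMSScanResp-AV and any body you pass in are assumptions.

```python
import socket

def build_respmod(icap_host, service, url, status_line, body,
                  origin_host="www.example.com", port=1344):
    """Wrap an HTTP response in an ICAP RESPMOD request (RFC 3507).
    Encapsulated gives the byte offset of each part after the ICAP headers:
    req-hdr (original request), res-hdr (response headers), res-body."""
    req_hdr = f"GET {url} HTTP/1.1\r\nHost: {origin_host}\r\n\r\n".encode()
    res_hdr = (f"{status_line}\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    # The body travels in HTTP chunked coding, ended by a zero-length chunk.
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    enc = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    icap_hdr = (f"RESPMOD icap://{icap_host}:{port}/{service} ICAP/1.0\r\n"
                f"Host: {icap_host}\r\nAllow: 204\r\nConnection: close\r\n"
                f"Encapsulated: {enc}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + chunked

def parse_icap_status(response):
    """Return (status_code, headers) from an ICAP reply: 204 means the content
    passed unmodified (clean), 200 means the scanner replaced the response
    (this is how the block page reaches the browser)."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0" or not parts[1].isdigit():
        raise ValueError(f"not an ICAP/1.0 status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def scan_via_icap(icap_host, service, url, body, port=1344, timeout=15):
    """Send one RESPMOD request to a live ICAP server and return its verdict.
    Host and service path are the caller's (assumed values, see the lead-in)."""
    request = build_respmod(icap_host, service, url, "HTTP/1.1 200 OK", body, port=port)
    with socket.create_connection((icap_host, port), timeout=timeout) as sock:
        sock.sendall(request)
        reply = b""
        while chunk := sock.recv(65536):  # server closes after Connection: close
            reply += chunk
    return parse_icap_status(reply)
```

Calling scan_via_icap("metascan.example.com", "OMSScanResp-AV", url, body) with the EICAR test file as the body should return 200 from a working scanner, while a clean body returns 204.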

Congratulations! You are now using a Squid proxy to scan all web-based downloads with the multiple anti-malware engines behind Metadefender ICAP Server.

Performance

You might think you need two very powerful hosts to run the proxy and Metadefender ICAP Server. Not true! Our two servers each have an Intel Xeon E5410 CPU (4 physical cores at 2.33 GHz). The proxy server has 8GB of RAM and the Metadefender Core 4 server has 16GB of RAM. That's about the equivalent of a new desktop nowadays, bought from your neighborhood Best Buy or Costco. We have about 50 users using the proxy every day, and the CPU load averages only 5% while memory usage averages 50%. The Metadefender Core 4 server's CPU load averages 20% and memory usage averages 13%. What we're saying is that you don't need two expensive powerhouse servers to run this system. You can run Metadefender ICAP Server with a proxy on a low budget and with little IT overhead.

The image below shows a performance test we ran to compare the file download speed of a computer in three configurations: without a proxy server, with the proxy server alone, and with the proxy server in conjunction with Metadefender ICAP Server.
