Posted by Stephen Kwong / November 21, 2013
One way a network or workstation can become infected is by someone unknowingly downloading a malicious file from the internet. While they may think they are downloading an informative article or a helpful new tool, there is a risk that it is actually malicious code. One way to mitigate this risk is to use a proxy server that performs anti-malware multi-scanning of end-user downloads over the ICAP protocol.
Below are steps to help an IT admin set up virus scanning of downloads using ICAP. An assortment of proxy servers and virus scanners can accomplish this; in this example we use Squid as the proxy server and Metadefender ICAP Server, with its multiple antivirus engines, as the virus scanner.
Before we begin, ensure gcc, OpenSSL, and libtool are installed on your Linux-based system. Use the package manager that comes with your system (e.g. yum, apt) to install them.
Download and Install Squid
- Download Squid using wget:
- Extract Squid:
  tar zxvf squid*
- Compile and install Squid with ICAP support (configure first, then run make as a separate command):
  ./configure --prefix /usr/local/squid --enable-icap-client --enable-ssl --enable-ssl-crtd
  make && make install
Edit the Squid configuration file: /usr/local/squid/etc/squid.conf
Modify or add the following Squid directives:
  acl localnet src 10.0.0.0/8
- Change acl localnet src 10.0.0.0/8 so that it matches your network configuration. You can have multiple entries of this directive, one per network range.
- Change metascan.example.com:1344/OMSScanReq-AV to the REQMOD and RESPMOD service URLs of your Metadefender ICAP Server.
- Change squid.example.com to the hostname of your proxy server.
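The squid.conf directives this section refers to, shown together as an added example (not the post's own listing and not vendor documentation): the client ACLs, the ICAP client settings, and the icap_service/adaptation_access pairs for REQMOD and RESPMOD on Squid 3.x. metascan.example.com, squid.example.com and the OMSScanReq-AV path are the placeholders the post uses; RESPMOD_SERVICE_PATH is a placeholder to replace with the RESPMOD path of your own Metadefender ICAP Server, and the second localnet range is a sample.

```conf
# squid.conf fragment for Squid 3.x acting as an ICAP client.
# Added example, not the post's own listing. Replace the placeholders below.
http_port 3128
visible_hostname squid.example.com

# Clients allowed to use the proxy; repeat the acl line per network range.
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# ICAP client settings: pass the client's identity to the scanner and let it
# decide on the first 1 KiB (preview) before the whole body is sent.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_preview_enable on
icap_preview_size 1024

# REQMOD: scan what clients send (e.g. POST bodies). bypass=0 fails closed:
# if the scanner is unreachable, Squid returns an error rather than skipping the scan.
icap_service scan_req reqmod_precache bypass=0 icap://metascan.example.com:1344/OMSScanReq-AV
adaptation_access scan_req allow all

# RESPMOD: scan server responses, i.e. what users download.
icap_service scan_resp respmod_precache bypass=0 icap://metascan.example.com:1344/RESPMOD_SERVICE_PATH
adaptation_access scan_resp allow all
```

Two points to keep in mind. First, bypass=0 (the default) makes Squid fail closed when the ICAP server is down; bypass=1 trades that for availability by passing unscanned traffic. Second, only plain-HTTP downloads reach RESPMOD with this configuration: HTTPS downloads travel through the CONNECT tunnel unscanned unless SSL bumping (the --enable-ssl-crtd build option from the compile step) is also configured. With the prefix used in the post, /usr/local/squid/sbin/squid -k parse checks the edited file for syntax errors and squid -k reconfigure reloads it.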
Start the Service
Finally, we can start the proxy by running the following command:
Using Metadefender ICAP Server
Now that the proxy server is up and running we need to tell our endpoints to direct traffic to the proxy server.
For Windows Computers
We need to make our browsers use the proxy for internet connections. You can do this manually by following the steps below, or centrally via Active Directory Group Policy.
- Open Control Panel
- Open Internet Options
- Go to the Connections tab
- Click the LAN settings button
- Check the Use a proxy server for your LAN box
- Enter your proxy server's IP/hostname for the Address
- Enter the port of your proxy server; Squid listens on 3128 by default.
- Check the Bypass proxy for local addresses box
- Click OK
Time to test and see if it works. Open your web browser and go to http://www.eicar.org/download/eicar.com.txt. If you see the following page, it means your antivirus scanner detected a threat in that download.
Congratulations! You are now using a Squid proxy to scan all web-based downloads with the multiple malware scanning engines of Metadefender ICAP Server.
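For readers who want to see what happens between the proxy and the scanner during that test, here is the ICAP RESPMOD exchange as an added example; it is not code from the original post, Squid or Metadefender. The client side builds the encapsulated ICAP request the way a respmod adaptation does, a constructed mock stands in for the scanner so the exchange runs offline, and send_respmod() lets you point the same request at a real ICAP server to check its RESPMOD path from the command line. The hostnames, the /respmod service path and the MARKER string are assumptions; the mock flags the marker, not the EICAR file, which is deliberately not embedded.

```python
"""ICAP (RFC 3507) RESPMOD: the exchange Squid performs with the scanner for
each download once respmod adaptation is enabled.

Added example, not code from the original post, Squid or Metadefender.
Assumptions: the hostnames, the "/respmod" service path, and MARKER, a
constructed stand-in for a detection (the EICAR test file is not embedded)."""
import socket

MARKER = b"CONSTRUCTED-MALICIOUS-MARKER"  # constructed: what the mock scanner flags


def build_respmod(host: str, port: int, service: str,
                  req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Encapsulate an HTTP request header, response header and response body
    in one ICAP RESPMOD request. The Encapsulated header carries the byte
    offset of every section within the payload; the body is HTTP-chunked."""
    body_off = len(req_hdr) + len(res_hdr)
    body_kind = "res-body" if body else "null-body"
    encapsulated = f"req-hdr=0, res-hdr={len(req_hdr)}, {body_kind}={body_off}"
    chunked = (f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n") if body else b""
    icap_hdr = (f"RESPMOD icap://{host}:{port}{service} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                "Connection: close\r\n"  # ask the server to close after one reply
                "Allow: 204\r\n"         # we accept 204 = body unchanged, not echoed back
                f"Encapsulated: {encapsulated}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + chunked


def parse_icap_status(reply: bytes) -> int:
    """Return the status code from a status line like b'ICAP/1.0 204 No Content'."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"ICAP/"):
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    return int(parts[1])


def classify(reply: bytes) -> str:
    """204: the scanner passed the download unchanged. 200: it replaced the
    response, which for a blocking scanner is the block page the user sees."""
    status = parse_icap_status(reply)
    if status == 204:
        return "clean"
    if status == 200:
        return "blocked"
    raise RuntimeError(f"unexpected ICAP status {status}")


def mock_scanner(request: bytes) -> bytes:
    """Constructed stand-in for the server side so the exchange runs offline:
    204 for a clean body, 200 with an encapsulated HTTP 403 block page otherwise."""
    if MARKER not in request:
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    page = b"<html><body>Download blocked by the malware scanner.</body></html>"
    http_hdr = (f"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
                f"Content-Length: {len(page)}\r\n\r\n").encode()
    chunked = f"{len(page):x}\r\n".encode() + page + b"\r\n0\r\n\r\n"
    icap_hdr = ("ICAP/1.0 200 OK\r\n"
                f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}\r\n\r\n").encode()
    return icap_hdr + http_hdr + chunked


def send_respmod(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Send a RESPMOD request to a real ICAP server and collect its reply.
    Not exercised offline; use it to check your own server's RESPMOD path."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            try:
                chunk = sock.recv(65536)
            except socket.timeout:
                break
            if not chunk:
                break
            reply += chunk
    return reply


def sample_download(body: bytes, host: str = "metascan.example.com",
                    port: int = 1344) -> bytes:
    """Wrap `body` as a constructed HTTP download and build its RESPMOD request."""
    req_hdr = (b"GET http://files.example.com/tool.exe HTTP/1.1\r\n"
               b"Host: files.example.com\r\n\r\n")
    res_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    return build_respmod(host, port, "/respmod", req_hdr, res_hdr, body)


def demo() -> dict:
    """Run a clean and a flagged download through the mock scanner."""
    payloads = {"clean": b"plain text, nothing to see",
                "flagged": b"header " + MARKER + b" trailer"}
    return {label: classify(mock_scanner(sample_download(body)))
            for label, body in payloads.items()}


if __name__ == "__main__":
    print(demo())  # {'clean': 'clean', 'flagged': 'blocked'}
    # Against a real server:
    # print(classify(send_respmod("metascan.example.com", 1344, sample_download(b"..."))))
```

The Encapsulated offsets are the part most often wrong in hand-written ICAP clients, which is why build_respmod computes them from the actual header lengths and switches to null-body for an empty response. A 204 reply is only legal because the request advertises Allow: 204; without it a scanner has to echo the whole body back in a 200.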
You might think you need two very powerful hosts to run these proxy and Metadefender ICAP Server services. Not true! Our two servers each have an Intel Xeon E5410 CPU (4 physical cores at 2.33 GHz). The proxy server has 8GB of RAM and the Metadefender Core 4 server has 16GB of RAM. That’s about the equivalent of a new desktop nowadays, bought from your neighborhood BestBuy or Costco. We have about 50 users using the Proxy every day and the CPU load averages only 5% and memory usage averages 50%. The Metadefender Core 4 server’s CPU load averages 20% and memory usage averages 13%. What we’re saying is you don’t need two expensive powerhouse servers to run this system. You can run Metadefender ICAP Server with a proxy with a low budget and little IT overhead.
The image below shows a performance test we ran comparing the file download speed of a computer without a proxy server, with a proxy server, and with a proxy server in conjunction with Metadefender ICAP Server.