Hello all,
Have you thought of integrating an antivirus in the GL-MT6000 software? Did you know that this solution exists and is supported by OpenWrt?
To use it, you need to get a proxy up and running (like squid). And to really use it, you need some TLS interception as well. This is not the job of a router.
I rather think DNS sinkholing or banip would fit better. I've been using ClamAV before in my very early days of OpenWrt, but actually this is not really what you want if you want good security.
Indeed ClamAV uses a transparent proxy, probably squid, but then you also have to troubleshoot how it will scan https connections. To be honest, what it actually comes down to is that you end up with degrading encryption and no way to validate if a certificate is legitimate, because, like root certificates, the squid instance uses https with its own certificate, with probably also lower encryption standards.
There might be ways to get a cert cleaner via nginx openssl cache module or mitmproxy, but you're gonna have a hard time figuring it out; I did not bother.
And then you have more advanced ones like suricata, snort, but these are big ones and require maybe more powerful hardware. Indeed, a router is a router; what you may want is looking for some type of UTM system (Unified Threat Management) as hardware.
Running heavyweight processes doing realtime IPS/IDS will kill the router throughput.
So, while ClamAV packages are already available to install in OpenWRT OOTB (i.e., simply toggle over to the LuCI interface and install/use ClamAV from there), scanning traffic in realtime on a router is going to severely bog down the CPU and throughput. Caveat: there is additional configuration required in order for ClamAV to intercept traffic through the router.
Snort is sort of being worked on in the OpenWRT group, but it is historically a memory and cpu pig, mostly because it's single threaded. For Suricata, there is no current port being done for use on OpenWRT. Regardless, these are fairly heavyweight and should be run on an upstream firewall/gateway box, not on a router.
Hey, perhaps a great opportunity for GL to move AV and/or other IPS/IDS services to a h/w chip as has been done on the Flints for some other offloadings!