Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Looks like my LAN users are having a lot of problems getting infected with trojans and other viruses that spread inside the LAN.
I would like to know if there's an antivirus for Linux routers/gateways that would scan all packets that pass through from the internet to the LAN?
You could deploy HAVP as an HTTP traffic scanner. It uses ClamAV. If the problem is really bad, virus scanning won't be enough, though (due to its inherent limitations). What other measures are you willing to take?
I'm currently blocking all ports except for 80, 25, and 53. I also have Squid running, but this is only to save bandwidth. I don't know what else to try though. All I know is I need to take action now before it gets any worse. Do you have any suggestions?
Quote:
You could deploy HAVP as an HTTP traffic scanner. It uses ClamAV. If the problem is really bad, virus scanning won't be enough, though (due to its inherent limitations). What other measures are you willing to take?
Have you used HAVP? If so, does the bandwidth suffer when you have a certain number of users connected?
Quote:
I'm currently blocking all ports except for 80, 25, and 53. I also have Squid running, but this is only to save bandwidth. I don't know what else to try though. All I know is I need to take action now before it gets any worse. Do you have any suggestions?
I would seriously consider taking the LAN offline, inspecting the Squid logs and cross-referencing with firewall logs to find possible sources of the trojaned download(s). Then you could proceed to block those sites with an ACL (to reduce the chances of a repeat), implement some sort of larger block ACL of known bad sites, and install HAVP. Meanwhile, the compromised Windows hosts (I'm assuming they are Windows, please correct me if I'm wrong) on the LAN would need to be cleaned and hardened (there's only so much you can do on the gateway).
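As an added illustration of the cross-referencing suggested in the post above (this is not code from this thread or from any of the posters), the script below reads Squid's native access.log format and the line format written by the iptables LOG target, picks out internal hosts that fetched executables and the domains they came from, and matches them against hosts whose outbound connections to ports other than 80, 25 and 53 were logged by the gateway. With a policy that only permits those three ports, every such log line is a blocked call-home attempt, which is why the overlap is a useful list of suspects. The log lines, addresses and domain names are constructed for the example, and the `FW-OUT` log prefix and `badsites.txt` path are assumptions.

```python
"""Cross-reference Squid access.log with iptables LOG lines to find internal
hosts that downloaded executables and then tried to reach blocked ports."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format: time elapsed client code/status bytes method URL ident hier/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+(?P<ctype>\S+)"
)
# The fields of an iptables LOG line that matter here.
IPT_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")

EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com")
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec"}
ALLOWED_PORTS = {80, 25, 53}   # the gateway policy described in the thread

# Constructed sample logs (RFC 5737 / RFC 1918 addresses, made-up domains).
SQUID_LOG = """\
1262304000.123    512 192.168.1.10 TCP_MISS/200 245760 GET http://dl.example.net/update/setup.exe - DIRECT/203.0.113.5 application/x-msdownload
1262304010.456     40 192.168.1.11 TCP_HIT/200 5120 GET http://www.example.org/index.html - NONE/- text/html
1262304020.789    300 192.168.1.12 TCP_MISS/200 98304 GET http://cdn.example.com/img/photo.jpg - DIRECT/203.0.113.9 image/jpeg
1262304030.001    610 192.168.1.12 TCP_MISS/200 131072 GET http://dl.example.net/update/codec.scr - DIRECT/203.0.113.5 application/x-dosexec
"""
FW_LOG = """\
Jan  1 00:00:05 gw kernel: [1234.5] FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=49152 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 00:00:06 gw kernel: [1235.5] FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=203.0.113.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=49153 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 00:00:07 gw kernel: [1236.5] FW-OUT IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=49154 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def squid_exec_downloads(lines):
    """Return {client: {domain, ...}} for requests that fetched an executable."""
    found = defaultdict(set)
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if urlsplit(url).path.lower().endswith(EXEC_EXT) or m.group("ctype") in EXEC_TYPES:
            found[m.group("client")].add(urlsplit(url).hostname)
    return found

def firewall_blocked_egress(lines):
    """Return {src: {(dst, dport), ...}} for logged outbound connections to
    ports outside the allow-list, i.e. traffic the policy should have dropped."""
    out = defaultdict(set)
    for line in lines:
        m = IPT_RE.search(line)
        if m and int(m.group("dpt")) not in ALLOWED_PORTS:
            out[m.group("src")].add((m.group("dst"), int(m.group("dpt"))))
    return out

def correlate(squid_lines, fw_lines):
    """Hosts that both fetched an executable and tried a blocked egress port."""
    dl = squid_exec_downloads(squid_lines)
    fw = firewall_blocked_egress(fw_lines)
    return {c: {"downloads": sorted(dl[c]), "egress": sorted(fw[c])} for c in dl if c in fw}

def squid_acl(suspects):
    """Domains the suspects fetched executables from, one per line, ready to
    be written to a file referenced by a Squid dstdomain ACL."""
    return "\n".join(sorted({d for s in suspects.values() for d in s["downloads"]}))

if __name__ == "__main__":
    suspects = correlate(SQUID_LOG.splitlines(), FW_LOG.splitlines())
    for host, info in suspects.items():
        print(host, "downloaded from", info["downloads"], "then tried", info["egress"])
    print("--- candidate contents for /etc/squid/badsites.txt ---")
    print(squid_acl(suspects))
```

The domain list can be dropped into a file and referenced from squid.conf with `acl badsites dstdomain "/etc/squid/badsites.txt"` followed by `http_access deny badsites` (placed before the rule that allows the LAN), which is the ACL block the post describes. On real logs, widen the sample lines to a whole day and expect the download list to need a human look before blocking; a shared CDN hostname that served one bad file is not the same as a malicious site.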
Quote:
Originally Posted by landysaccount
Have you used HAVP? If so, does the bandwidth suffer when you have a certain number of users connected?
No, I haven't used HAVP. That said, this type of software doesn't change the upstream bandwidth usage. Downstream delays are introduced while the data is scanned, though, so a faster CPU gets you fewer delays.
Quote:
I would seriously consider taking the LAN offline, inspecting the Squid logs and cross-referencing with firewall logs to find possible sources of the trojaned download(s).
That's a great idea in case the trojan is in the cache.
Quote:
Meanwhile, the compromised Windows hosts (I'm assuming they are Windows, please correct me if I'm wrong) on the LAN would need to be cleaned and hardened (there's only so much you can do on the gateway).
Unfortunately, yes, these are Windows machines.
I'm going to read more about HAVP and test it on a separate machine first and see how it works. Thanks a lot.
A sniffer will come in handy in finding the internally infected hosts (along with proxy and FW logs). In fact, several sniffers may work even better. The reason I'm saying sniffer is that, while an IDS will help, you won't have time to deploy a proper IDS...this isn't the time to be trying to deploy such a system. A sniffer is almost the same thing but is more or less ad hoc. It won't be a dedicated system and can be moved more easily. Basically, it can be run on any system and can be as simple as using tcpdump.
I'd place a sniffer just outside of your gateway (to detect call-home traffic or botnet-related traffic, usually outbound) and one that is just outside of any internal subnets. If you're using three (3) internal subnets, I'd place three (3) sniffers right outside of those subnets (for a total of 4 sniffers).
The way we do it at work is that we look for any outbound traffic that is using high ports. We catch a lot of IRC-related infections this way. We also look for anomalous spikes (higher than normal traffic on port 445, for example), but this requires that you already know your networks' nuances. Also, I've seen IRC traffic trying to hide or avoid specific FW rules by going outbound on port 80 (since a lot of companies still tend not to filter outbound port 80 traffic). A lot of botnets are now reporting to web servers (instead of IRC servers). This makes it easy to hide the infected machines reporting to C&C servers, but one red flag will be outbound POST commands to PHP-based sites within the packet trace.
If you don't know your internal network layout, ask for assistance from someone who's been around awhile. Ask for network diagrams and use them even if they're old (they'll be better than using nothing).
We've been seeing LOTS of Conficker infections across our customer base lately. I'd focus on any brute force attempts against 445 (and by association, ports 135, 138, and 139). This particular port/service for Windows-based OSs is notorious for being easily compromised.
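The post above lists three things to look for in a sniffer trace taken just outside a LAN subnet: internal hosts talking out to high ports, HTTP POSTs to PHP pages, and brute-force or spreading attempts against 445. As an added example (not the poster's tooling, and not from this thread), here is a small triage script over text output in the style of `tcpdump -nn -tt -A`, which prints one header line per packet and, with `-A`, the payload on the lines that follow. It assumes the watched LAN is 192.168.0.0/16, that 80, 25, 53 and 443 are the ports the gateway legitimately allows out, and that five distinct 445 targets from one host in a capture is enough to call it a fan-out; all three thresholds are assumptions to tune per network. The capture lines are constructed with RFC 1918 and RFC 5737 addresses.

```python
"""Triage tcpdump text output for the three warning signs in the post:
high-port egress, SYN fan-out to TCP/445, and POSTs to PHP pages."""
import re
from collections import defaultdict

INTERNAL_PREFIX = "192.168."              # assumption: the LAN subnet being watched
KNOWN_SERVICE_PORTS = {80, 25, 53, 443}   # assumption: ports allowed out by the gateway
SCAN_THRESHOLD = 5                        # assumption: distinct 445 targets before flagging

# Header line written by tcpdump -nn -tt for a TCP packet.
PKT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
# A POST request line for a PHP page, as it appears in -A payload output.
POST_RE = re.compile(r"POST (?P<path>\S+\.php)\S* HTTP/1\.[01]")

# Constructed capture: an IRC-style high-port connection, a POST to a PHP
# page on port 80, one host fanning out SYNs to 445, and a normal HTTPS SYN.
CAPTURE_LINES = [
    "1262304000.000001 IP 192.168.1.10.49152 > 198.51.100.7.6667: Flags [S], seq 1, win 5840, length 0",
    "1262304000.000002 IP 198.51.100.7.6667 > 192.168.1.10.49152: Flags [S.], seq 2, ack 2, win 5840, length 0",
    "1262304001.000001 IP 192.168.1.11.49200 > 203.0.113.30.80: Flags [P.], seq 1:120, ack 1, win 5840, length 119",
    "POST /bot/gate.php HTTP/1.1",
    "Host: 203.0.113.30",
    "1262304003.000001 IP 192.168.1.13.49300 > 203.0.113.40.443: Flags [S], seq 1, win 5840, length 0",
] + [
    f"1262304002.{i:06d} IP 192.168.1.12.10{i:02d} > 192.168.1.{20 + i}.445: Flags [S], seq 1, win 65535, length 0"
    for i in range(6)
]

def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)

def triage(lines):
    """Return {internal_host: [(finding, detail), ...]} for LAN-originated traffic."""
    high_port = defaultdict(set)    # src -> {(dst, dport)}
    smb_targets = defaultdict(set)  # src -> {dst} reached with a SYN to 445
    php_posts = defaultdict(set)    # src -> {request path}
    last_src = None                 # source of the most recent header line, for -A payload
    for line in lines:
        m = PKT_RE.match(line)
        if m:
            src, dst = m.group("src"), m.group("dst")
            dport, flags = int(m.group("dport")), m.group("flags")
            last_src = src
            if not is_internal(src):
                continue            # replies and inbound traffic are out of scope here
            if not is_internal(dst) and dport >= 1024 and dport not in KNOWN_SERVICE_PORTS:
                high_port[src].add((dst, dport))
            if dport == 445 and flags == "S":
                smb_targets[src].add(dst)
            continue
        # Anything else is payload from -A; credit it to the packet it follows.
        p = POST_RE.search(line)
        if p and last_src and is_internal(last_src):
            php_posts[last_src].add(p.group("path"))

    findings = {}
    for src, targets in high_port.items():
        findings.setdefault(src, []).append(("high-port egress", sorted(targets)))
    for src, dsts in smb_targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings.setdefault(src, []).append(("445 fan-out", len(dsts)))
    for src, paths in php_posts.items():
        findings.setdefault(src, []).append(("POST to PHP", sorted(paths)))
    return findings

if __name__ == "__main__":
    for host, items in sorted(triage(CAPTURE_LINES).items()):
        for finding, detail in items:
            print(f"{host}: {finding}: {detail}")
```

Feed it a saved capture with something like `tcpdump -nn -tt -A -i eth1 tcp > trace.txt` and then `triage(open("trace.txt"))`. The script deliberately counts distinct 445 destinations rather than raw packet volume, because a single file-server conversation produces many 445 packets to one host, while a worm produces a few to many hosts; the "anomalous spike" check in the post still needs a baseline of what your own network normally does.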