Netgate Discussion Forum

    Squid ClamAV antivirus not working properly

    Cache/Proxy
    squid clamav antivirus
    • Impatient

      You might try disabling squid-guard, rebooting the firewall, and checking to see if the clam block page shows correctly.
      If it doesn't, it could be the same issue that showed up a year or so ago in the squid package.

      • pimmes111

        Sorry for the late reply. I've completely removed squidguard and rebooted the firewall, but I got the same response. I've tried with Google Chrome as well and got an NXDOMAIN error (see attached screenshot). Is the "localdomain" configuration causing this problem and is a valid domain required?

        Or what issue are you referring to a year ago in the Squid package?

        0_1545072411739_Capture4.PNG

        • Impatient

          Download the test file while checking the clamd table log to see if it is caught instream.

          • pimmes111

            It is being caught instream:

            0_1546152876539_Capture6.PNG

            • Impatient

              That indicates clamav is detecting the test file but isn't logging it properly.

              I checked my setup and receive the same: Found instream with no default block page, and it is not logged in either the C-ICAP Virus Table or the dashboard widget.

              Perhaps someone else will check on this that has more knowledge.

              • JonathanLee @Impatient

                @impatient hello, I am having the same issue currently. I have the proxy running with HTTPS and HTTP in transparent mode with splice all. It works; certificates are installed on all devices. ClamAV for me only works with HTTP downloads, even when HTTPS SSL intercept is running. The test file only gets blocked on HTTP.

                Did you guys ever find a resolve for this?

                https://forum.netgate.com/topic/168812/squid-c-icap-virus-table-malware-virus-test-file-in-http-caught?_=1641529034653

                Make sure to upvote

                • amisbievre

                  I think the point comes from the transparent proxy and MITM mode. If it's set on "Splice All" the antivirus will not block viruses but only log them.

                  • JonathanLee @amisbievre

                    @amisbievre

                    I have it set to custom and it will now catch both HTTP and HTTPS test viruses. I tested and researched some different settings. The certificate had to be created with Squid and used that way, however.

                    Screen Shot 2022-10-29 at 10.54.00 PM.png
                    (IMAGE: Custom used)

                    Screen Shot 2022-10-29 at 10.54.13 PM.png
                    (Image: Advanced options)

                    Take notice: on the Amazon Fire and Xbox I have the firewall set to use splice all for those static LAN IP addresses. The other devices that can use the certificates use peek step1 all, splice only for my nosslintercept list of IP addresses and a file I created with URLs I do not want SSL intercepted.

                    Screen Shot 2022-10-29 at 10.54.42 PM.png
                    (Image: Custom made URL splice file)

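The difference between "Splice All" and the custom setup described in the posts above, written out as Squid `ssl_bump` rules. This is an added example, not configuration taken from the thread or from the pfSense package; the ACL names, client addresses and file path are assumed placeholders.

```conf
# Shared by both variants: match the first SSL-bump step (TCP connect / SNI).
acl step1 at_step SslBump1

# --- Variant A: splice everything (shown commented out) ---
# Squid peeks at the ClientHello, then relays the TLS connection without
# decrypting it, so HTTPS response bodies are never handed to the
# ICAP/ClamAV service.
#ssl_bump peek step1
#ssl_bump splice all

# --- Variant B: bump by default, splice only listed exceptions ---
# Constructed addresses standing in for devices that cannot install the
# proxy CA certificate (the thread mentions an Amazon Fire and an Xbox).
acl nosslintercept_ips src 192.168.1.50 192.168.1.51
# Hypothetical file with one server name per line, e.g. ".example.com".
acl nosslintercept_names ssl::server_name "/usr/local/etc/squid/nosslintercept.txt"

ssl_bump peek step1
ssl_bump splice nosslintercept_ips
ssl_bump splice nosslintercept_names
# Everything else is decrypted with the proxy CA, so the content can be
# passed to ICAP and scanned.
ssl_bump bump all
```

Rule order matters: a `splice all` placed before `bump all` would match first and leave every HTTPS connection undecrypted.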
                    • JonathanLee @amisbievre

                      @amisbievre

                      Now ClamAV catches both HTTPS and HTTP test virus

                      Screen Shot 2022-10-29 at 11.02.49 PM.png
                      (IMAGE: HTTPS Virus test successful) Squid blocks them; notice it states HTTPS now in the error.

                      Screen Shot 2022-10-29 at 11.04.40 PM.png

                      Reference how to install the Squid certificate: I had to generate it in the command line and load it into pfSense.

                      This works for version 22.05 better when you load the certificate.

                      Check it out Ref: https://forum.it-monkey.net/index.php?topic=23.0

                      This site had the best walk through with setting this up outside of the advanced options.

                      • amisbievre @JonathanLee

                        @jonathanlee

                        My problem with this is the need of a whitelist. I currently don't know how to have something like "whitelist all except blacklist and pages scanned with a virus". I don't use squidguard but pfBlockerNG-devel, which is in my opinion better.

                        • amisbievre @amisbievre

                          My problem with this is the need of a whitelist. I currently don't know how to have something like "whitelist all except blacklist and pages scanned with a virus". I don't use squidguard but pfBlockerNG-devel, which is in my opinion better.
                          It should be a regex like ^.* minus blacklist, but I don't see anything on how to do this properly.

                          I have a thread about this: https://forum.netgate.com/topic/175557/squid-clamav-mitm-custom-setting?_=1667128733894

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.