Icap server not scanning eicar files correctly
-
Hi all,
I have an issue with ICAP scanning an EICAR file and not flagging it as a virus. The infrastructure is this: I have a WAF that sends a request to ICAP to scan a file when I upload it. In the WAF I have configured it to send requests to icap://<SERVER_IP>:1344/squid_clamav. ICAP is installed on pfSense community 2.6; I've installed the squid package from the Package Manager UI and I pretty much use the default configuration.
In the squid web UI, I have enabled Squid Antivirus check using clamav, and in the squid.conf I can see that icap is enabled:
In the c-icap.conf I've set up debuglevel : 3 and in the logs I only get things like the following:
I have tried many different configs and solutions that I found in the forums here, however, nothing I do will produce the eicar test file being flagged as a virus and I can upload that file without it being blocked.
The server running Pfsense is running on FreeBSD 12. Here are also all configs related to icap and clamav:
squidclamav.txt
freshclam.txt
clamd.txt
c-icap.txt
c-icap_magic.txt
Am I missing something? Based on the previous discussions, ICAP should be able to detect the EICAR test file out of the box. Is this something on the WAF end, or a misconfig on the ICAP side? Any info/help is appreciated.
Thanks in advance
-
@fran-rukavina Is the EICAR test using TLS/SSL or are you using the plain text tests?
-
@michmoor I'm uploading a plain text file; I've just created one with the EICAR string. The thing is that once it's uploaded and on my Exchange server, if I try to download the file, I will get the error message from pfSense that it's a virus, but by that point it's scanned by another service. I'm just using pfSense to check the upload.
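
One way to tell a WAF-side problem from an ICAP-side one is to send the ICAP service a hand-built REQMOD request wrapping an upload, with no WAF in the path (an added example, not code from the thread or from the squid or c-icap projects). It assumes the WAF submits uploads as REQMOD and that the service is `squid_clamav` as in the URL above; the `/upload/` path, the `upload.test.invalid` host and the `sample.bin` name are hypothetical.

```python
import socket
import sys

def build_reqmod(icap_host, service, filename, payload, port=1344):
    """Raw ICAP REQMOD request (RFC 3507) wrapping an HTTP PUT of payload."""
    if not payload:
        raise ValueError("empty payload: nothing for the scanner to inspect")
    http_hdr = (
        f"PUT /upload/{filename} HTTP/1.1\r\n"
        "Host: upload.test.invalid\r\n"  # hypothetical origin host
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(payload)}\r\n\r\n"
    ).encode("ascii")
    icap_hdr = (
        f"REQMOD icap://{icap_host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        "Allow: 204\r\n"  # server may answer 204 when it changes nothing
        f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n\r\n"  # offset of body
    ).encode("ascii")
    body = b"%x\r\n" % len(payload) + payload + b"\r\n0\r\n\r\n"  # chunked encoding
    return icap_hdr + http_hdr + body

def icap_status(response):
    """Numeric status code from the first line of an ICAP response."""
    line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP response: {line!r}")
    return int(parts[1])

def scan_file(icap_host, path, service="squid_clamav", port=1344):
    """Send the file at path to the ICAP service; return (status, ICAP headers)."""
    with open(path, "rb") as fh:
        request = build_reqmod(icap_host, service, "sample.bin", fh.read(), port)
    response = b""
    with socket.create_connection((icap_host, port), timeout=10) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in response:
            chunk = sock.recv(4096)
            if not chunk:
                break
            response += chunk
    return icap_status(response), response.split(b"\r\n\r\n", 1)[0].decode("latin-1")

if __name__ == "__main__":
    status, headers = scan_file(sys.argv[1], sys.argv[2])
    print(headers)
    # 204 = passed unmodified; 200 = modified or replaced; 404 = no such service
    print("ICAP status:", status)
```

Run it with the ICAP server address and the path to the test file as its two arguments. Per RFC 3507, 204 means the message was passed unmodified, 200 means the service returned a modified or replacement message, and 404 means the service name was not found.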