Netgate Discussion Forum

    ClamAV possible?

    Problems Installing or Upgrading pfSense Software
      MrGlasspoole

      Hi,

      After 4 days it looks to me that virus scanning is not possible in pfSense?
      Is that a never-ending story?

      I looked at Dansguardian, squid3-dev, HAVP and everything I could find here or with Google - nothing works and a lot of stuff/problems are from 2012 and still don't work?

      So after 4 days and nights I give up for now and try Sophos until I get an answer here.
      If it's possible then please somebody tell me how.

        exograpix

        Looking for an antivirus solution for a very long time but no solution in sight. Switched to Endian till a solution is available.

          rjcrowder

          @MrGlasspoole:

          Hi,

          After 4 days it looks to me that virus scanning is not possible in pfSense?
          Is that a never-ending story?

          I looked at Dansguardian, squid3-dev, HAVP and everything I could find here or with Google - nothing works and a lot of stuff/problems are from 2012 and still don't work?

          So after 4 days and nights I give up for now and try Sophos until I get an answer here.
          If it's possible then please somebody tell me how.

          Not sure I understand… Although I'm not currently using either, the last time I tried dansguardian/clam and havp both worked just fine. Care to share your problem and see if anyone can help?

            stephenw10 Netgate Administrator

            Indeed, I'm not aware of any ongoing issues with either of those packages (although I'm not running them either).
            Are you trying to do something different with them? Other than scanning proxied http traffic?

            Steve

              kejianshi

              dansguardian + squid worked fine for me.

                stephenw10 Netgate Administrator

                With ClamAV? I just spent a while reading posts and they are almost exclusively failure reports.

                Steve

                  kejianshi

                  Yes - I don't run it on the current release of pfSense and I never had much luck with the newest squid 3.

                  But yes.  With the older squid, plus clamav, plus dansguardian it was quite stable.  Worked great.

                  I imagine it still would be.

                  I do remember I had to go into command line to update and run clamav but only for the first signature update.

                    kejianshi

                    I also tested it periodically with the eicar test files and test site…

                    http://www.eicar.org/download/eicar.com.txt

                      rjcrowder

                      @stephenw10:

                      With ClamAV? I just spent a while reading posts and they are almost exclusively failure reports.

                      Steve

                      Like I said… not currently using it, but dg with clamav always worked fine. The only reason I stopped using it was that it could take a long time (and sometimes time out) on very large file transfers.

                        kejianshi

                        My suggestion is:

                        1.  Install squid 2, the stable one.  2.7.9 pkg v.4.3.4 (not squid 3)

                        2.  Reboot pfSense, then configure squid, then reboot again.

                        3.  Install dansguardian (I think clamav is part of that package)

                        You have to go into dansguardian and click the check box to enable clamav scanning.
                        You should probably do the first clamav signature update at the command line of pfSense.

                        4.  Configure dansguardian.

                        5.  Configure the pfSense firewall so that selected machines on the LAN get HTTP through dansguardian.

                        If there is some new bug that would break this I wouldn't be aware of it.  When my kids got older I deactivated net-nanny.

                          MrGlasspoole

                          I really tried a lot already, and everything I found here, but nothing works.
                          I also tried this: http://egoncalves.com.br/pfsense/pfsense-squid3-dev-clamav-i386/
                          But I'm on x64 and there I can't find a clwarn.cgi.

                          Also in Dansguardian ClamAV does not start.

                            kejianshi

                            Hmmm.  That doesn't look like the stable release of squid to me…

                              Cino

                              I must be lucky then.. I have it working using squid3-dev 3.3.10 pkg 2.2.6 on i386… Of course I can't remember if I had to do some workaround...

                              Come to think of it, I think I may have had to change folder permissions on /var/log/c-icap and /var/log/clamav to be clamav:wheel and make sure clwarn.cgi is browser accessible.

                              Just did a test to make sure it's still working:

                              SquidClamAv 6.10: Virus detected!

                              The requested URL http://www.eicar.org/download/eicar.com.txt contains a virus
                              Virus name: Eicar-Test-Signature

                              This file cannot be downloaded.

                              Origin: 192.168.0.101 / -

                              Powered by SquidClamAv 6.10.

                                MrGlasspoole

                                @Cino:

                                I must be lucky then.. I have it working using squid3-dev 3.3.10 pkg 2.2.6 on i386…

                                As I wrote, I'm on x64 and the folder creation and permission stuff is shown in the link and something I tried.

                                But I can't execute freshclam because there is no clwarn.cgi on my system.
                                And as the forum searches show - I'm not the only one with these problems.

                                  kejianshi

                                  Cino - Cool.  Then it's possible with squid3 as well.

                                  At the time that I tried it I had issues with that and no particular need for squid 3 over 2.

                                  But it's good to know it's possible.

                                    kejianshi

                                    You took a look at this already?

                                    http://egoncalves.com.br/pfsense/pfsense-squid3-dev-clamav-i386/

                                      MrGlasspoole

                                      That's the link I was talking about and I posted above ;D

                                        kejianshi

                                        Hmmmm…

                                        Sorry.  I guess I'm not helping.
                                        My next move might be to wipe the box and start fresh following that guide on a fresh install.

                                        That will be a controversial suggestion.

                                          Cino

                                          freshclam only updates the virus definitions. From what I can tell, the package wasn't set up to enable this for some reason but I was able to get it to run.

                                          Edit /usr/pbi/squid-i386/etc/freshclam.conf to your liking, then run this from the command line:

                                          
                                          /usr/pbi/squid-i386/bin/freshclam -d --config-file=/usr/pbi/squid-i386/etc/freshclam.conf
                                          
                                          

                                          Auto start on reboots, create file /usr/local/etc/rc.d/freshclam.sh with 755

                                          
                                          #!/bin/sh
                                          # This file was automatically generated
                                          # by the pfSense service handler.
                                          
                                          rc_start() {
                                          	# -d runs freshclam as a daemon; the config path is passed with --config-file
                                          	/usr/pbi/squid-i386/bin/freshclam -d --config-file=/usr/pbi/squid-i386/etc/freshclam.conf
                                          }
                                          
                                          rc_stop() {
                                          	# Stop the running freshclam daemon
                                          	killall freshclam
                                          }
                                          
                                          case "$1" in
                                          	start)
                                          		rc_start
                                          		;;
                                          	stop)
                                          		rc_stop
                                          		;;
                                          	restart)
                                          		rc_stop
                                          		rc_start
                                          		;;
                                          esac
                                          
                                          

                                          I copied /usr/pbi/squid-i386/libexec/squidclamav/clwarn.cgi to /usr/local/www/clwarn.cgi

                                          Adjust squid-i386 to squid-amd64 if you're running amd64.

                                          1 Reply Last reply Reply Quote 0
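
Added example, not part of Cino's post or of the pfSense package: a small audit script for the manual fixes described in Cino's posts (log directory ownership, `clwarn.cgi` in the web root, the executable rc.d script, a readable `freshclam.conf`). The paths and the `clamav:wheel` owner are the ones quoted in the thread; the function names and the `ROOT` prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit the manual fixes Cino describes.
# Paths and the clamav:wheel owner are quoted from the posts; the function
# names and the ROOT prefix (for auditing a test tree) are assumptions.

owner_of() {    # print "user:group" of a path (FreeBSD and GNU ls)
    ls -ld "$1" 2>/dev/null | awk '{print $3 ":" $4}'
}

fail() {        # report one failed check and count it
    echo "FAIL: $1"
    fails=$((fails + 1))
}

# audit_squidclamav ROOT ARCH OWNER -> exit status is the number of failures
audit_squidclamav() {
    root=$1 arch=$2 owner=$3 fails=0

    # log directories the thread says had to be re-owned to clamav:wheel
    for d in /var/log/c-icap /var/log/clamav; do
        got=$(owner_of "$root$d")
        [ "$got" = "$owner" ] || fail "$d owner is '${got:-missing}', want $owner"
    done

    # clwarn.cgi renders the "Virus detected!" page, so it must be in the web root
    [ -x "$root/usr/local/www/clwarn.cgi" ] ||
        fail "/usr/local/www/clwarn.cgi missing or not executable"

    # the rc.d script only runs at boot if it is executable (mode 755 in the post)
    [ -x "$root/usr/local/etc/rc.d/freshclam.sh" ] ||
        fail "/usr/local/etc/rc.d/freshclam.sh missing or not executable"

    # freshclam.conf lives under the arch-specific PBI directory
    [ -r "$root/usr/pbi/squid-$arch/etc/freshclam.conf" ] ||
        fail "freshclam.conf not readable under /usr/pbi/squid-$arch/etc"

    return "$fails"
}

# Usage: sh audit.sh amd64   (with no argument the functions are only defined)
if [ "$#" -gt 0 ]; then
    audit_squidclamav "" "$1" clamav:wheel
fi
```

Each `FAIL:` line names the item to fix; an exit status of 0 means all five checks passed.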
                                            Cino

                                            I haven't tried it on amd64… It could be that the binaries are compiled run if you found http://egoncalves.com.br/pfsense/pfsense-squid3-dev-clamav-i386/ 'cause that how-to looks basically like what I did to get it to run..
