Squid ClamAV Not Reporting Virus'

rcooper

Ok…I wiped my drive and installed a fresh pfSense 2.3.2-RELEASE (amd64). I do not have Snort installed at this time. I installed Squid and setup with no issues. I did notice this - in the General tab, if I don't enable the Transparent HTTP Proxy, I am able to download the http eicar virus test files. If I enable the Transparent HTTP Proxy, I get the "Server not found" error page when trying to download the http eicar virus test files. I've attached screenshots of the General, Local Cache, and Antivirus pages. Maybe you can find something that I've completely missed.

I check the thread you posted. The process seems quite involved; not that I can't do it. It's a bit of work to get it to work correctly.

Hey I am just wondering how you guys done the warning for a virus I have it set up but would like to see a page with a warning like your showing newuser 192.168.1.1/ just wondering myself is that something that's already there or did you make it?

Robert

chudak

@newUser2pfSense:

Well, I've wiped my drive and installed and configured once more. I'm back to where I was. The http eicar test files get blocked (without the warning page we are looking for) and this time the eicar https test files get this reply with the SSL Man In the Middle Filtering enabled:

Your connection is not secure

The owner of secure.eicar.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

Interestingly, I had SSL Man In the Middle Filtering enabled on my first install and the https eicar test files were blocked; I didn't receive the above message at that time. Odd that I'm receiving that message now.

@PlowHouse @newUser2pfSense

trying to follow your thread but with no success. Having the same issue with AV and wonder if you could summarize your findings/suggestions in short form?

Thx in advance!

mtarbox

I decided to test mine and it too is not triggering the warning or the blocked pages.
I am not using HTTPS/SSL Interception, but I would expect it to block the http files.
I've uninstalled squid, rebooted, and then re-installed squid, however still no dice.

2.4.2-RELEASE (amd64)
built on Mon Nov 20 08:12:56 CST 2017
FreeBSD 11.1-RELEASE-p4

c-icap and clamd both show a green light status.

C-ICAP Server Table shows as empty, even after downloading the eicar test file which it doesn't catch.

And upon further discovery on the web, this was my solution. Not sure if it is correct, but it is once again working. https://www.ceos3c.com/2017/06/23/install-squid-clamav-pfsense-2-3-3/ except I did not have to set the proxy on my browser since it was already in transparent mode.

So it makes me wonder what exactly I did to knock c-icap offline and not scan traffic, even though it was showing the green light status. I can't remember testing it after updating to 2.4.2, or even the prior release.

chudak

No sure why we need FW rule it used to work before w/o it?

Tried as was suggested by @mtarbox https://www.ceos3c.com/2017/06/23/install-squid-clamav-pfsense-2-3-3/ and still no love

??!!

chudak

If I were to guess I'd say that Transparent Proxy Settings stopped working roughly at the time of upgrading to 2.4.1

Impatient

I don't get the response page but it is blocked and I don't use a firewall rule.

I have squid setup with mitm and transparent.

When I check the real time tab the (clamd table) show's the eicar file is found instream
and also the C-ICAP server is showing that it generated a response page even though
none appeared.

I had just assumed it was a conflict between one of the other package's I have installed.

Impatient

@Impatient:

I don't get the response page but it is blocked and I don't use a firewall rule.

I have squid setup with mitm .

When I check the real time tab the (clamd table) show's the eicar file is found instream
and also the C-ICAP server is showing that it generated a response page even though
none appeared.

I had just assumed it was a conflict between one of the other package's I have installed.

Just updated squid to 4.42_1 and I am now getting the response page with http and https.

ekoo

not sure if its been posted before.

found on Github. https://github.com/darold/squidclamav/issues/42

Hi Yuri,

Sorry for the response delay. I have pfsense 2.4.1 running and the virus test files are well detected.

So to clear you cache proceed as follow:

Stop Squid service: on the "Package / Proxy Server: General Settings / General" interface uncheck "Enable Squid Proxy" checkbox and save the configuration. This will stop the service.

Execute command: rm -rf /var/squid/cache/*, the cache is destroyed.

Rebuild the cache space using: /usr/local/sbin/squid -z (type enter again to have the prompt). The swap space is rebuild.

Restart the service from the Web interface by activating the "Enable Squid Proxy" checkbox and save the configuration.

Works fine, pfsense is a great product.

Capture.JPG_thumb

chudak

@ekoo:

not sure if its been posted before.

found on Github. https://github.com/darold/squidclamav/issues/42

Hi Yuri,

Sorry for the response delay. I have pfsense 2.4.1 running and the virus test files are well detected.

So to clear you cache proceed as follow:

Stop Squid service: on the "Package / Proxy Server: General Settings / General" interface uncheck "Enable Squid Proxy" checkbox and save the configuration. This will stop the service.

Execute command: rm -rf /var/squid/cache/*, the cache is destroyed.

Rebuild the cache space using: /usr/local/sbin/squid -z (type enter again to have the prompt). The swap space is rebuild.

Restart the service from the Web interface by activating the "Enable Squid Proxy" checkbox and save the configuration.

Works fine, pfsense is a great product.

The only problem it did not work !!!

ekoo

@chudak:

The only problem it did not work !!!

it worked for me… running 2.4.2p1
clicked on the eicar links multiple times.......

Capture.JPG_thumb

chudak

@ekoo:

@chudak:

The only problem it did not work !!!

it worked for me… running 2.4.2p1
clicked on the eicar links multiple times.......

Interesting, what did you do? and it did not work before 2.4.2p1 ?

Thx

ekoo

@chudak:

Interesting, what did you do? and it did not work before 2.4.2p1 ?

Thx

i did exact those 4 steps… all thru "command promp" webGUI page.

I originally was on 2.3.4p-something........ upgrade to 2.4.2 broke everything, so I had to fresh install, and restore the XML file.

Once the backup file was restored, I could download all the HTTP EICAR files no problem.

then followed those 4 steps, and i get the virus redirect page. (could not download the EICAR files)

http://www.eicar.org/85-0-download.html

chudak

@ekoo:

@chudak:

Interesting, what did you do? and it did not work before 2.4.2p1 ?

Thx

i did exact those 4 steps… all thru "command promp" webGUI page.

I originally was on 2.3.4p-something........ upgrade to 2.4.2 broke everything, so I had to fresh install, and restore the XML file.

Once the backup file was restored, I could download all the HTTP EICAR files no problem.

then followed those 4 steps, and i get the virus redirect page. (could not download the EICAR files)

http://www.eicar.org/85-0-download.html

Oops you are right, works for me too now!!!

So seems like 2.4.2-RELEASE-p1 fixed it (and last time I tried on previous version).

Thanks :)

newUser2pfSense

I'm now on pfSense:
2.4.2-RELEASE-p1
FreeBSD 11.1-RELEASE-p6

Using a Mac mini and MacBook Pro both using Firefox to test the EICAR HTTP files, I completed the 4 steps, twice, and I can still download the HTTP files. I haven't configured for HTTPS yet.

Another interesting factoid…Using Debian 9 Stretch Linux with Firefox installed, I couldn't download the HTTP files but I still didn't receive the red colored virus message.