Netgate Discussion Forum

Squid ClamAV antivirus not working properly

Category: Cache/Proxy
Tags: squid, clamav, antivirus
pimmes111, Dec 6, 2018, 12:08 PM (edited Dec 6, 2018, 1:24 PM)

Hi, I've recently installed my pfSense firewall (2.4.4-RELEASE-p1) with the Squid Proxy Server and SquidGuard Proxy Filter plugins. My cache seems to be working fine, I see hits/misses/etc., and HTTP and HTTPS with SquidGuard also work fine. I can block categories for both HTTP and HTTPS sites, so SSL MITM is working fine.

I followed the steps on this page, the only difference is that I'm using a transparent proxy:
https://www.ceos3c.com/pfsense/install-squid-clamav-pfsense-2-3-3/

When I tried downloading the EICAR test file (both HTTP and HTTPS) from https://www.eicar.org/?page_id=3950 I'm getting an error page, see attachment. I'm not getting the ClamAV page, and I'm also not getting any logs in the C-ICAP Virus Table, see attachment.

When I disable the antivirus I can download the HTTP and HTTPS files, so ClamAV is doing something by showing the error page, but not what I'm expecting. Does anyone have a solution?

[Two attachments, not available]
Impatient, Dec 9, 2018, 3:11 AM

You can see by the C-ICAP Server Table log that the response page was called.
What other packages do you have installed?
pimmes111, Dec 9, 2018, 7:54 AM (edited Dec 9, 2018, 7:57 AM)

I have installed Lightsquid, Squid and SquidGuard, nothing else. I do have a cluster setup with CARP, but I don't see how this should affect this behaviour.

I do see the response page being called, also by the URL when I try downloading the test file, which tries to redirect to squid_clwarn.php.
Impatient, Dec 9, 2018, 9:07 PM

You might try disabling SquidGuard, rebooting the firewall, and checking whether the ClamAV block page shows correctly.
If it doesn't, it could be the same issue that showed up a year or so ago in the Squid package.
pimmes111, Dec 17, 2018, 6:47 PM

Sorry for the late reply. I've completely removed SquidGuard and rebooted the firewall, but I got the same response. I've tried with Google Chrome as well and got an NXDOMAIN error (see attached screenshot). Is the "localdomain" configuration causing this problem, and is a valid domain required?

Or what issue are you referring to from a year ago in the Squid package?

[Attachment, not available]
Impatient, Dec 18, 2018, 12:20 AM

Download the test file while checking the clamd table log to see if it is caught instream.
pimmes111, Dec 30, 2018, 6:54 AM

It is being caught instream:

[Attachment, not available]
Impatient, Dec 30, 2018, 6:45 PM

That indicates ClamAV is detecting the test file but isn't logging it properly.

I checked my setup and receive the same: "Found instream" with no default block page, and it is not logged in either the C-ICAP Virus Table or the dashboard widget.

Perhaps someone else with more knowledge will check on this.
JonathanLee (replying to Impatient), Jan 7, 2022, 4:20 AM (edited Jan 7, 2022, 4:21 AM)

@impatient Hello, I am having the same issue currently. I have the proxy running with HTTPS and HTTP in transparent mode with Splice All. It works; certificates are installed on all devices. ClamAV for me only works with HTTP downloads, even when HTTPS SSL intercept is running. The test file only gets blocked on HTTP.

Did you guys ever find a resolution for this?

https://forum.netgate.com/topic/168812/squid-c-icap-virus-table-malware-virus-test-file-in-http-caught?_=1641529034653
amisbievre, Oct 30, 2022, 5:47 AM

I think the point comes from the transparent proxy and MITM mode. If it's set to "Splice All", the antivirus will not block viruses but only log them.
JonathanLee (replying to amisbievre), Oct 30, 2022, 6:01 AM

@amisbievre

I have it set to Custom and it will now catch both HTTP and HTTPS test viruses. I tested and researched some different settings. The certificate had to be created with Squid and used that way, however.

[Image: Custom used]

[Image: Advanced options]
Notice that for the Amazon Fire and Xbox I have the firewall set to use splice all for those static LAN IP addresses. The other devices that can use the certificates use peek step1 all; splice only for my nosslintercept list of IP addresses and a file I created with URLs I do not want SSL intercepted.

[Image: Custom-made URL splice file]
JonathanLee (replying to amisbievre), Oct 30, 2022, 6:04 AM (edited Oct 30, 2022, 6:17 AM)

@amisbievre

Now ClamAV catches both the HTTPS and HTTP test viruses.

[Image: HTTPS virus test successful] Squid blocks them; notice it now states HTTPS in the error.

[Image, not available]

Reference for how to install the Squid certificate: I had to generate it on the command line and load it into pfSense.

This works better for version 22.05 when you load the certificate.

Check it out, ref: https://forum.it-monkey.net/index.php?topic=23.0

This site had the best walkthrough for setting this up outside of the advanced options.
amisbievre (replying to JonathanLee), Oct 30, 2022, 10:16 AM

@jonathanlee

My problem with this is the need for a whitelist. I currently don't know how to have something like "whitelist all except blacklist and pages scanned with a virus". I don't use SquidGuard but pfBlockerNG-devel, which is in my opinion better.
amisbievre (replying to amisbievre), Oct 30, 2022, 11:20 AM

It should be a regex like ^.* minus blacklist, but I don't see anything on how to do this properly.

I have a thread about this: https://forum.netgate.com/topic/175557/squid-clamav-mitm-custom-setting?_=1667128733894
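The contrast the last few posts draw between "Splice All" and a Custom MITM policy, together with the "bump everything except a blacklist" shape asked about just above, written out in squid.conf directives. This is an added example, not configuration from the thread, the pfSense Squid package or the linked guides. The ICAP listener address, the `squid_clamav` service name and the two ACL file paths are assumptions for illustration; pfSense generates the `http_port`/`https_port ... intercept ssl-bump` lines and the CA certificate itself, so those are not shown.

```conf
# Added example (not from the thread or the pfSense package). Paths and the
# ICAP URL are assumptions; check what your own install generates.

# --- ICAP adaptation: ClamAV only ever sees HTTP messages Squid can read ----
icap_enable on
icap_send_client_ip on
icap_service av_req  reqmod_precache  icap://127.0.0.1:1344/squid_clamav bypass=off
icap_service av_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
adaptation_access av_req  allow all
adaptation_access av_resp allow all
# bypass=on fails OPEN: if c-icap is down, responses are served unscanned.
# Set bypass=off on av_resp if an outage should block downloads instead.

# Shared: identify the first SslBump step (ClientHello seen, SNI known).
acl step1 at_step SslBump1

# --- Weak policy: what "Splice All" amounts to (left disabled) --------------
# Squid peeks at ClientHello/ServerHello, then tunnels the TLS bytes as-is.
# No decrypted response ever exists, so av_resp is never called for https://
# and an EICAR download over HTTPS is not blocked; only the SNI can be logged.
#ssl_bump peek step1
#ssl_bump splice all

# --- Corrected policy: bump everything except explicit exceptions -----------
# Client IPs that must not be intercepted (devices that cannot trust the
# proxy CA), one address or CIDR per line.
acl nosslintercept src "/usr/local/etc/squid/nosslintercept_ips.txt"   # assumed path
# Server names to tunnel untouched, dstdomain-style: ".example.com" also
# matches its subdomains, one entry per line.
acl splice_sites ssl::server_name "/usr/local/etc/squid/splice_sites.txt" # assumed path

ssl_bump peek step1
ssl_bump splice nosslintercept
ssl_bump splice splice_sites
ssl_bump bump all
```

Squid evaluates `ssl_bump` rules in order and stops at the first match, so only one policy section can be live; with the weak lines uncommented, `splice all` would shadow everything after it. The decisive difference is that a spliced connection is forwarded as opaque TLS, so Squid never reconstructs an HTTP response to hand to the respmod service, which is why the test file was caught on http:// but not https:// earlier in the thread. Bumped traffic does reach ClamAV, and the exception lists play the role of the per-device "splice" entries in the posts above. To verify, fetch the EICAR file over both http:// and https:// from a client behind the proxy: both should now land on the squid_clwarn.php block page and appear in the C-ICAP Virus Table.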