Netgate Discussion Forum

    Is Squids ClamAV HTTPS scanning broken?

    AR15USR

      I, and a few others I know of here, are trying to get Squid with an explicit/WPAD setup up and running, which seems to be working for most. However, a recurring theme is that ClamAV scans the HTTP traffic but not the HTTPS traffic.

      Before I rack my brain on this I'd like to know if this is a known issue. Is this ability broken? It seems it's not working for people. Example: https://forum.pfsense.org/index.php?topic=112335.0

      Or is there another way it needs to be done to achieve HTTPS virus scanning? MITM?

      Thanks

      pfSense 2.3, I should add.

      exograpix

        No, it's not working, but I think it is understandable due to the MITM vs. WPAD concept.

        AR15USR

          Actually I ran a test and it works with MITM activated which makes sense as it needs to decrypt the traffic to be able to scan it. One just has to install the certs on each local computer/device.

          aGeekhere

            How often are real virus files sent by HTTPS? I cannot think of any examples.

            asterix

              @AR15USR:

              Actually I ran a test and it works with MITM activated which makes sense as it needs to decrypt the traffic to be able to scan it. One just has to install the certs on each local computer/device.

              It defeats the purpose of having WPAD if certs need to be installed on all local devices.

              AR15USR

                @Asterix:

                It defeats the purpose of having WPAD if certs need to be installed on all local devices.

                Yes, that's understood. The point is achieving HTTPS scanning, which I now know works when using the MITM option.

                Nachtfalke

                  Hi,

                  Virus scanning is working.

                  It is working for TRANSPARENT mode for http and https
                  It is working for NON-TRANSPARENT mode for http and https
                  It is working for NON-TRANSPARENT mode for http and https with WPAD

                  There is no reason why it should not work with any of these options because anything which is going through squid - no matter if it is https or http - will be internally forwarded via c-icap to clamav/Antivirus.
                  I tested all these three options (transparent, non-transparent and non-transparent with WPAD) on the latest pfsense version 2.3.1_5 and with the latest squid package.

                  So if it is not working for you it is a configuration problem of your environment or your pfsense.

                  • So first thing is to get squid working with http and https, no matter if transparent, non-transparent or non-transparent with wpad
                  • Then disable hard disk caching or at least clear your squid disk cache
                  • Then enable AntiVirus and then it should find all 4 versions of the eicar webpage in either http or https. Use the official website: http://www.eicar.org/85-0-Download.html
                  • Then enable other features like disk cache again, squidguard or what you want.

                  Regards

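The four-step procedure above (get Squid passing HTTP and HTTPS, clear the disk cache, enable AntiVirus, then fetch the EICAR files over both schemes) is what a practitioner would script rather than click through. The following is an added example, not code from the thread or from the pfSense squid package. It assumes an explicit (non-transparent) Squid listener passed as PROXY (a placeholder such as http://pfsense.lan:3128), that a ClamAV hit is answered with a redirect to squid_clwarn.php on the pfSense box (the behaviour the c-icap log line later in the thread shows), and that the pfSense CA certificate used for SSL interception is available as a PEM file; the EICAR download paths are placeholders to adjust to the current eicar.org layout.

```python
"""Probe whether a Squid + c-icap + ClamAV proxy scans HTTPS as well as HTTP.

Added example; not code from the thread or from the pfSense squid package.
Assumptions (placeholders, not from the page): the proxy listens explicitly on
PROXY (e.g. http://pfsense.lan:3128), a ClamAV hit is answered with a redirect
to squid_clwarn.php on the pfSense box, and the EICAR download paths below
match the eicar.org layout (secure.eicar.org appears in the thread itself).
"""
import ssl
import sys
import urllib.error
import urllib.request

# The four EICAR test files, fetched over http and over https: eight downloads.
EICAR_FILES = ["eicar.com", "eicar.com.txt", "eicar_com.zip", "eicarcom2.zip"]
EICAR_BASES = ("http://www.eicar.org/download", "https://secure.eicar.org")  # placeholders
WARN_MARKER = "squid_clwarn.php"                       # pfSense AV warning page
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"   # fragment of the test string
ZIP_MAGIC = b"PK\x03\x04"                              # start of the .zip variants


def eicar_urls():
    """All eight test URLs (four files x two schemes)."""
    return [f"{base}/{name}" for base in EICAR_BASES for name in EICAR_FILES]


def classify(final_url, status, body):
    """Decide what the proxy did with one EICAR fetch.

    'blocked'   -> we landed on (or were sent to) the ClamAV warning page, so
                   the object was scanned (and, for https, decrypted first).
    'unscanned' -> the EICAR payload itself arrived: squid relayed it unscanned.
    'error'     -> anything else (proxy unreachable, site down, or TLS
                   verification failed because the pfSense CA is not trusted).
    """
    if WARN_MARKER in final_url or WARN_MARKER.encode() in body:
        return "blocked"
    if status == 200 and (EICAR_MARKER in body or body.startswith(ZIP_MAGIC)):
        return "unscanned"
    return "error"


def probe(proxy, url, cafile=None, timeout=15):
    """Fetch one URL through the explicit proxy and classify the outcome.

    cafile is the pfSense CA used for SSL interception. Without it the forged
    certificate on the CONNECT tunnel fails verification and the result is
    'error', which is exactly the "install the certs on each device" point.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}),
        urllib.request.HTTPSHandler(context=ctx),
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.geturl(), resp.getcode(), resp.read())
    except urllib.error.HTTPError as exc:
        # A 403/5xx whose body or URL is the warning page still counts as a block.
        return classify(exc.geturl(), exc.code, exc.read())
    except (urllib.error.URLError, OSError):
        return "error"


def summarize(results):
    """Collapse per-URL outcomes to one verdict per scheme.

    A scheme is 'blocked' only if every test file was blocked; a single file
    slipping through makes it 'unscanned'; anything else is 'error'.
    """
    seen = {}
    for url, outcome in results.items():
        seen.setdefault(url.split("://", 1)[0], set()).add(outcome)
    verdict = {}
    for scheme, outcomes in seen.items():
        if "unscanned" in outcomes:
            verdict[scheme] = "unscanned"
        elif outcomes == {"blocked"}:
            verdict[scheme] = "blocked"
        else:
            verdict[scheme] = "error"
    return verdict


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} http://proxy:3128 [pfsense-ca.pem]")
        return 2
    proxy = argv[1]
    cafile = argv[2] if len(argv) > 2 else None
    results = {url: probe(proxy, url, cafile) for url in eicar_urls()}
    for url, outcome in results.items():
        print(f"{outcome:9s} {url}")
    verdict = summarize(results)
    print("per scheme:", verdict)
    return 0 if verdict.get("https") == "blocked" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with the CA file and once without: with the CA the https column should read "blocked" for all four files; without it the https fetches fail verification and show "error", which distinguishes "not scanned" from "client does not trust the interception CA". Clear the Squid disk cache between runs, since a cached EICAR object is never scanned again.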
                  AR15USR

                    @Nachtfalke:

                    Well, in my test it would not alert on the Eicar https file without having explicit mode, MITM, and certs installed on the local machine(s). It did not alert via the wpad method. If you have a different experience please post up your settings to make this happen, would be great to see. Maybe make a guide?

                    BTW Squid would filter the HTTPS in any method, but that's not the same as scanning the HTTPS.

                    Nachtfalke

                      Hi,

                      in my C-ICAP logs I found something like this for every one of the 8 files:

                      Virus redirection: http://pfSense.oberndorf.ca/squid_clwarn.php?url=https://secure.eicar.org/eicarcom2.zip&source=192.168.10.10&user=-&virus=stream: Eicar-Test-Signature FOUND.

                      So you probably have to make sure that:

                      1.) your pfsense is reachable via http on port 80 to show you the redirect page - or you configure something else in Antivirus
                      2.) Antivirus is not scanning cached content again by default. ClamAV assumes that all files in the squid cache were scanned in the past and are clean. So if you opened the eicar files in the past they went into the squid cache and will never be scanned again, and so clamav will never kick in.
                      3.) Of course you need to install the CA certificate on every client machine if you do HTTPS / SSL INTERCEPTION.
                      4.) I only tested this with pfsense using HTTP on port 80. Not with https and not with custom ports.
                      5.) If http and https is going through squid and you can see it in "Real Time" tab in squid, then your squid config is OK. Then you need to make sure Antivirus is running.
                      6.) Update the Antivirus database and make sure it updated successfully in the "Real Time" tab, too. Without that it will probably not work.

                      Instead of wasting my time making a guide, it would be more helpful if you post your squid config, antivirus config with screenshots, and your clients' browser proxy config and proxy.pac file.
                      Best would be with screenshots. Posting the relevant firewall rules for one interface.

                      Regards

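The c-icap log line quoted above is the most direct evidence of whether ClamAV ever sees HTTPS objects: the url= parameter of the squid_clwarn.php redirect carries the scheme of the object that was scanned. The parser below is an added example, not code from the thread or from c-icap/squidclamav. It assumes the field order of that one sample line (url, source, user, virus) and tolerates a timestamp prefix in front of "Virus redirection:"; the sample log is constructed, with placeholder timestamps, hosts and addresses, except for the second line, which reproduces the line quoted in the post.

```python
"""Confirm from the c-icap log that ClamAV sees HTTPS objects, not just HTTP.

Added example; not code from the thread or from c-icap/squidclamav. It parses
the "Virus redirection:" lines squidclamav writes on a hit, in the field order
the thread's sample line shows (url, source, user, virus), and counts hits per
URL scheme. Hits that only ever carry http:// URLs mean HTTPS is not being
scanned, which is the thread's symptom. SAMPLE_LOG is constructed; only its
second line is the one quoted in the thread.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Assumed field order: url, source, user, virus (from the thread's sample line).
# re.search lets a timestamp/module prefix precede "Virus redirection:".
VIRUS_RE = re.compile(
    r"Virus redirection: (?P<warn>\S+?/squid_clwarn\.php)\?"
    r"url=(?P<url>.+?)&source=(?P<source>[^&\s]*)&user=(?P<user>[^&\s]*)"
    r"&virus=(?P<virus>.*?)\.?\s*$"
)

# Constructed sample log. Prefixes, hosts and addresses are placeholders.
SAMPLE_LOG = """\
Mon Jun 13 10:01:02 2016, general, squidclamav: Virus redirection: http://pfSense.lan/squid_clwarn.php?url=http://www.eicar.org/download/eicar.com&source=192.168.10.10&user=-&virus=stream: Eicar-Test-Signature FOUND.
Virus redirection: http://pfSense.oberndorf.ca/squid_clwarn.php?url=https://secure.eicar.org/eicarcom2.zip&source=192.168.10.10&user=-&virus=stream: Eicar-Test-Signature FOUND.
Mon Jun 13 10:02:17 2016, general, squidclamav: Virus redirection: http://pfSense.lan/squid_clwarn.php?url=https://secure.eicar.org/eicar_com.zip&source=192.168.10.11&user=alice&virus=stream: Eicar-Test-Signature FOUND.
Mon Jun 13 10:02:18 2016, general, squidclamav: placeholder line that is not a virus hit
"""


def parse_line(line):
    """Return the hit's fields as a dict, or None if the line is not a hit."""
    m = VIRUS_RE.search(line.rstrip("\n"))
    if not m:
        return None
    url = unquote(m.group("url"))
    return {
        "url": url,
        "scheme": urlsplit(url).scheme.lower(),
        "source": m.group("source"),
        "user": m.group("user"),
        "virus": m.group("virus"),
        "warn_page": m.group("warn"),
    }


def parse_log(lines):
    """All virus hits in an iterable of log lines, in order."""
    return [hit for hit in (parse_line(line) for line in lines) if hit]


def hits_by_scheme(hits):
    """Number of ClamAV hits per URL scheme (http / https)."""
    return Counter(hit["scheme"] for hit in hits)


def https_scanning_seen(hits):
    """True if at least one hit was on an https:// object."""
    return hits_by_scheme(hits)["https"] > 0


def report(hits):
    """One-line verdict that maps onto the thread's checklist."""
    by = hits_by_scheme(hits)
    if not hits:
        return "no ClamAV hits at all: check AV is running and the cache was cleared"
    if by["https"] == 0:
        return f"{by['http']} http hit(s), no https hits: HTTPS is not being scanned"
    return f"{by['http']} http and {by['https']} https hit(s): HTTPS objects reach ClamAV"


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    found = parse_log(source)
    for hit in found:
        print(f"{hit['scheme']:5s} {hit['source']:15s} {hit['user']:8s} {hit['url']}")
    print(report(found))
```

Point it at the c-icap server log after fetching the EICAR files over both schemes; if every hit is http:// while the https:// fetches completed, Squid is relaying the TLS traffic without interception, which is what the WPAD-without-MITM setups in this thread show.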
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.