Is Squid's ClamAV HTTPS scanning broken?



  • Myself and, I know, a few others here are trying to get Squid with an explicit/WPAD setup up and running, which seems to be working for most. However, a recurring theme is that ClamAV scans the HTTP traffic but not the HTTPS traffic.

    Before I rack my brain on this I'd like to know if this is a known issue? Is this ability broken? Seems it's not working for people. Example: https://forum.pfsense.org/index.php?topic=112335.0

    Or is there another way it needs to be done to achieve HTTPS virus scanning? MITM?

    Thanks

    pfSense 2.3, I should add.



  • No, it's not working, but I think it is understandable due to the MITM vs WPAD concept.



  • Actually I ran a test and it works with MITM activated which makes sense as it needs to decrypt the traffic to be able to scan it. One just has to install the certs on each local computer/device.



  • How often are real virus files sent by HTTPS? I cannot think of any examples.



  • @AR15USR:

    Actually I ran a test and it works with MITM activated which makes sense as it needs to decrypt the traffic to be able to scan it. One just has to install the certs on each local computer/device.

    It defeats the purpose of having WPAD if certs need to be installed on all local devices.



  • @Asterix:

    @AR15USR:

    Actually I ran a test and it works with MITM activated which makes sense as it needs to decrypt the traffic to be able to scan it. One just has to install the certs on each local computer/device.

    It defeats the purpose of having WPAD if certs need to be installed on all local devices.

    Yes, that's understood. The point is achieving HTTPS scanning, which I now know works when using the MITM option.



  • Hi,

    virus scanning is working.

    It is working for TRANSPARENT mode for http and https
    It is working for NON-TRANSPARENT mode for http and https
    It is working for NON-TRANSPARENT mode for http and https with WPAD

    There is no reason why it should not work with any of these options because anything which is going through squid - no matter if it is https or http - will be internally forwarded via c-icap to clamav/Antivirus.
    I tested all these three options (transparent, non-transparent and non-transparent with WPAD) on the latest pfsense version 2.3.1_5 and with the latest squid package.

    So if it is not working for you it is a configuration problem of your environment or your pfsense.

    • So first thing is to get squid working with http and https, no matter if transparent, non-transparent or non-transparent with wpad
    • Then disable hard disk caching or at least clear your squid disk cache
    • Then enable AntiVirus and then it should find all 4 versions of the eicar webpage in either http or https. Use the official website: http://www.eicar.org/85-0-Download.html
    • Then enable other features like disk cache again, squidguard or what you want.

    Regards



  • @Nachtfalke:

    Hi,

    virus scanning is working.

    It is working for TRANSPARENT mode for http and https
    It is working for NON-TRANSPARENT mode for http and https
    It is working for NON-TRANSPARENT mode for http and https with WPAD

    There is no reason why it should not work with any of these options because anything which is going through squid - no matter if it is https or http - will be internally forwarded via c-icap to clamav/Antivirus.
    I tested all these three options (transparent, non-transparent and non-transparent with WPAD) on the latest pfsense version 2.3.1_5 and with the latest squid package.

    So if it is not working for you it is a configuration problem of your environment or your pfsense.

    • So first thing is to get squid working with http and https, no matter if transparent, non-transparent or non-transparent with wpad
    • Then disable hard disk caching or at least clear your squid disk cache
    • Then enable AntiVirus and then it should find all 4 versions of the eicar webpage in either http or https. Use the official website: http://www.eicar.org/85-0-Download.html
    • Then enable other features like disk cache again, squidguard or what you want.

    Regards

    Well, in my test it would not alert on the Eicar https file without having explicit mode, MITM, and certs installed on the local machine(s). It did not alert via the wpad method. If you have a different experience please post up your settings to make this happen, would be great to see. Maybe make a guide?

    BTW Squid would filter the HTTPS in any method, but that's not the same as scanning the HTTPS..



  • Hi,

    in my C-ICAP logs I found something like this for each of the 8 files:

    Virus redirection: http://pfSense.oberndorf.ca/squid_clwarn.php?url=https://secure.eicar.org/eicarcom2.zip&source=192.168.10.10&user=-&virus=stream: Eicar-Test-Signature FOUND.

    So you probably have to make sure that:

    1.) your pfsense is reachable via http on port 80 to show you the redirect page - or you configure something else in Antivirus
    2.) Antivirus is not scanning cached content again by default. ClamAV assumes that all files in the squid cache were scanned in the past and are clean. So if you opened the eicar files in the past they went into the squid cache and will never be scanned again, and so clamav will never kick in.
    3.) Of course you need to install the CA certificate on every client machine if you do HTTPS / SSL INTERCEPTION.
    4.) I only tested this with pfsense using HTTP on port 80. Not with https and not with custom ports.
    5.) If http and https is going through squid and you can see it in "Real Time" tab in squid, then your squid config is OK. Then you need to make sure Antivirus is running.
    6.) Update the Antivirus database and make sure it updated successfully in the "Real Time" tab, too. Without that it will probably not work.

    Instead of wasting my time making a guide it could be more helpful that you post your squid config, antivirus config with screenshots and post your clients browser proxy config and proxy.pac file.
    Best would be with screenshots. Posting the relevant firewall rules for one interface.

    Regards
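As an added example (not from any poster in this thread), the following script parses the c-icap "Virus redirection" entry quoted above and counts detections per URL scheme, so you can confirm from the log whether HTTPS hits are actually reaching ClamAV after running the eicar test from both http:// and https://. Only the one log fragment quoted in the thread is known; the timestamp prefix and the constructed sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Only the "Virus redirection: <redirect-url>?<query>" fragment quoted in the
# thread is known; timestamp prefixes and the rest of the format are assumed.
MARKER = re.compile(r"Virus redirection:\s*(?P<redirect>\S+?)\?(?P<qs>.*)$")
# The scanned URL sits in the query unencoded, so split only in front of the
# known keys; '&' or '=' inside the scanned URL then survives intact.
FIELD_SPLIT = re.compile(r"&(?=(?:source|user|virus)=)")

def parse_redirect(line):
    """Return the fields of one redirection entry, or None for any other line."""
    m = MARKER.search(line)
    if not m:
        return None
    fields = {}
    for part in FIELD_SPLIT.split(m.group("qs")):
        key, _, value = part.partition("=")
        fields[key] = value
    url = fields.get("url", "")
    # "stream: Eicar-Test-Signature FOUND." -> "Eicar-Test-Signature"
    sig = re.sub(r"^stream:\s*", "", fields.get("virus", ""))
    sig = re.sub(r"\s+FOUND\.?$", "", sig)
    return {"url": url, "scheme": urlsplit(url).scheme,
            "source": fields.get("source", ""), "signature": sig}

def summarize(lines):
    """Detections per URL scheme plus the clients and signatures seen.
    HTTP hits with no HTTPS hits is the symptom from the thread: traffic is
    proxied but not decrypted, so ClamAV never sees the HTTPS payload."""
    hits = [h for h in map(parse_redirect, lines) if h]
    return {
        "per_scheme": dict(Counter(h["scheme"] for h in hits)),
        "sources": sorted({h["source"] for h in hits}),
        "signatures": sorted({h["signature"] for h in hits}),
    }

# Constructed sample: line 1 is the entry quoted in the thread, the rest are
# made up here (a timestamped HTTPS hit with '&' inside the scanned URL, an
# HTTP hit, and an unrelated line that must be ignored).
SAMPLE_LOG = [
    "Virus redirection: http://pfSense.oberndorf.ca/squid_clwarn.php?url=https://secure.eicar.org/eicarcom2.zip&source=192.168.10.10&user=-&virus=stream: Eicar-Test-Signature FOUND.",
    "Mon Jun 13 10:02:11 2016, general, Virus redirection: http://pfSense.oberndorf.ca/squid_clwarn.php?url=https://secure.eicar.org/eicar.com.txt?a=1&b=2&source=192.168.10.12&user=-&virus=stream: Eicar-Test-Signature FOUND.",
    "Virus redirection: http://pfSense.oberndorf.ca/squid_clwarn.php?url=http://www.eicar.org/download/eicar_com.zip&source=192.168.10.10&user=-&virus=stream: Eicar-Test-Signature FOUND.",
    "Mon Jun 13 10:00:00 2016, general, Loaded ClamAV signature database",
]
```

Run it over the real c-icap log after fetching the eicar files once with the squid cache cleared; a summary with only an "http" key means the HTTPS requests were forwarded but never decrypted and scanned.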