Squid ClamAV Not Reporting Viruses



  • Hello all…

    I have a full install of pfSense 2.3.2-RELEASE (amd64).  I have installed Squid from the Package Manager specifically to use the ClamAV antivirus.  I believe I have everything enabled to include the Squid Proxy.  As well, I'm able to update the virus definitions with no issues.

    Squid Version   3.5.19_1
    Antivirus    ClamAV 0.99.2    C-ICAP 0.4.3
    Scanner  SquidClamav 6.10

    The following services are all running:
    c-icap ICAP Inteface for Squid and ClamAV integration
    clamd ClamAV Antivirus
    squid Squid Proxy Server Service

    When I go to download an eicar virus test file, I'm able to download the file with no virus message displaying.  I thought SquidClamAV would show some kind of virus detected message and that the file cannot be downloaded.

    Would anyone happen to know what I might be doing incorrectly?  Any suggestions would be helpful.



  • It should be blocking the http EICAR files; if not, something is not right. It won't block the https files unless you have MITM set up.



  • I'm able to download the eicar file(s) from http without receiving any virus messages.  I wanted to get the http resolved before I try to configure the https.

    I'm trying to figure out what is configured incorrectly.  Anyone have any ideas?



  • Post screenshots of your Antivirus settings panel. I'm no IT pro but I have it working and I'll see if I can help..



  • I'm back on my old enterprise network equipment until I can get this figured out.

    When I was initially testing the ClamAV antivirus with the http eicar virus test files, I didn't have my internet browser configured to use the proxy and I was able to download the files.

    When I configured my browser to use the proxy, I could see the traffic come across the proxy in real time.  The Firefox settings I used for the proxy are:
    HTTP Proxy:  192.168.1.1          Port:  3128
    I also configured the proxy for null caching as I'm not that interested in keeping any data in cache and configured Firefox not to keep any cache as well.

    After configuring my browser to use the proxy, I tried to download the http eicar virus test files and an error page appeared for all 4 of the files.  I can't remember the type of error page off the top of my head.  I didn't even get to a download prompt for any of the files.  Interestingly enough, the proxy real time network traffic didn't show the files as being infected as that part of the page was blank.  I didn't choose a redirect page for infected files so I thought I would get a default virus page and didn't.

    Since I'm back on my old equipment for the time being, I won't have any pics to post.  Thanks for the help though.



  • Sounds like it was working. Here are my settings on the Antivirus tab FYI:

    Enable
    Do Not Send
    Disabled
    (blank)
    Unchecked
    Checked
    Every 6 hours
    United States
    (blank)

    My C-ICAP - Virus Logs are currently showing 18 Virus blocked.

    People here recommend setting up Squid via the WPAD method and setting the clients to auto discovery; that's how I have done it as well.



  • Looking at the Antivirus tab shows my setup pretty much the same as yours.

    I've now setup the SSL Man In the Middle Filtering for https scanning.  It gives me the same error page for the 4 files as the http page does.  By the way, that error page is:

    Server not found

    Firefox can’t find the server at xyz.

    Check the address for typing errors such as ww.example.com instead of www.example.com
    If you are unable to load any pages, check your computer’s network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    I've left the Redirect URL field empty as it states:  Leave empty to use the default Squid/pfSense WebGUI URL.
    As you can tell from the above error message, I'm not getting a default URL, unless of course that is the default URL.  I was looking for something more along the lines of a red background with some kind of text that says you tried to download a virus infected file, the file's name, the IP and URL of the file, etc; something to that effect.

    My C-ICAP Virus Table | C-ICAP - Virus Logs are blank/empty, no messages at all.  It would seem that I would have some entries such as what yours shows.  That seems a little odd to me that it's blank.



  • If you enter the Block page manually does it work?

    http://yourpfsenseaddress/squid_clwarn.php

    Are you setting up your clients individually or using WPAD?

    The block page should look like this attachment




  • I did some searching yesterday and found the following posts:
    https://www.reddit.com/r/PFSENSE/comments/4eavs0/squid3clamav_redirecting_to_the_wrong_warnphp_url/
    https://www.reddit.com/r/PFSENSE/comments/3fcrhe/224_fresh_install_no_squidav/

    I tried the 2 following redirect URLs with no luck:
    http://pfsense/squid_clwarn.php
    http://192.168.1.1/squid_clwarn.php
    The block page you provided didn't come up for either.

    I'm just going to set my clients to auto detect the proxy settings.  It seems the easiest.

    I don't believe I've configured anything incorrectly.  Very odd.



  • Sounds like you need to do a remove/reinstall of Squid/Squidguard to me. Something is not right.

    Have Snort running? It's not blocking anything on your LAN, is it?

    You will need to configure WPAD for your clients to be able to auto detect btw..

    Check out this thread for maybe more help:
    https://forum.pfsense.org/index.php?topic=112335.0



  • Ok…I wiped my drive and installed a fresh pfSense 2.3.2-RELEASE (amd64).  I do not have Snort installed at this time.  I installed Squid and setup with no issues.  I did notice this - in the General tab, if I don't enable the Transparent HTTP Proxy, I am able to download the http eicar virus test files.  If I enable the Transparent HTTP Proxy, I get the "Server not found" error page when trying to download the http eicar virus test files.  I've attached screenshots of the General, Local Cache, and Antivirus pages.  Maybe you can find something that I've completely missed.

    I checked the thread you posted.  The process seems quite involved; not that I can't do it.  It's a bit of work to get it to work correctly.

    ![Squid Proxy Server - General.png](/public/imported_attachments/1/Squid Proxy Server - General.png)
    ![Squid Proxy Server - Local Cache.png](/public/imported_attachments/1/Squid Proxy Server - Local Cache.png)
    ![Squid Proxy Server - Antivirus.png](/public/imported_attachments/1/Squid Proxy Server - Antivirus.png)



  • Does anyone know who maintains the Squid/ClamAV package?  Maybe they could take a look and see if there is anything in my setup that is incorrect.  Or would anyone else know what could be wrong???  I'm just a newbie to pfSense trying to get this working correctly.  Any more ideas at all?



  • I'm finding out a little more about squid and clamav.

    If you do a search on the following github site for "redirect", you'll find 2/3rds down the page, the 3rd match on my Firefox, information about URL redirection.  If you look in the cgi-bin directory as described, you can find the virus warning files:
    https://github.com/darold/squidclamav

    If you do a search in pfSense from Diagnostics | Command Prompt using the following command line text:  find / -name "clwarn.cgi" , you'll find the file is located here:  /usr/local/libexec/squidclamav/clwarn.cgi .  If you look in the /usr/local/libexec/squidclamav path, you can find all of the files that the github cgi-bin directory references.

    Interestingly enough, when I went to pfSense, Services | Squid Proxy Server | Antivirus, and chose the following Redirect URL: 
    http://192.168.1.1/cgi-bin/clwarn.cgi , the actual warning page appeared on the http eicar virus test file.  I thought my issue was fixed.  Nope, it's not.  For whatever reason, pfSense stopped using that url redirect after testing the http eicar test files a few more times to make sure it was going to work.  >:(



  • I'm finding out a little more about squid and clamav, too.
    Are you setting up your clients individually or using WPAD?



  • I'm setting up my clients individually for the https MITM; importing the CA into Firefox on each.  I'm then telling the browser to auto-detect the proxy settings.  Although I've read about it, I'm not really sure what WPAD is.

    I'm just trying to find the correct URL redirect in order for squidclamav to use the built-in virus/malware warning page (/cgi-bin/clwarn.cgi.en_EN).  I've tried everything that I can find in my searches with no luck.



  • I tried a redirect to my internal pfsense ip with the /squid_clwarn extension rather than the default redirect address and I noticed I was able to get the message working on IE but on Chrome the page says the site can't be reached. What's interesting is that on IE it uses the redirected IP address I used within the "Antivirus" settings however, Chrome reverts back to https://pfsense.localdomain/squid_clwarn.php…

    I attempted to clear my local cache to see if this would resolve the problem but it did not. From what I see in the logs and with the real-time monitor, it's actually doing what it's intended to do on both browsers. I'm just getting mixed results based on the browser of choice in regards to a message being displayed to the user via Chrome vs. IE. If there's another location the redirect address is stored then that's probably the root of my problem but until I figure out why Chrome gets the old https://pfsense.localdomain/squid_clwarn.php and not https://<ip_address>/squid_clwarn.php, it's just going to have to stay the way it is.

    Figured I'd share that here in case anyone else runs into this and has a solution.



  • PlowHouse…Thanks for the response.  Very informative.  Have you tried Firefox?



  • Just did, same result as Chrome. Interestingly enough, IE has stopped issuing me a warning now and reverted to using the old url rather than the IP re-direct I created. However, I tried downloading the file from a separate laptop and got a blocked notification on all three browsers. I was even blocked on my cell phone while connected to the wireless during my tests.

    I know the AV is doing its job whether it's displaying a notification or not, but maybe the previous message where it cannot resolve DNS while it blocks the virus is something that just cached for my MAC or IP… I even went as far as enabling "Manual Configuration" - Load Advanced files - and replacing the redirect there with the IP redirect I have. Even after doing that the old URL is still what is shown on my laptop or phone but the AV notification displays. I doubt this is OS specific but the system that isn't receiving the alerts is Windows 10 while the laptop is Windows 8.1 and the phone is Android.

    I'm kind of stumped why the redirect isn't using the IP, because that works on its own if I copy and paste that into any browser. Instead, pfSense keeps using https://pfsense.localdomain/squid_clwarn.php when it really should be https://<ip_address>/squid_clwarn.php...

    I think if I can figure out the root of why that IP isn't sticking it should work for your environment as well. Just to test, try using https://<ip_address>/squid_clwarn.php (or http://) on your Firefox browser and see if the notification shows. At least you'll know that the content it's pulling that information from to display the notification works. If I think of anything else I'll post it here.



  • PlowHouse…As you suggested, I tried using https://<ip_address>/squid_clwarn.php and http://<ip_address>/squid_clwarn.php on my Firefox browser.  Both worked.  Good catch!

    So this is interesting...about a week and a half ago I added an interface for my wireless LAN on my pfSense box.  In the Squid General Settings, I made sure I highlighted my WLAN with the default that was already highlighted which is the LAN.  I then restarted my router.  I then went back to the EICAR site to attempt to download the virus test files from my LAN.  I couldn't reach the EICAR site for whatever reason but had connectivity to any other website I tried.  About two days later I attempted to go to the EICAR site again and it finally displayed.  I then tried to download all 8 of the virus test files and they weren't being blocked at all.  Very odd, especially when they were being blocked before the addition of the interface and before I couldn't reach EICAR.  I don't know if EICAR changed something in their test files or if the addition of the interface on pfSense changed something in my pfSense box.  I know I can't really use pfSense until this gets fixed.  I may wipe my drive and try a fresh installation again to see if I get the same results.

    I hope I don't anger the good people at pfSense, but, have you tried IPFire?  I don't want to move away from pfSense, and I'm a gold member, but I just need something that works.



  • You may have not been able to connect to the eicar site because of local browser cache on the system and not necessarily because of squidav. One thing to mention about the AV is that I believe it's only going to catch sites/files over http and not https unless you have ssl man-in-the-middle filtering on. So the top four files on the test download site should be blocked as long as AV is active for your LAN and WLAN interfaces. However, the https files will most likely be permitted to go through as the AV filter has no visibility into the signatures of those files.

    As a test, I'd check to make sure you have the AV on for the LAN by selecting only the LAN interface in the "Proxy Interface/s" section of the Squid General settings, clear the browsing data/cache locally for the given test system, navigate to the eicar site and try to download any of the top eicar test files (only for http). On another tab I'd have the "real-time" monitor for squid open and you should see the files being blocked. Since you're testing the functionality of this setup I'd make sure wireless is off or ensure it's only obtaining an address from the LAN rather than WLAN. Once you validate this is working I'd repeat the steps for WLAN. Let me know how you make out.



  • Well, I've wiped my drive and installed and configured once more.  I'm back to where I was.  The http eicar test files get blocked (without the warning page we are looking for) and this time the eicar https test files get this reply with the SSL Man In the Middle Filtering enabled:

    Your connection is not secure

    The owner of secure.eicar.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    Interestingly, I had SSL Man In the Middle Filtering enabled on my first install and the https eicar test files were blocked; I didn't receive the above message at that time.  Odd that I'm receiving that message now.



  • That's one way to go about troubleshooting something, just wipe the whole thing  :D

    BTW, I've never heard of IPFire but I may give it a shot. I don't believe anyone here is going to flame you for mentioning another product that is functional and worth the mention. Although that's just me, I'm always interested in hearing about other products that may have something different to offer.



  • I have this same issue but only with the Opera browser when turbo mode is enabled.
    Then the browser can happily download Eicar test files and nothing is detected in the ClamAV logs.
    But if I disable turbo mode or use FF or Chrome then Clam works and detects the eicar files.



  • @beavis:

    I have this same issue but only with the Opera browser when turbo mode is enabled.
    Then the browser can happily download Eicar test files and nothing is detected in the ClamAV logs.

    Not surprising, as Opera turbo mode compresses the data, so any signature-based AV intercepting the traffic is effectively made useless.

    If using Opera turbo mode, pray that Opera does the AV for you before compressing.



  • @newUser2pfSense:

    Ok…I wiped my drive and installed a fresh pfSense 2.3.2-RELEASE (amd64).  I do not have Snort installed at this time.  I installed Squid and setup with no issues.  I did notice this - in the General tab, if I don't enable the Transparent HTTP Proxy, I am able to download the http eicar virus test files.  If I enable the Transparent HTTP Proxy, I get the "Server not found" error page when trying to download the http eicar virus test files.  I've attached screenshots of the General, Local Cache, and Antivirus pages.  Maybe you can find something that I've completely missed.

    I checked the thread you posted.  The process seems quite involved; not that I can't do it.  It's a bit of work to get it to work correctly.

    Hey, I am just wondering how you guys did the warning for a virus. I have it set up but would like to see a page with a warning like the one you're showing, newUser (192.168.1.1/). Just wondering myself, is that something that's already there or did you make it?

    Robert



  • @newUser2pfSense:

    Well, I've wiped my drive and installed and configured once more.  I'm back to where I was.  The http eicar test files get blocked (without the warning page we are looking for) and this time the eicar https test files get this reply with the SSL Man In the Middle Filtering enabled:

    Your connection is not secure

    The owner of secure.eicar.org has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    Interestingly, I had SSL Man In the Middle Filtering enabled on my first install and the https eicar test files were blocked; I didn't receive the above message at that time.  Odd that I'm receiving that message now.

    @PlowHouse @newUser2pfSense

    trying to follow your thread but with no success.  Having the same issue with AV and wonder if you could summarize your findings/suggestions in short form?

    Thx in advance!



  • I decided to test mine and it too is not triggering the warning or the blocked pages.
    I am not using HTTPS/SSL Interception, but I would expect it to block the http files.
    I've uninstalled squid, rebooted, and then re-installed squid, however still no dice.

    2.4.2-RELEASE (amd64)
    built on Mon Nov 20 08:12:56 CST 2017
    FreeBSD 11.1-RELEASE-p4

    c-icap and clamd both show a green light status.

    C-ICAP Server Table shows as empty, even after downloading the eicar test file which it doesn't catch.

    And upon further discovery on the web, this was my solution. Not sure if it is correct, but it is once again working. https://www.ceos3c.com/2017/06/23/install-squid-clamav-pfsense-2-3-3/ except I did not have to set the proxy on my browser since it was already in transparent mode.

    So it makes me wonder what exactly I did to knock c-icap offline and not scan traffic, even though it was showing the green light status. I can't remember testing it after updating to 2.4.2, or even the prior release.
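A recurring question in this thread is whether the "green light" on c-icap means anything: the scanner can be up while Squid never hands it the traffic (transparent-proxy rule, a cached copy of the file) or, the other way round, Squid can pass everything to c-icap while clamd never flags it. The two cases can be told apart by talking ICAP (RFC 3507) to c-icap directly, bypassing Squid, with a RESPMOD request that carries the EICAR string as the "origin server" body. The script below is an added example, not code from this thread or from the pfSense or squidclamav projects. It assumes c-icap listens on 127.0.0.1:1344 and that the squidclamav service is registered under the path /squidclamav (check c-icap.conf and the icap_service line Squid was generated with for the real values); the 307-plus-Location shape of the block reply is also an assumption. A 204 back for EICAR means c-icap/clamd is not catching it; a 200 with a redirect means the scanner works and the problem is between Squid and c-icap.

```python
"""Probe c-icap/squidclamav over ICAP (RFC 3507), bypassing Squid.

Added example, not code from the forum thread or from the pfSense or
squidclamav projects. Assumptions: c-icap on 127.0.0.1:1344, service path
/squidclamav, block reply = HTTP 307 with a Location header.
"""
import socket
import sys

ICAP_HOST = "127.0.0.1"       # assumption: the probe runs on the pfSense box
ICAP_PORT = 1344              # c-icap default listening port
ICAP_SERVICE = "squidclamav"  # assumption: service name from c-icap.conf
CRLF = b"\r\n"

# Public EICAR test string (68 bytes), the same content as the http test files
# discussed in the thread. It is a signature, not executable code.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample replies so the parser can be exercised offline.
SAMPLE_CLEAN_REPLY = (
    b"ICAP/1.0 204 Unmodified\r\nServer: C-ICAP/0.4.3\r\n"
    b"ISTag: \"CI0001-Example\"\r\nEncapsulated: null-body=0\r\n\r\n"
)
SAMPLE_BLOCK_REPLY = (
    b"ICAP/1.0 200 OK\r\nServer: C-ICAP/0.4.3\r\n"
    b"Encapsulated: res-hdr=0, res-body=128\r\nConnection: close\r\n\r\n"
    b"HTTP/1.0 307 Temporary Redirect\r\n"
    b"Location: http://192.168.1.1/squid_clwarn.php?virus=Eicar-Test-Signature\r\n"
    b"Content-Length: 0\r\n\r\n0\r\n\r\n"
)


def build_respmod(body: bytes, url: str = "http://example.test/eicar.com") -> bytes:
    """Build a RESPMOD request like the one Squid sends for a downloaded file.

    Sections: the client's request headers, the origin server's response
    headers, then the body in chunked encoding. The Encapsulated header
    gives the byte offset of each section inside the ICAP body."""
    req_hdr = f"GET {url} HTTP/1.1\r\nHost: example.test\r\n\r\n".encode()
    res_hdr = (
        "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    chunked = f"{len(body):x}\r\n".encode() + body + CRLF + b"0" + CRLF + CRLF
    icap_hdr = (
        f"RESPMOD icap://{ICAP_HOST}:{ICAP_PORT}/{ICAP_SERVICE} ICAP/1.0\r\n"
        f"Host: {ICAP_HOST}\r\n"
        "Allow: 204\r\n"          # let c-icap answer "unchanged" without echoing
        "Connection: close\r\n"   # so we can read the reply until EOF
        f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
        f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + req_hdr + res_hdr + chunked


def parse_icap_response(raw: bytes) -> dict:
    """Reduce a raw ICAP reply to the three facts that matter here.

    204 = content looked at and passed unmodified.
    200 = content replaced; squidclamav's replacement is a redirect to the
          warning page, so the encapsulated HTTP status and Location are kept."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.decode("iso-8859-1").split("\r\n")
    icap_status = int(lines[0].split()[1])
    result = {"icap_status": icap_status, "http_status": None, "location": None}
    if icap_status == 200 and rest:
        http_head = rest.split(CRLF + CRLF, 1)[0].decode("iso-8859-1")
        http_lines = http_head.split("\r\n")
        result["http_status"] = int(http_lines[0].split()[1])
        for line in http_lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "location":
                result["location"] = value.strip()
    return result


def verdict(parsed: dict) -> str:
    """Human-readable reading of a parsed reply."""
    if parsed["icap_status"] == 204:
        return "PASSED: c-icap returned 204, content not flagged"
    if parsed["icap_status"] == 200 and parsed["location"]:
        return f"BLOCKED: redirect to {parsed['location']}"
    if parsed["icap_status"] == 200:
        return "200 without redirect: content echoed or rewritten, inspect the body"
    return f"UNEXPECTED ICAP status {parsed['icap_status']}"


def scan(body: bytes, timeout: float = 10.0) -> dict:
    """Send one RESPMOD request to c-icap and parse the reply (needs the daemon)."""
    with socket.create_connection((ICAP_HOST, ICAP_PORT), timeout=timeout) as sock:
        sock.sendall(build_respmod(body))
        raw = b""
        while chunk := sock.recv(4096):
            raw += chunk
    return parse_icap_response(raw)


if __name__ == "__main__":
    # Offline demonstration on the constructed replies, then a live probe if asked.
    print("clean sample:", verdict(parse_icap_response(SAMPLE_CLEAN_REPLY)))
    print("block sample:", verdict(parse_icap_response(SAMPLE_BLOCK_REPLY)))
    if "--live" in sys.argv:
        print("live EICAR probe:", verdict(scan(EICAR)))
```

Run it with `--live` from a shell on the firewall (or anywhere that can reach port 1344, which on pfSense normally means the box itself). Because the request goes straight to c-icap, Squid's cache, the transparent-proxy rules and the browser are all out of the picture; if this probe comes back BLOCKED while a browser download still succeeds, the fault is on the Squid side, which is exactly the situation the cache-clearing steps later in this thread address.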



  • Not sure why we need a FW rule; it used to work before without it?

    Tried as was suggested by @mtarbox https://www.ceos3c.com/2017/06/23/install-squid-clamav-pfsense-2-3-3/ and still no love

    ??!!



  • If I were to guess I'd say that Transparent Proxy Settings stopped working roughly at the time of upgrading to 2.4.1



  • I don't get the response page but it is blocked and I don't use a firewall rule.

    I have squid setup with mitm and transparent.

    When I check the real time tab the (clamd table) shows the eicar file is found instream
    and also the C-ICAP server is showing that it generated a response page even though
    none appeared.

    I had just assumed it was a conflict between one of the other packages I have installed.



  • @Impatient:

    I don't get the response page but it is blocked and I don't use a firewall rule.

    I have squid setup with mitm .

    When I check the real time tab the (clamd table) shows the eicar file is found instream
    and also the C-ICAP server is showing that it generated a response page even though
    none appeared.

    I had just assumed it was a conflict between one of the other packages I have installed.

    Just updated squid to 4.42_1 and I am now getting the response page with http and https.



  • Not sure if it's been posted before.

    found on Github. https://github.com/darold/squidclamav/issues/42

    Hi Yuri,

    Sorry for the response delay. I have pfsense 2.4.1 running and the virus test files are well detected.

    So to clear your cache, proceed as follows:

    1. Stop Squid service: on the "Package / Proxy Server: General Settings / General" interface uncheck "Enable Squid Proxy" checkbox and save the configuration. This will stop the service.
    2. Execute command: rm -rf /var/squid/cache/*, the cache is destroyed.
    3. Rebuild the cache space using: /usr/local/sbin/squid -z (type enter again to have the prompt). The swap space is rebuilt.
    4. Restart the service from the Web interface by activating the "Enable Squid Proxy" checkbox and save the configuration.

    Works fine, pfsense is a great product.




  • @ekoo:

    not sure if its been posted before.

    found on Github. https://github.com/darold/squidclamav/issues/42

    Hi Yuri,

    Sorry for the response delay. I have pfsense 2.4.1 running and the virus test files are well detected.

    So to clear your cache, proceed as follows:

    1. Stop Squid service: on the "Package / Proxy Server: General Settings / General" interface uncheck "Enable Squid Proxy" checkbox and save the configuration. This will stop the service.
    2. Execute command: rm -rf /var/squid/cache/*, the cache is destroyed.
    3. Rebuild the cache space using: /usr/local/sbin/squid -z (type enter again to have the prompt). The swap space is rebuilt.
    4. Restart the service from the Web interface by activating the "Enable Squid Proxy" checkbox and save the configuration.

    Works fine, pfsense is a great product.

    The only problem it did not work !!!



  • @chudak:

    The only problem it did not work !!!

    it worked for me… running 2.4.2p1
    clicked on the eicar links multiple times.......




  • @ekoo:

    @chudak:

    The only problem it did not work !!!

    it worked for me… running 2.4.2p1
    clicked on the eicar links multiple times.......

    Interesting, what did you do?  and it did not work before 2.4.2p1 ?

    Thx



  • @chudak:

    Interesting, what did you do?  and it did not work before 2.4.2p1 ?

    Thx

    I did exactly those 4 steps… all through the "Command Prompt" webGUI page.

    I originally was on 2.3.4p-something........ upgrade to 2.4.2 broke everything, so I had to fresh install, and restore the XML file.

    Once the backup file was restored, I could download all the HTTP EICAR files no problem.

    Then I followed those 4 steps, and I get the virus redirect page. (could not download the EICAR files)

    http://www.eicar.org/85-0-download.html



  • @ekoo:

    @chudak:

    Interesting, what did you do?  and it did not work before 2.4.2p1 ?

    Thx

    I did exactly those 4 steps… all through the "Command Prompt" webGUI page.

    I originally was on 2.3.4p-something........ upgrade to 2.4.2 broke everything, so I had to fresh install, and restore the XML file.

    Once the backup file was restored, I could download all the HTTP EICAR files no problem.

    Then I followed those 4 steps, and I get the virus redirect page. (could not download the EICAR files)

    http://www.eicar.org/85-0-download.html

    Oops you are right, works for me too now!!!

    So seems like 2.4.2-RELEASE-p1 fixed it (and last time I tried on previous version).

    Thanks :)



  • I'm now on pfSense:
    2.4.2-RELEASE-p1
    FreeBSD 11.1-RELEASE-p6

    Using a Mac mini and MacBook Pro both using Firefox to test the EICAR HTTP files, I completed the 4 steps, twice, and I can still download the HTTP files.  I haven't configured for HTTPS yet.

    Another interesting factoid…Using Debian 9 Stretch Linux with Firefox installed, I couldn't download the HTTP files but I still didn't receive the red colored virus message.

