Squid ClamAV antivirus not working properly
Hi, I've recently installed my pfsense firewall (2.4.4-RELEASE-p1) with the Squid Proxy Server and Squidguard Proxy Filter plugins. My cache seems to be working fine, I see hits/misses/etc. and also HTTP and HTTPS with Squidguard works fine. I can block categories for both HTTP and HTTPS sites so SSL MITM is working fine.
I followed the steps on this page, the only difference is I'm using a transparent proxy:
When I tried downloading the Eicar test file (both HTTP and HTTPS) from https://www.eicar.org/?page_id=3950 I'm getting an error page, see attachment. I'm not getting the ClamAV page and also I'm not getting any logs in the C-ICAP Virus Table, see attachment.
When I disable the antivirus I can download the HTTP and HTTPS files, so ClamAV is doing something by showing the error page, but not what I'm expecting. Does anyone have a solution?
You can see by the C-ICAP Server Table log that the response page was called.
What other packages do you have installed?
I have installed Lightsquid, Squid and Squidguard, nothing else. I do have a cluster setup with CARP but I don't see how this should affect this behaviour.
I do see the response page being called, also by the URL when I try downloading the testfile which tries to redirect to squid_clwarn.php
You might try disabling squid-guard, rebooting the firewall and checking to see if the clam block page shows correctly.
If it doesn't it could be the same issue that showed up a year or so ago in the squid package.
Sorry for the late reply. I've completely removed squidguard and rebooted the firewall, but I got the same response. I've tried with Google Chrome as well and got an NXDOMAIN error (see attached screenshot). Is the "localdomain" configuration causing this problem, and is a valid domain required?
Or what issue are you referring to a year ago in the Squid package?
Download the test file while checking the clamd table log to see if it is caught instream.
It is being caught instream:
That indicates clamav is detecting the test file but isn't logging it properly.
I checked my setup and receive the same, Found instream with no default block page and it is not logged in either the C-ICAP Virus Table or the dashboard widget.
Perhaps someone else will check on this that has more knowledge.