Squid ClamAV antivirus not working properly



  • Hi, I've recently installed my pfsense firewall (2.4.4-RELEASE-p1) with the Squid Proxy Server and Squidguard Proxy Filter plugins. My cache seems to be working fine, I see hits/misses/etc. and also HTTP and HTTPS with Squidguard works fine. I can block categories for both HTTP and HTTPS sites so SSL MITM is working fine.

    I followed the steps on this page, the only difference is I'm using a transparent proxy:
    https://www.ceos3c.com/pfsense/install-squid-clamav-pfsense-2-3-3/

    When I tried downloading the Eicar test file (both HTTP and HTTPS) from https://www.eicar.org/?page_id=3950 I'm getting an error page, see attachment. I'm not getting the ClamAV page and also I'm not getting any logs in the C-ICAP Virus Table, see attachment.

    When I disable the antivirus I can download the HTTP and HTTPS files, so ClamAV is doing something by showing the error page, but not what I'm expecting. Does anyone have a solution?

    [attachment: Capture1.PNG]
    [attachment: Capture2.PNG]



  • You can see by the C-ICAP Server Table log that the response page was called.
    What other packages do you have installed?



  • I have installed Lightsquid, Squid and Squidguard, nothing else. I do have a cluster setup with CARP but I don't see how this should affect this behaviour.

    I do see the response page being called, also by the URL when I try downloading the testfile which tries to redirect to squid_clwarn.php



    You might try disabling squid-guard and rebooting the firewall, then check to see if the clam block page shows correctly.
    If it doesn't it could be the same issue that showed up a year or so ago in the squid package.



    Sorry for the late reply. I've completely removed squidguard and rebooted the firewall, but I got the same response. I've tried with Google Chrome as well and got a NXDOMAIN error (see attached screenshot). Is the "localdomain" configuration causing this problem, and is a valid domain required?

    Or what issue are you referring to a year ago in the Squid package?

    [attachment: Capture4.PNG]



  • Download the test file while checking the clamd table log to see if it is caught instream.
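One way to do the "is it caught instream" check without Squid in the path is to hand the EICAR string straight to c-icap over ICAP and read what the scanner answers. This is an added example, not code from the thread or from the pfSense squid/squidclamav packages. It assumes c-icap is listening on 127.0.0.1:1344 and that the ClamAV service is registered under the name `squidclamav`, and it assumes the service reports a hit with an `X-Infection-Found` or `X-Virus-ID` ICAP header; all three are assumptions you should adjust to your box. A 204 means the body was passed through unscathed, a 200 with an infection header means ClamAV caught it and substituted a response. If you get the 200 here but still see the generic error page through the proxy, the scanner is working and the problem lies in how Squid renders the block page (for example the redirect to squid_clwarn.php on an unresolvable hostname).

```python
"""Send the EICAR test string to c-icap as an ICAP RESPMOD request and classify the reply.

Added example (not from the forum thread or the pfSense packages).
Assumptions: c-icap on 127.0.0.1:1344, service name 'squidclamav', and a
block reported via the X-Infection-Found / X-Virus-ID ICAP headers.
"""
import socket

# Public EICAR test string, 68 bytes, harmless by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed sample of what a blocking ICAP reply looks like (not captured from a real server).
SAMPLE_BLOCK_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Server: C-ICAP/0.5\r\n"
    b"X-Infection-Found: Type=0; Resolution=2; Threat=Eicar-Test-Signature;\r\n"
    b"X-Virus-ID: Eicar-Test-Signature\r\n"
    b"Encapsulated: res-hdr=0, res-body=41\r\n"
    b"\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n0\r\n\r\n"
)


def build_respmod(payload, host="127.0.0.1", port=1344, service="squidclamav",
                  url="http://example.test/eicar.com"):
    """Build a RESPMOD request that encapsulates an HTTP 200 response carrying payload."""
    req_hdr = f"GET {url} HTTP/1.1\r\nHost: example.test\r\n\r\n".encode()
    res_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(payload)}\r\n\r\n").encode()
    # ICAP bodies are chunked: hex length, CRLF, data, CRLF, then a zero-length chunk.
    body = f"{len(payload):x}\r\n".encode() + payload + b"\r\n0\r\n\r\n"
    icap_hdr = (f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                f"Allow: 204\r\n"            # tell the server a 204 'unmodified' reply is acceptable
                f"Connection: close\r\n"     # so we can read until EOF
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + body


def parse_icap_response(raw):
    """Return the ICAP status code and lower-cased ICAP headers; the encapsulated body is left alone."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _version, code, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return {"status": int(code), "headers": headers}


def classify(parsed):
    """Interpret the reply the way a proxy would."""
    if parsed["status"] == 204:
        return "clean (204 No Content: scanner passed the body through unmodified)"
    infection = parsed["headers"].get("x-infection-found") or parsed["headers"].get("x-virus-id")
    if parsed["status"] == 200 and infection:
        return f"blocked: {infection}"
    if parsed["status"] == 200:
        return "modified: 200 without an infection header; inspect the returned body"
    return f"ICAP error {parsed['status']}"


def scan_via_icap(payload=EICAR, host="127.0.0.1", port=1344, service="squidclamav", timeout=10):
    """Submit payload to the ICAP service and return the classification string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_respmod(payload, host, port, service))
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return classify(parse_icap_response(b"".join(chunks)))


if __name__ == "__main__":
    # Offline sanity check against the constructed sample, then the live probe.
    print("sample reply ->", classify(parse_icap_response(SAMPLE_BLOCK_RESPONSE)))
    print("live c-icap  ->", scan_via_icap())
```

Run it on the firewall itself (or from a host allowed to reach the ICAP port) while tailing the clamd and c-icap logs; the ICAP answer and the log entry should agree on whether `Eicar-Test-Signature` fired.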