Squid ClamAV antivirus not working properly

  • Hi, I've recently installed my pfsense firewall (2.4.4-RELEASE-p1) with the Squid Proxy Server and Squidguard Proxy Filter plugins. My cache seems to be working fine, I see hits/misses/etc. and also HTTP and HTTPS with Squidguard works fine. I can block categories for both HTTP and HTTPS sites so SSL MITM is working fine.

    I followed the steps on this page, the only difference is I'm using a transparent proxy:

    When I tried downloading the Eicar test file (both HTTP and HTTPS) from https://www.eicar.org/?page_id=3950 I'm getting an error page, see attachment. I'm not getting the ClamAV page and also I'm not getting any logs in the C-ICAP Virus Table, see attachment.

    When I disable the antivirus I can download the HTTP and HTTPS files, so ClamAV is doing something by showing the error page, but not what I'm expecting. Does anyone have a solution?


  • You can see by the C-ICAP Server Table log that the response page was called.
    What other packages do you have installed?

  • I have installed Lightsquid, Squid and Squidguard, nothing else. I do have a cluster setup with CARP but I don't see how this should affect this behaviour.

    I do see the response page being called, also by the URL when I try downloading the testfile which tries to redirect to squid_clwarn.php

  • You might try disabling squid-guard and reboot firewall and check to see if the clam block page shows correctly.
    If it doesn't it could be the same issue that showed up a year or so ago in the squid package.

  • Sorry for the late reply. I've completely removed squidguard and rebooted the firewall, but I got the same response. I've tried with Google Chrome as well and got a NXDOMAIN error (see attached screenshot). Is the "localdomain" configuration causing this problem and is a valid domain required?

    Or what issue are you referring to a year ago in the Squid package?


  • Download the test file while checking the clamd table log to see if it is caught instream.

  • It is being caught instream:


  • That indicates clamav is detecting the test file but isn't logging it properly.

    I checked my setup and receive the same, Found instream with no default block page and it is not logged in either the C-ICAP Virus Table or the dashboard widget.

    Perhaps someone else will check on this that has more knowledge.
