Squid ClamAV antivirus not working properly
-
Sorry for the late reply. I've completely removed squidguard and rebooted the firewall, but I got the same response. I've tried with Google Chrome as well and got an NXDOMAIN error (see attached screenshot). Is the "localdomain" configuration causing this problem and is a valid domain required?
Or what issue are you referring to a year ago in the Squid package?
-
Download the test file while checking the clamd table log to see if it is caught instream.
-
It is being caught instream:
-
That indicates ClamAV is detecting the test file but isn't logging it properly.
I checked my setup and receive the same: Found instream with no default block page, and it is not logged in either the C-ICAP Virus Table or the dashboard widget.
Perhaps someone else who has more knowledge will check on this.
-
@impatient Hello, I am having the same issue currently. I have the proxy running with HTTPS and HTTP in transparent mode with splice all. It works; certificates are installed on all devices. ClamAV for me only works with HTTP downloads, even when HTTPS SSL intercept is running. The test file only gets blocked on HTTP.
Did you guys ever find a resolution for this?
https://forum.netgate.com/topic/168812/squid-c-icap-virus-table-malware-virus-test-file-in-http-caught?_=1641529034653
-
I think the point comes from the transparent proxy and MITM mode. If it's set on "Splice All" the antivirus will not block viruses but only log them.
-
I have it set to custom and it will now catch both http and https test viruses. I tested and researched some different settings. The certificate had to be created with Squid and used that way however.
(IMAGE: Custom used)
(Image Advanced options)
Take notice: on the Amazon Fire and Xbox I have the firewall set to use splice all for those static LAN IP addresses. The other devices that can use the certificates use peek step1 all, splice only for my nosslintercept list of IP addresses and a file I created with URLs I do not want SSL intercepted.
(Image: Custom made URL splice file)
Now ClamAV catches both HTTPS and HTTP test virus
(IMAGE: HTTPS Virus test successful)
Squid blocks them; notice it states HTTPS now in the error.
Reference how to install the Squid certificate: I had to generate it in the command line and load it into pfSense.
This works better for version 22.05 when you load the certificate.
Check it out Ref: https://forum.it-monkey.net/index.php?topic=23.0
This site had the best walk through with setting this up outside of the advanced options.
-
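Added example, not part of any post in this thread and not the poster's actual configuration: the peek/splice/bump arrangement described above, written as squid.conf directives. The ACL names, client addresses and file path are assumptions. Spliced connections pass through without decryption, so the ICAP/ClamAV service can only inspect HTTPS traffic that reaches the bump rule.

```conf
# --- "Splice All" equivalent: every TLS connection is tunnelled untouched ---
# The proxy sees only the server name, never the response body, so the
# antivirus has nothing to scan on HTTPS.
#   acl step1 at_step SslBump1
#   ssl_bump peek step1
#   ssl_bump splice all

# --- Custom mode: bump by default, splice only the listed exceptions ---
acl step1 at_step SslBump1

# Constructed addresses: static LAN clients that cannot install the
# Squid CA certificate (for example a console or a streaming stick).
acl nosslintercept src 192.168.1.50 192.168.1.51

# Hypothetical file, one server name per line, for sites that must not
# be intercepted (for example applications that pin certificates).
acl splice_sites ssl::server_name "/usr/local/etc/squid/splice_sites.txt"

# Step 1: read the TLS ClientHello to learn the requested server name.
ssl_bump peek step1

# Exceptions first: these connections are tunnelled and are NOT scanned.
ssl_bump splice nosslintercept
ssl_bump splice splice_sites

# Everything else is decrypted with the Squid-generated CA certificate,
# which makes the HTTPS response body visible to the ICAP antivirus.
ssl_bump bump all
```

Rules are evaluated top to bottom, so the splice exceptions must come before `ssl_bump bump all`; every client that is bumped has to trust the CA certificate generated for Squid.
-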
My problem with this is the need of a whitelist. I currently don't know how to have something like "whitelist all except blacklist and pages scanned with a virus". I don't use squidguard but pfBlockerNG-devel, which is in my opinion better.
It should be a regex like ^.* minus blacklist but I don't see anything on how to do this properly. I have a thread about this: https://forum.netgate.com/topic/175557/squid-clamav-mitm-custom-setting?_=1667128733894
-