Netgate Discussion Forum

Icap server not scanning eicar files correctly

  • fran.rukavina
    last edited by Dec 16, 2022, 5:11 PM

    Hi all,

    I have an issue with icap scanning an eicar file and not flagging it as a virus. The infrastructure is this. I have a WAF that sends a request to icap to scan a file when I upload it. In the WAF I have configured it to send requests to icap://<SERVER_IP>:1344/squid_clamav. Icap is installed on pfSense community 2.6; I've installed the squid package from the Package Manager UI and I pretty much use the default configuration.

    In the squid web UI, I have enabled Squid Antivirus check using clamav, and in the squid.conf I can see that icap is enabled: [screenshot: Bildschirmfoto 2022-12-16 um 17.37.47.png]

    In the c-icap.conf I've set up debuglevel : 3 and in the logs I only get things like the following:

    [screenshots: Bildschirmfoto 2022-12-16 um 17.40.33.png, Bildschirmfoto 2022-12-16 um 17.41.36.png]

    I have tried many different configs and solutions that I found in the forums here, however, nothing I do will produce the eicar test file being flagged as a virus and I can upload that file without it being blocked.

    The server running pfSense is running on FreeBSD 12. Here are also all configs related to icap and clamav:

    squidclamav.txt
    freshclam.txt
    clamd.txt
    c-icap.txt
    c-icap_magic.txt

    Am I missing something? Based on the previous discussions, icap should be able to detect the eicar test file out of the box. Is this something on the WAF end, or a misconfig on the icap side? Any info/help is appreciated.

    Thanks in advance

    • michmoor LAYER 8 Rebel Alliance @fran.rukavina
      last edited by Dec 16, 2022, 6:05 PM

      @fran-rukavina Is the EICAR test using TLS/SSL, or are you using the plain text tests?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • fran.rukavina @michmoor
        last edited by Dec 16, 2022, 6:15 PM

        @michmoor I'm uploading a plain text file; I've just created one with the eicar string. The thing is that once it's uploaded and on my exchange server, if I try to download the file, I will get the error message from pfSense that it's a virus, but by that point it's scanned by another service. I'm just using pfSense to check the upload.

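An added example, not part of the thread and not code from pfSense, c-icap or squidclamav: a small ICAP client following RFC 3507 that presents the same file once as REQMOD (the way an HTTP upload is normally handed to ICAP) and once as RESPMOD (the way a download is), so the server's answer to each can be compared without the WAF in the path. The `probe.invalid` host, the `/upload` and `/file` paths and the two threat-header names are assumptions.

```python
import socket

def build_icap(method, host, service, body, port=1344):
    """Build an ICAP REQMOD (upload) or RESPMOD (download) message, RFC 3507."""
    if not body:
        raise ValueError("empty body: nothing to scan")
    if method == "REQMOD":     # file rides in an HTTP request body (upload)
        http = [b"POST /upload HTTP/1.1\r\nHost: probe.invalid\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body)]
        names = ["req-hdr", "req-body"]
    elif method == "RESPMOD":  # file rides in an HTTP response body (download)
        http = [b"GET /file HTTP/1.1\r\nHost: probe.invalid\r\n\r\n",
                b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body)]
        names = ["req-hdr", "res-hdr", "res-body"]
    else:
        raise ValueError("method must be REQMOD or RESPMOD")
    # Encapsulated lists the byte offset at which each embedded section starts.
    offsets = [sum(len(p) for p in http[:i]) for i in range(len(http) + 1)]
    encaps = ", ".join(f"{n}={o}" for n, o in zip(names, offsets))
    head = (f"{method} icap://{host}:{port}/{service} ICAP/1.0\r\nHost: {host}\r\n"
            f"Allow: 204\r\nEncapsulated: {encaps}\r\n\r\n").encode()
    return head + b"".join(http) + b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)

def classify(raw):
    """Map a raw ICAP reply to (status, verdict)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    first = lines[0].split(" ", 2)
    if len(first) < 2 or not first[0].startswith("ICAP/") or not first[1].isdigit():
        return None, "not an ICAP reply"
    status = int(first[1])
    if status != 200:
        return status, "unmodified (passed through)" if status == 204 else "ICAP error"
    hdrs = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    # Assumption: the service names the threat in one of these extension headers.
    threat = hdrs.get("x-infection-found") or hdrs.get("x-virus-id")
    return status, "modified: " + (threat or rest.split(b"\r\n", 1)[0].decode("latin-1"))

def probe(method, host, service, body, port=1344, timeout=10):
    """Send one message to a live ICAP server and classify the reply."""
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_icap(method, host, service, body, port))
        try:  # a 200 carries HTTP headers after the ICAP ones; other replies do not
            while (raw.count(b"\r\n\r\n") < 1 + raw.startswith(b"ICAP/1.0 200")
                   and (chunk := s.recv(4096))):
                raw += chunk
        except socket.timeout:
            pass
    return classify(raw)
```

Call `probe("REQMOD", "<SERVER_IP>", "squid_clamav", data)` and then `probe("RESPMOD", ...)` with the test file's bytes as `data`. Differing verdicts for the same file point at how the service handles that ICAP method rather than at the signature database.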
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.