Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Icap server not scanning eicar files correctly

    Scheduled Pinned Locked Moved pfSense Packages
    3 Posts 2 Posters 1.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      fran.rukavina
      last edited by

      Hi all,

      I have an issue with icap scanning an eicar file and not flagging it as a virus. The infrastructure is this. I have a WAF that sends a request to icap to scan a file when I upload it. In the WAF i have configured to send requests to icap://<SERVER_IP>:1344/squid_clamav . Icap is installed on Pfsense community 2.6, I've installed the squid package from the Package Manager UI and I pretty much use the default configuration.

      In the squid web UI, I have enabled Squid Antivirus check using clamav, and in the squid.conf I can see that icap is enabled: Bildschirmfoto 2022-12-16 um 17.37.47.png

      In the c-icap.conf I've setup debuglevel : 3 and in the logs I only get things like the following :

      Bildschirmfoto 2022-12-16 um 17.40.33.png Bildschirmfoto 2022-12-16 um 17.41.36.png

      I have tried many different configs and solutions that I found in the forums here, however, nothing I do will produce the eicar test file being flagged as a virus and I can upload that file without it being blocked.

      The server running Pfsense is running on FreeBSD 12. Here are also all configs related to icap and clamav:

      squidclamav.txt
      freshclam.txt
      clamd.txt
      c-icap.txt
      c-icap_magic.txt

      Am I missing something? Based on the previous discussions, icap should be able to detect eicar test file out of the box, is this something on the WAF end, or a missconfig on the icap side? Any info/help is appreciated.

      Thanks in advance

      M 1 Reply Last reply Reply Quote 0
      • M
        michmoor LAYER 8 Rebel Alliance @fran.rukavina
        last edited by

        @fran-rukavina Is the EICAR test using TLS/SSL or are you using the plain text tests.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        F 1 Reply Last reply Reply Quote 0
        • F
          fran.rukavina @michmoor
          last edited by

          @michmoor I'm uploading a plain text file, I've just created one with the eicar string. The thing is that once its uploaded and on my exchange server, if I try to download the file, I will get the error message from pfsense that it's a virus, but by that point it's scanned by another service. I'm just using pfsense to check the upload.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.