Squid3-dev v3.3.10 pkg 2.2.6,SSL MiM + Diladele = c-icap no file scanning



  • Hi, I have installed pfSense v2.1.4 i386 with these packages:
    squid3-dev v3.3.10 pkg 2.2.6, with a working SSL man-in-the-middle setup for filtering HTTPS
    snort 2.9.6.2 pkg v3.1.1
    pfblocker 1.0.2

    Everything works well (including the EICAR test http://www.eicar.org/85-0-Download.html — file scanning with c-icap) as long as Diladele is not installed ( http://docs.diladele.com/administrator_guide_3_4/installation_and_removal/install_on_freebsd.html).

    When I install Diladele ( http://docs.diladele.com/administrator_guide_3_4/installation_and_removal/install_on_freebsd.html and add 'always_direct allow all; ssl_bump server-first all' to the squid config), I can filter HTTPS and HTTP, but scanning downloaded files (for example exe, zip, com, txt) with the virus scanner no longer works.

    Can you please point me to a solution?

    Thx,

    Marian L.



  • OK, today I did some research and found how to chain Diladele and c-icap for filtering HTTPS and scanning downloaded files. I changed /usr/pbi/squid-i386/etc/squid/squid.conf (the problem is that I don't know yet how to make the changes permanent):

    Changed in squid.conf (I also changed the listening port in the antivirus settings in the pfSense UI to 1345):

    
    # NOTE(review): the four icap_service lines below register the AV scanner
    # (service_req/service_resp -> squidclamav on 1345) and Diladele
    # (qlproxy1/qlproxy2 on 1344) as four independent services. At each
    # vectoring point Squid walks the adaptation_access rules in file order and
    # uses only the first service whose "allow" rule matches; "qlproxy1 allow
    # all" and "qlproxy2 allow all" come first, so the service_req/service_resp
    # rules after them are never reached and no response is handed to the
    # AV scan. Running both services on the same transaction needs an
    # adaptation_service_chain that lists both.
    # Custom options before auth
    always_direct allow all
    ssl_bump server-first all
    icap_enable on
    icap_preview_enable on
    icap_preview_size 4096
    icap_persistent_connections on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_header X-Client-Username
    # bypass=0 marks each service as essential: if c-icap or qlproxy is down
    # the client gets an error page instead of an unscanned/unfiltered
    # response (fail-closed; keep it that way for the AV service).
    icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1345/squidclamav
    icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1345/squidclamav
    icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
    icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
    # Diladele exclusion lists, read from files whose contents are not shown here.
    acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
    acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
    adaptation_access qlproxy1 deny qlproxy_icap_edomains
    adaptation_access qlproxy2 deny qlproxy_icap_edomains
    adaptation_access qlproxy2 deny qlproxy_icap_etypes
    # First matching "allow" per vectoring point selects the service: these
    # two rules shadow the service_req/service_resp rules that follow.
    adaptation_access qlproxy1 allow all
    adaptation_access qlproxy2 allow all
    adaptation_access service_req allow all
    adaptation_access service_resp allow all
    
    # Presumably pfSense's own generated ICAP block, disabled here in favour
    # of the settings above (note the different preview size and header name).
    #icap_enable on
    #icap_send_client_ip on
    #icap_send_client_username on 
    #icap_client_username_encode off
    #icap_client_username_header X-Authenticated-User
    #icap_preview_enable on
    #icap_preview_size 1024
    
    # Always allow access to whitelist domains
    http_access allow whitelist
    # Block URLs carrying the sgr=ACCESSDENIED marker (presumably the
    # redirector's deny-page marker; confirm against the redirector config).
    acl sglog url_regex -i sgr=ACCESSDENIED
    http_access deny sglog
    # Setup allowed acls
    # Allow local network(s) on interface(s)
    http_access allow allowed_subnets
    http_access allow localnet
    # Default block all to be sure
    http_access deny allsrc
    
    

    squid.conf after:

    
    # This file is automatically generated by pfSense
    # Do not edit manually !
    
    # Explicit proxy on the LAN address. ssl-bump lets Squid intercept CONNECT
    # tunnels using certificates minted on the fly from serverkey.pem (clients
    # must trust that CA for this to work without browser warnings).
    http_port 192.168.20.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/pbi/squid-i386/etc/squid/serverkey.pem capath=/usr/pbi/squid-i386/share/certs/
    
    icp_port 0
    dns_v4_first on
    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_default_language sk
    icon_directory /usr/pbi/squid-i386/etc/squid/icons
    visible_hostname localhost
    cache_mgr xxxxx@xxx.com
    access_log /var/squid/logs/access.log
    cache_log /var/squid/logs/cache.log
    cache_store_log none
    netdb_filename /var/squid/logs/netdb.state
    pinger_enable on
    pinger_program /usr/pbi/squid-i386/libexec/squid/pinger
    # ssl_crtd mints the per-site certificates used for bumping: 2048-bit keys,
    # on-disk certificate DB capped at 4MB, 5 helper processes.
    sslcrtd_program /usr/pbi/squid-i386/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
    sslcrtd_children 5
    # CA bundle used to validate the real origin server certificates.
    sslproxy_capath /usr/pbi/squid-i386/share/certs/
    
    logfile_rotate 90
    debug_options rotate=90
    shutdown_lifetime 3 seconds
    # Allow local network(s) on interface(s)
    acl localnet src  192.168.20.0/24
    httpd_suppress_version_string on
    uri_whitespace strip
    
    # Break HTTP standard for flash videos. Keep them in cache even if asked not to.
    refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
    
    # Let the clients favorite video site through with full caching
    acl youtube dstdomain .youtube.com
    cache allow youtube
    
    # Windows Update refresh_pattern
    range_offset_limit -1
    refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
    refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
    refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
    
    # Symantec refresh_pattern
    # (range_offset_limit is repeated from the block above; one occurrence is enough)
    range_offset_limit -1
    refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
    refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
    
    cache_mem 256 MB
    maximum_object_size_in_memory 512 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir aufs /var/squid/cache 100 32 256
    minimum_object_size 0 KB
    maximum_object_size 10485760 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache allow all
    
    # Add any of your own refresh_pattern entries above these.
    refresh_pattern ^ftp:    1440  20%  10080
    refresh_pattern ^gopher:  1440  0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
    refresh_pattern .    0  20%  4320
    
    # No redirector configured
    
    #Remote proxies
    
    # Setup some default acls
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    # acl localhost src 127.0.0.1/32
    acl allsrc src all
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901  3128 3127 1025-65535 
    acl sslports port 443 563  
    
    # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
    #acl manager proto cache_object
    
    acl purge method PURGE
    acl connect method CONNECT
    
    # Define protocols used for redirects
    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    acl allowed_subnets src 192.168.20.0/24
    acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
    http_access allow manager localhost
    
    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    # CONNECT is only accepted towards sslports (443/563), so ssl_bump can only
    # ever see tunnels to those ports.
    http_access deny CONNECT !sslports
    
    # Always allow localhost connections
    # From 3.2 further configuration cleanups have been done to make things easier and safer. 
    # The manager, localhost, and to_localhost ACL definitions are now built-in.
    # http_access allow localhost
    
    quick_abort_min -1 KB
    quick_abort_max 0 KB
    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc
    
    # Reverse Proxy settings
    
    # ssl_bump rules are first-match: whitelisted domains are tunnelled
    # untouched here, everything else is bumped by "server-first all" below.
    # Whitelisted HTTPS traffic therefore also bypasses both ICAP services.
    always_direct allow whitelist
    ssl_bump none whitelist
    
    # NOTE(review): the four icap_service lines below register the AV scanner
    # (service_req/service_resp -> squidclamav on 1345) and Diladele
    # (qlproxy1/qlproxy2 on 1344) as four independent services. At each
    # vectoring point Squid walks the adaptation_access rules in file order and
    # uses only the first service whose "allow" rule matches; "qlproxy1 allow
    # all" and "qlproxy2 allow all" come first, so the service_req/service_resp
    # rules after them are never reached and no response is handed to the
    # AV scan. Running both services on the same transaction needs an
    # adaptation_service_chain that lists both.
    # Custom options before auth
    always_direct allow all
    ssl_bump server-first all
    icap_enable on
    icap_preview_enable on
    icap_preview_size 4096
    icap_persistent_connections on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_header X-Client-Username
    # bypass=0 marks each service as essential: if c-icap or qlproxy is down
    # the client gets an error page instead of an unscanned/unfiltered
    # response (fail-closed; keep it that way for the AV service).
    icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1345/squidclamav
    icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1345/squidclamav
    icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
    icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
    # Diladele exclusion lists, read from files whose contents are not shown here.
    acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
    acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
    adaptation_access qlproxy1 deny qlproxy_icap_edomains
    adaptation_access qlproxy2 deny qlproxy_icap_edomains
    adaptation_access qlproxy2 deny qlproxy_icap_etypes
    # First matching "allow" per vectoring point selects the service: these
    # two rules shadow the service_req/service_resp rules that follow.
    adaptation_access qlproxy1 allow all
    adaptation_access qlproxy2 allow all
    adaptation_access service_req allow all
    adaptation_access service_resp allow all
    
    # Presumably pfSense's own generated ICAP block, disabled here in favour
    # of the settings above (note the different preview size and header name).
    #icap_enable on
    #icap_send_client_ip on
    #icap_send_client_username on 
    #icap_client_username_encode off
    #icap_client_username_header X-Authenticated-User
    #icap_preview_enable on
    #icap_preview_size 1024
    
    # Always allow access to whitelist domains
    http_access allow whitelist
    # Block URLs carrying the sgr=ACCESSDENIED marker (presumably the
    # redirector's deny-page marker; confirm against the redirector config).
    acl sglog url_regex -i sgr=ACCESSDENIED
    http_access deny sglog
    # Setup allowed acls
    # Allow local network(s) on interface(s)
    http_access allow allowed_subnets
    http_access allow localnet
    # Default block all to be sure
    http_access deny allsrc
    
    

    and some settings in clamd.conf (enabled archive and executable scanning). I don't know whether this helps with scanning files, but I made the change….

    
    ##
    ## Example config file for the Clam AV daemon
    ## Please read the clamd.conf(5) manual before editing this file.
    ##
    # NOTE(review): this is the stock example file with a handful of directives
    # uncommented or changed (logging, LocalSocket, MaxThreads, DetectPUA,
    # ScanPartialMessages, ArchiveBlockEncrypted, the Limits section). Whether a
    # download is scanned at all is decided by Squid handing the response to
    # squidclamav; the options here only shape what clamd does once a file
    # reaches it.
    
    # Comment or remove the line below.
    #Example
    
    # Uncomment this option to enable logging.
    # LogFile must be writable for the user running daemon.
    # A full path is required.
    # Default: disabled
    LogFile /var/log/clamav/clamd.log
    
    # By default the log file is locked for writing - the lock protects against
    # running clamd multiple times (if want to run another clamd, please
    # copy the configuration file, change the LogFile variable, and run
    # the daemon with --config-file option).
    # This option disables log file locking.
    # Default: no
    #LogFileUnlock yes
    
    # Maximum size of the log file.
    # Value of 0 disables the limit.
    # You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)
    # and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size
    # in bytes just don't use modifiers. If LogFileMaxSize is enabled, log
    # rotation (the LogRotate option) will always be enabled.
    # Default: 1M
    LogFileMaxSize 2M
    
    # Log time with each message.
    # Default: no
    LogTime yes
    
    # Also log clean files. Useful in debugging but drastically increases the
    # log size.
    # Default: no
    #LogClean yes
    
    # Use system logger (can work together with LogFile).
    # Default: no
    LogSyslog yes
    
    # Specify the type of syslog messages - please refer to 'man syslog'
    # for facility names.
    # Default: LOG_LOCAL6
    #LogFacility LOG_MAIL
    
    # Enable verbose logging.
    # Default: no
    #LogVerbose yes
    
    # Enable log rotation. Always enabled when LogFileMaxSize is enabled.
    # Default: no
    LogRotate yes
    
    # Log additional information about the infected file, such as its
    # size and hash, together with the virus name.
    ExtendedDetectionInfo yes
    
    # This option allows you to save a process identifier of the listening
    # daemon (main thread).
    # Default: disabled
    PidFile /var/run/clamav/clamd.pid
    
    # Optional path to the global temporary directory.
    # Default: system specific (usually /tmp or /var/tmp).
    #TemporaryDirectory /var/tmp
    
    # Path to the database directory.
    # Default: hardcoded (depends on installation options)
    DatabaseDirectory /var/db/clamav
    
    # Only load the official signatures published by the ClamAV project.
    # Default: no
    #OfficialDatabaseOnly no
    
    # The daemon can work in local mode, network mode or both. 
    # Due to security reasons we recommend the local mode.
    
    # Path to a local socket file the daemon will listen on.
    # Default: disabled (must be specified by a user)
    # NOTE(review): local-only mode (TCPSocket stays commented out), which is
    # the recommended choice above. LocalSocketGroup/LocalSocketMode are left
    # at defaults, so per the comments below the socket is world-accessible on
    # the firewall itself; only the account c-icap/squidclamav runs under needs
    # to reach it - confirm that account before tightening.
    LocalSocket /var/run/clamav/clamd.sock
    
    # Sets the group ownership on the unix socket.
    # Default: disabled (the primary group of the user running clamd)
    #LocalSocketGroup virusgroup
    
    # Sets the permissions on the unix socket to the specified mode.
    # Default: disabled (socket is world accessible)
    #LocalSocketMode 660
    
    # Remove stale socket after unclean shutdown.
    # Default: yes
    FixStaleSocket yes
    
    # TCP port address.
    # Default: no
    #TCPSocket 3310
    
    # TCP address.
    # By default we bind to INADDR_ANY, probably not wise.
    # Enable the following to provide some degree of protection
    # from the outside world.
    # Default: no
    #TCPAddr 127.0.0.1
    
    # Maximum length the queue of pending connections may grow to.
    # Default: 200
    #MaxConnectionQueueLength 30
    
    # Clamd uses FTP-like protocol to receive data from remote clients.
    # If you are using clamav-milter to balance load between remote clamd daemons
    # on firewall servers you may need to tune the options below.
    
    # Close the connection when the data size limit is exceeded.
    # The value should match your MTA's limit for a maximum attachment size.
    # Default: 25M
    #StreamMaxLength 10M
    
    # Limit port range.
    # Default: 1024
    #StreamMinPort 30000
    # Default: 2048
    #StreamMaxPort 32000
    
    # Maximum number of threads running at the same time.
    # Default: 10
    MaxThreads 20
    
    # Waiting for data from a client socket will timeout after this time (seconds).
    # Default: 120
    #ReadTimeout 300
    
    # This option specifies the time (in seconds) after which clamd should
    # timeout if a client doesn't provide any initial command after connecting.
    # Default: 5
    #CommandReadTimeout 5
    
    # This option specifies how long to wait (in miliseconds) if the send buffer is full.
    # Keep this value low to prevent clamd hanging
    #
    # Default: 500
    #SendBufTimeout 200
    
    # Maximum number of queued items (including those being processed by MaxThreads threads)
    # It is recommended to have this value at least twice MaxThreads if possible.
    # WARNING: you shouldn't increase this too much to avoid running out  of file descriptors,
    # the following condition should hold:
    # MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)
    #
    # Default: 100
    #MaxQueue 200
    
    # Waiting for a new job will timeout after this time (seconds).
    # Default: 30
    #IdleTimeout 60
    
    # Don't scan files and directories matching regex
    # This directive can be used multiple times
    # Default: scan all
    #ExcludePath ^/proc/
    #ExcludePath ^/sys/
    
    # Maximum depth directories are scanned at.
    # Default: 15
    MaxDirectoryRecursion 15
    
    # Follow directory symlinks.
    # Default: no
    #FollowDirectorySymlinks yes
    
    # Follow regular file symlinks.
    # Default: no
    #FollowFileSymlinks yes
    
    # Scan files and directories on other filesystems.
    # Default: yes
    #CrossFilesystems yes
    
    # Perform a database check.
    # Default: 600 (10 min)
    #SelfCheck 600
    
    # Execute a command when virus is found. In the command string %v will
    # be replaced with the virus name.
    # Default: no
    #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
    
    # Run as another user (clamd must be started by root for this option to work)
    # Default: don't drop privileges
    User clamav
    
    # Initialize supplementary group access (clamd must be started by root).
    # Default: no
    AllowSupplementaryGroups yes
    
    # Stop daemon when libclamav reports out of memory condition.
    #ExitOnOOM yes
    
    # Don't fork into background.
    # Default: no
    #Foreground yes
    
    # Enable debug messages in libclamav.
    # Default: no
    #Debug yes
    
    # Do not remove temporary files (for debug purposes).
    # Default: no
    #LeaveTemporaryFiles yes
    
    # Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject
    # any ALLMATCHSCAN command as invalid.
    # Default: yes
    #AllowAllMatchScan no
    
    # Detect Possibly Unwanted Applications.
    # Default: no
    # NOTE(review): enabled with no Include/ExcludePUA below, so every PUA
    # category is loaded; expect more blocked downloads of adware-class tools
    # than with the default "no".
    DetectPUA yes
    
    # Exclude a specific PUA category. This directive can be used multiple times.
    # See http://www.clamav.net/support/pua for the complete list of PUA
    # categories.
    # Default: Load all categories (if DetectPUA is activated)
    #ExcludePUA NetTool
    #ExcludePUA PWTool
    
    # Only include a specific PUA category. This directive can be used multiple
    # times.
    # Default: Load all categories (if DetectPUA is activated)
    #IncludePUA Spy
    #IncludePUA Scanner
    #IncludePUA RAT
    
    # In some cases (eg. complex malware, exploits in graphic files, and others),
    # ClamAV uses special algorithms to provide accurate detection. This option
    # controls the algorithmic detection.
    # Default: yes
    AlgorithmicDetection yes
    
    ##
    ## Executable files
    ##
    
    # PE stands for Portable Executable - it's an executable file format used
    # in all 32 and 64-bit versions of Windows operating systems. This option allows
    # ClamAV to perform a deeper analysis of executable files and it's also
    # required for decompression of popular executable packers such as UPX, FSG,
    # and Petite. If you turn off this option, the original files will still be
    # scanned, but without additional processing.
    # Default: yes
    ScanPE yes
    
    # Certain PE files contain an authenticode signature. By default, we check
    # the signature chain in the PE file against a database of trusted and
    # revoked certificates if the file being scanned is marked as a virus.
    # If any certificate in the chain validates against any trusted root, but
    # does not match any revoked certificate, the file is marked as whitelisted.
    # If the file does match a revoked certificate, the file is marked as virus.
    # The following setting completely turns off authenticode verification.
    # Default: no
    #DisableCertCheck yes
    
    # Executable and Linking Format is a standard format for UN*X executables.
    # This option allows you to control the scanning of ELF files.
    # If you turn off this option, the original files will still be scanned, but
    # without additional processing.
    # Default: yes
    #ScanELF yes
    
    # With this option clamav will try to detect broken executables (both PE and
    # ELF) and mark them as Broken.Executable.
    # Default: no
    #DetectBrokenExecutables yes
    
    ##
    ## Documents
    ##
    
    # This option enables scanning of OLE2 files, such as Microsoft Office
    # documents and .msi files.
    # If you turn off this option, the original files will still be scanned, but
    # without additional processing.
    # Default: yes
    ScanOLE2 yes
    
    # With this option enabled OLE2 files with VBA macros, which were not
    # detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
    # Default: no
    #OLE2BlockMacros no
    
    # This option enables scanning within PDF files.
    # If you turn off this option, the original files will still be scanned, but
    # without decoding and additional processing.
    # Default: yes
    ScanPDF yes
    
    # This option enables scanning within SWF files.
    # If you turn off this option, the original files will still be scanned, but
    # without decoding and additional processing.
    # Default: yes
    ScanSWF yes
    
    ##
    ## Mail files
    ##
    
    # Enable internal e-mail scanner.
    # If you turn off this option, the original files will still be scanned, but
    # without parsing individual messages/attachments.
    # Default: yes
    ScanMail yes
    
    # Scan RFC1341 messages split over many emails.
    # You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.
    # WARNING: This option may open your system to a DoS attack.
    #	   Never use it on loaded servers.
    # Default: no
    # NOTE(review): enabled despite the warning above. This clamd scans files
    # handed over by a web proxy, not split e-mail messages, so the option is
    # unlikely to add any detection here; leaving it at the default "no" avoids
    # the DoS exposure and the clamav-partial cleanup chore.
    ScanPartialMessages yes
    
    # With this option enabled ClamAV will try to detect phishing attempts by using
    # signatures.
    # Default: yes
    PhishingSignatures yes
    
    # Scan URLs found in mails for phishing attempts using heuristics.
    # Default: yes
    PhishingScanURLs yes
    
    # Always block SSL mismatches in URLs, even if the URL isn't in the database.
    # This can lead to false positives.
    #
    # Default: no
    #PhishingAlwaysBlockSSLMismatch no
    
    # Always block cloaked URLs, even if URL isn't in database.
    # This can lead to false positives.
    #
    # Default: no
    #PhishingAlwaysBlockCloak no
    
    # Allow heuristic match to take precedence.
    # When enabled, if a heuristic scan (such as phishingScan) detects
    # a possible virus/phish it will stop scan immediately. Recommended, saves CPU
    # scan-time.
    # When disabled, virus/phish detected by heuristic scans will be reported only at
    # the end of a scan. If an archive contains both a heuristically detected
    # virus/phish, and a real malware, the real malware will be reported
    #
    # Keep this disabled if you intend to handle "*.Heuristics.*" viruses 
    # differently from "real" malware.
    # If a non-heuristically-detected virus (signature-based) is found first, 
    # the scan is interrupted immediately, regardless of this config option.
    #
    # Default: no
    #HeuristicScanPrecedence yes
    
    ##
    ## Data Loss Prevention (DLP)
    ##
    
    # Enable the DLP module
    # Default: No
    #StructuredDataDetection yes
    
    # This option sets the lowest number of Credit Card numbers found in a file
    # to generate a detect.
    # Default: 3
    #StructuredMinCreditCardCount 5
    
    # This option sets the lowest number of Social Security Numbers found
    # in a file to generate a detect.
    # Default: 3
    #StructuredMinSSNCount 5
    
    # With this option enabled the DLP module will search for valid
    # SSNs formatted as xxx-yy-zzzz
    # Default: yes
    #StructuredSSNFormatNormal yes
    
    # With this option enabled the DLP module will search for valid
    # SSNs formatted as xxxyyzzzz
    # Default: no
    #StructuredSSNFormatStripped yes
    
    ##
    ## HTML
    ##
    
    # Perform HTML normalisation and decryption of MS Script Encoder code.
    # Default: yes
    # If you turn off this option, the original files will still be scanned, but
    # without additional processing.
    ScanHTML yes
    
    ##
    ## Archives
    ##
    
    # ClamAV can scan within archives and compressed files.
    # If you turn off this option, the original files will still be scanned, but
    # without unpacking and additional processing.
    # Default: yes
    ScanArchive yes
    
    # Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).
    # Default: no
    # NOTE(review): clamd cannot look inside a password-protected archive, so
    # with "no" such downloads presumably pass the proxy scan uninspected;
    # "yes" flags them instead. Decide which you want for this network.
    ArchiveBlockEncrypted no
    
    ##
    ## Limits
    ##
    
    # The options below protect your system against Denial of Service attacks
    # using archive bombs.
    
    # This option sets the maximum amount of data to be scanned for each input file.
    # Archives and other containers are recursively extracted and scanned up to this
    # value.
    # Value of 0 disables the limit
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 100M
    MaxScanSize 150M
    
    # Files larger than this limit won't be scanned. Affects the input file itself
    # as well as files contained inside it (when the input file is an archive, a
    # document or some other kind of container).
    # Value of 0 disables the limit.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 25M
    # NOTE(review): per the comment above, a download over 30M is not scanned
    # at all; whether squidclamav then blocks or passes it is decided on the
    # c-icap side, not here - check that setting so large files are not a blind spot.
    MaxFileSize 30M
    
    # Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR
    # file, all files within it will also be scanned. This options specifies how
    # deeply the process should be continued.
    # Note: setting this limit too high may result in severe damage to the system.
    # Default: 16
    # Lowered from the default 16: containers nested deeper than 10 levels are
    # not opened.
    MaxRecursion 10
    
    # Number of files to be scanned within an archive, a document, or any other
    # container file.
    # Value of 0 disables the limit.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 10000
    MaxFiles 15000
    
    # Maximum size of a file to check for embedded PE. Files larger than this value
    # will skip the additional analysis step.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 10M
    MaxEmbeddedPE 10M
    
    # Maximum size of a HTML file to normalize. HTML files larger than this value
    # will not be normalized or scanned.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 10M
    MaxHTMLNormalize 10M
    
    # Maximum size of a normalized HTML file to scan. HTML files larger than this
    # value after normalization will not be scanned.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 2M
    MaxHTMLNoTags 2M
    
    # Maximum size of a script file to normalize. Script content larger than this
    # value will not be normalized or scanned.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 5M
    MaxScriptNormalize 5M
    
    # Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger
    # than this value will skip the step to potentially reanalyze as PE.
    # Note: disabling this limit or setting it too high may result in severe damage
    # to the system.
    # Default: 1M
    MaxZipTypeRcg 1M
    
    ##
    ## Clamuko settings
    ##
    
    # Enable Clamuko. Dazuko must be configured and running. Clamuko supports
    # both Dazuko (/dev/dazuko) and DazukoFS (/dev/dazukofs.ctrl). DazukoFS
    # is the preferred option. For more information please visit www.dazuko.org
    # Default: no
    #ClamukoScanOnAccess yes
    
    # The number of scanner threads that will be started (DazukoFS only).
    # Having multiple scanner threads allows Clamuko to serve multiple
    # processes simultaneously. This is particularly beneficial on SMP machines.
    # Default: 3
    #ClamukoScannerCount 3
    
    # Don't scan files larger than ClamukoMaxFileSize
    # Value of 0 disables the limit.
    # Default: 5M
    #ClamukoMaxFileSize 10M
    
    # Set access mask for Clamuko (Dazuko only).
    # Default: no
    #ClamukoScanOnOpen yes
    #ClamukoScanOnClose yes
    #ClamukoScanOnExec yes
    
    # Set the include paths (all files inside them will be scanned). You can have
    # multiple ClamukoIncludePath directives but each directory must be added
    # in a seperate line. (Dazuko only)
    # Default: disabled
    #ClamukoIncludePath /home
    #ClamukoIncludePath /students
    
    # Set the exclude paths. All subdirectories are also excluded. (Dazuko only)
    # Default: disabled
    #ClamukoExcludePath /home/bofh
    
    # With this option you can whitelist specific UIDs. Processes with these UIDs
    # will be able to access all files.
    # This option can be used multiple times (one per line).
    # Default: disabled
    #ClamukoExcludeUID 0
    
    # With this option enabled ClamAV will load bytecode from the database. 
    # It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.
    # Default: yes
    #Bytecode yes
    
    # Set bytecode security level.
    # Possible values:
    #       None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
    #         This value is only available if clamav was built with --enable-debug!
    #       TrustSigned - trust bytecode loaded from signed .c[lv]d files,
    #                insert runtime safety checks for bytecode loaded from other sources
    #       Paranoid - don't trust any bytecode, insert runtime checks for all
    # Recommended: TrustSigned, because bytecode in .cvd files already has these checks
    # Note that by default only signed bytecode is loaded, currently you can only
    # load unsigned bytecode in --enable-debug mode.
    #
    # Default: TrustSigned
    #BytecodeSecurity TrustSigned
    
    # Set bytecode timeout in miliseconds.
    # 
    # Default: 5000
    # BytecodeTimeout 1000
    
    


  • huh, reply to myself  :P …..

    OK, permanent changes can be made via the pfSense UI.

    1. Set the listening port under "Antivirus" in "c-icap.conf" to "Port 1345".

    2. Set this in Custom ACLs (Before_Auth), with help from Diladele support:

    
    # Custom ACLs (Before_Auth): bump all non-whitelisted TLS and send every
    # transaction through Diladele and then squidclamav via two service chains.
    always_direct allow all
    ssl_bump server-first all
    icap_enable on
    icap_preview_enable on
    icap_preview_size 4096
    icap_persistent_connections on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_header X-Client-Username
    
    # routing=0: the ICAP server may not rewrite the adaptation plan via
    # X-Next-Services; bypass=0: an unreachable service yields an error page
    # rather than an unscanned/unfiltered pass-through (fail-closed).
    icap_service qlproxy1 reqmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/reqmod
    icap_service qlproxy2 respmod_precache routing=0 bypass=0 icap://127.0.0.1:1344/respmod
    
    # c-icap/squidclamav on 1345 (moved there in step 1 so it no longer
    # collides with Diladele on 1344).
    icap_service service_req reqmod_precache routing=0 bypass=0 icap://127.0.0.1:1345/squidclamav
    icap_service service_resp respmod_precache routing=0 bypass=0 icap://127.0.0.1:1345/squidclamav
    
    # Diladele exclusion lists, read from files whose contents are not shown here.
    acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
    acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
    
    # A chain runs its members in order on the same transaction: request ->
    # Diladele reqmod -> squidclamav reqmod. One allow rule per chain replaces
    # the earlier per-service allow rules, which only ever selected the first
    # matching service; this is what makes both services run.
    adaptation_service_chain chain1 qlproxy1 service_req
    adaptation_access chain1 deny qlproxy_icap_edomains
    adaptation_access chain1 allow all
    
    # Response -> Diladele respmod -> squidclamav respmod.
    # NOTE(review): the deny rules exempt the whole chain, AV scan included,
    # so every domain in icap_exclusions_domains.conf and every MIME type in
    # icap_exclusions_contenttypes.conf is delivered without a virus scan.
    # Review those two files with that in mind (they were written for the
    # web filter, not for the AV).
    adaptation_service_chain chain2 qlproxy2 service_resp
    adaptation_access chain2 deny qlproxy_icap_edomains
    adaptation_access chain2 deny qlproxy_icap_etypes
    
    adaptation_access chain2 allow all
    
    

    But after saving and restarting the squid service, this remains at the end of squid.conf (always, because it is autogenerated and I don't know where the generating template is so I could delete these lines):

    
    # NOTE(review): this block is appended by pfSense from the package's own
    # Antivirus settings on every save, after the custom ACLs above. Three
    # things in it work against the custom block:
    #  - icap_preview_size and icap_client_username_header are set again; for
    #    scalar directives the later value normally wins, so the custom
    #    4096 / X-Client-Username values are presumably overridden here.
    #  - service_req/service_resp are defined a second time, pointing at port
    #    1344, which after step 1 is Diladele and not c-icap. Squid may log a
    #    duplicate-service error for this; if it does not, confirm from
    #    cache.log which definition is actually in use.
    #  - the two "allow all" rules sit after "chain1/chain2 allow all", so for
    #    any transaction the chains accept they are never reached.
    # Fix at the source: set the ICAP port on the package's Antivirus page to
    # 1345 so the generated definitions at least point at c-icap, or stop the
    # package from emitting this block (check what else that toggle controls,
    # e.g. whether it is what starts c-icap/clamd).
    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on 
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    
    icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
    icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
    
    adaptation_access service_req allow all
    adaptation_access service_resp allow all
    
    

    Can you please verify my settings and tune them? Thx.