Squid and c-icap does not work PFsense 2.3

bienbuon

Hi everyone, i need help here with squid.
everything was working fine with squid and HAVP
Since i upgrade to 2.3 squid and C-iCAP doesnt work.

I don't know what i've done wrong but if i tick "Allow Users on Interface " in squid config then i cant access any thing, although squid and everything is running.
I tried to download test virus http://www.eicar.org/download/eicar.com.txt but it wont work as it was on HAVP in older version.
Also none of the ads blocked with squidgards

Please check my screen shots and give me your advice.
http://easycaptures.com/fs/uploaded/932/7681022914.png
http://easycaptures.com/fs/uploaded/932/0913961144.png
http://easycaptures.com/fs/uploaded/932/8972112036.png
http://easycaptures.com/fs/uploaded/932/8827296471.png
Thanks everyone

tohil

Hi,

same here.

I use squid in transparent mode. everything with default settings, but I can download the Eicar test file over HTTP.

Seems that this is not working correctly.

squid.conf

This file is automatically generated by pfSense

Do not edit manually !

http_port 192.168.5.1:3128
http_port 192.168.7.1:3128
http_port 127.0.0.1:3128 intercept
icp_port 0
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user squid
cache_effective_group proxy
error_default_language de
icon_directory /usr/local/etc/squid/icons
visible_hostname tohil1.pfsensefirewall.local
cache_mgr angelo@tohil.net
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable off
pinger_program /usr/local/libexec/squid/pinger

logfile_rotate 1
debug_options rotate=1
shutdown_lifetime 3 seconds

Allow local network(s) on interface(s)

acl localnet src 192.168.5.0/24 192.168.7.0/24
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin ?
cache deny dynamic

cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320

#Remote proxies

Setup some default acls

From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

acl localhost src 127.0.0.1/32

acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 10443 3128 3129 1025-65535
acl sslports port 443 563 10443

From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

Define protocols used for redirects

acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

Always allow localhost connections

From 3.2 further configuration cleanups have been done to make things easier and safer.

The manager, localhost, and to_localhost ACL definitions are now built-in.

http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

Reverse Proxy settings

Custom options before auth

Setup allowed ACLs

Allow local network(s) on interface(s)

http_access allow localnet

Default block all to be sure

http_access deny allsrc

icap_enable on
icap_send_client_ip on
icap_send_client_username off
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024

icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/squid_clamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squid_clamav bypass=on
adaptation_access service_avi_resp allow all

clamd.conf

#This file was automatically generated by pfSense WebGUI configuration

Please read the clamd.conf(5) manual before editing this file.

Uncomment this option to enable logging.

LogFile must be writable for the user running daemon.

A full path is required.

Default: disabled

LogFile /var/log/clamav/clamd.log

By default the log file is locked for writing - the lock protects against

running clamd multiple times (if want to run another clamd, please

copy the configuration file, change the LogFile variable, and run

the daemon with –config-file option).

This option disables log file locking.

Default: no

#LogFileUnlock yes

Maximum size of the log file.

Value of 0 disables the limit.

You may use 'M' or 'm' for megabytes (1M = 1m = 1048576 bytes)

and 'K' or 'k' for kilobytes (1K = 1k = 1024 bytes). To specify the size

in bytes just don't use modifiers. If LogFileMaxSize is enabled, log

rotation (the LogRotate option) will always be enabled.

Default: 1M

#LogFileMaxSize 2M

Log time with each message.

Default: no

#LogTime yes

Also log clean files. Useful in debugging but drastically increases the

log size.

Default: no

#LogClean yes

Use system logger (can work together with LogFile).

Default: no

#LogSyslog yes

Specify the type of syslog messages - please refer to 'man syslog'

for facility names.

Default: LOG_LOCAL6

#LogFacility LOG_MAIL

Enable verbose logging.

Default: no

#LogVerbose yes

Enable log rotation. Always enabled when LogFileMaxSize is enabled.

Default: no

#LogRotate yes

Log additional information about the infected file, such as its

size and hash, together with the virus name.

#ExtendedDetectionInfo yes

This option allows you to save a process identifier of the listening

daemon (main thread).

Default: disabled

PidFile /var/run/clamav/clamd.pid

Optional path to the global temporary directory.

Default: system specific (usually /tmp or /var/tmp).

#TemporaryDirectory /var/tmp

Path to the database directory.

Default: hardcoded (depends on installation options)

DatabaseDirectory /var/db/clamav

Only load the official signatures published by the ClamAV project.

Default: no

#OfficialDatabaseOnly no

The daemon can work in local mode, network mode or both.

Due to security reasons we recommend the local mode.

Path to a local socket file the daemon will listen on.

Default: disabled (must be specified by a user)

LocalSocket /var/run/clamav/clamd.sock

Sets the group ownership on the unix socket.

Default: disabled (the primary group of the user running clamd)

#LocalSocketGroup virusgroup

Sets the permissions on the unix socket to the specified mode.

Default: disabled (socket is world accessible)

#LocalSocketMode 660

Remove stale socket after unclean shutdown.

Default: yes

FixStaleSocket yes

TCP port address.

Default: no

#TCPSocket 3310

TCP address.

By default we bind to INADDR_ANY, probably not wise.

Enable the following to provide some degree of protection

from the outside world. This option can be specified multiple

times if you want to listen on multiple IPs. IPv6 is now supported.

Default: no

#TCPAddr 127.0.0.1

Maximum length the queue of pending connections may grow to.

Default: 200

#MaxConnectionQueueLength 30

Clamd uses FTP-like protocol to receive data from remote clients.

If you are using clamav-milter to balance load between remote clamd daemons

on firewall servers you may need to tune the options below.

Close the connection when the data size limit is exceeded.

The value should match your MTA's limit for a maximum attachment size.

Default: 25M

#StreamMaxLength 10M

Limit port range.

Default: 1024

#StreamMinPort 30000

Default: 2048

#StreamMaxPort 32000

Maximum number of threads running at the same time.

Default: 10

#MaxThreads 20

Waiting for data from a client socket will timeout after this time (seconds).

Default: 120

#ReadTimeout 300

This option specifies the time (in seconds) after which clamd should

timeout if a client doesn't provide any initial command after connecting.

Default: 5

#CommandReadTimeout 5

This option specifies how long to wait (in miliseconds) if the send buffer is full.

Keep this value low to prevent clamd hanging

Default: 500

#SendBufTimeout 200

Maximum number of queued items (including those being processed by MaxThreads threads)

It is recommended to have this value at least twice MaxThreads if possible.

WARNING: you shouldn't increase this too much to avoid running out of file descriptors,

the following condition should hold:

MaxThreads*MaxRecursion + (MaxQueue - MaxThreads) + 6< RLIMIT_NOFILE (usual max is 1024)

Default: 100

#MaxQueue 200

Waiting for a new job will timeout after this time (seconds).

Default: 30

#IdleTimeout 60

Don't scan files and directories matching regex

This directive can be used multiple times

Default: scan all

#ExcludePath ^/proc/
#ExcludePath ^/sys/

Maximum depth directories are scanned at.

Default: 15

#MaxDirectoryRecursion 20

Follow directory symlinks.

Default: no

#FollowDirectorySymlinks yes

Follow regular file symlinks.

Default: no

#FollowFileSymlinks yes

Scan files and directories on other filesystems.

Default: yes

#CrossFilesystems yes

Perform a database check.

Default: 600 (10 min)

#SelfCheck 600

Execute a command when virus is found. In the command string %v will

be replaced with the virus name.

Default: no

#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

Run as another user (clamd must be started by root for this option to work)

Default: don't drop privileges

User clamav

Initialize supplementary group access (clamd must be started by root).

Default: no

AllowSupplementaryGroups yes

Stop daemon when libclamav reports out of memory condition.

#ExitOnOOM yes

Don't fork into background.

Default: no

#Foreground yes

Enable debug messages in libclamav.

Default: no

#Debug yes

Do not remove temporary files (for debug purposes).

Default: no

#LeaveTemporaryFiles yes

Permit use of the ALLMATCHSCAN command. If set to no, clamd will reject

any ALLMATCHSCAN command as invalid.

Default: yes

#AllowAllMatchScan no

Detect Possibly Unwanted Applications.

Default: no

#DetectPUA yes

Exclude a specific PUA category. This directive can be used multiple times.

See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for

the complete list of PUA categories.

Default: Load all categories (if DetectPUA is activated)

#ExcludePUA NetTool
#ExcludePUA PWTool

Only include a specific PUA category. This directive can be used multiple

times.

Default: Load all categories (if DetectPUA is activated)

#IncludePUA Spy
#IncludePUA Scanner
#IncludePUA RAT

In some cases (eg. complex malware, exploits in graphic files, and others),

ClamAV uses special algorithms to provide accurate detection. This option

controls the algorithmic detection.

Default: yes

#AlgorithmicDetection yes

This option causes memory or nested map scans to dump the content to disk.

If you turn on this option, more data is written to disk and is available

when the LeaveTemporaryFiles option is enabled.

#ForceToDisk yes

This option allows you to disable the caching feature of the engine. By

default, the engine will store an MD5 in a cache of any files that are

not flagged as virus or that hit limits checks. Disabling the cache will

have a negative performance impact on large scans.

Default: no

#DisableCache yes

Executable files

PE stands for Portable Executable - it's an executable file format used

in all 32 and 64-bit versions of Windows operating systems. This option allows

ClamAV to perform a deeper analysis of executable files and it's also

required for decompression of popular executable packers such as UPX, FSG,

and Petite. If you turn off this option, the original files will still be

scanned, but without additional processing.

Default: yes

#ScanPE yes

Certain PE files contain an authenticode signature. By default, we check

the signature chain in the PE file against a database of trusted and

revoked certificates if the file being scanned is marked as a virus.

If any certificate in the chain validates against any trusted root, but

does not match any revoked certificate, the file is marked as whitelisted.

If the file does match a revoked certificate, the file is marked as virus.

The following setting completely turns off authenticode verification.

Default: no

#DisableCertCheck yes

Executable and Linking Format is a standard format for UN*X executables.

This option allows you to control the scanning of ELF files.

If you turn off this option, the original files will still be scanned, but

without additional processing.

Default: yes

#ScanELF yes

With this option clamav will try to detect broken executables (both PE and

ELF) and mark them as Broken.Executable.

Default: no

#DetectBrokenExecutables yes

Documents

This option enables scanning of OLE2 files, such as Microsoft Office

documents and .msi files.

If you turn off this option, the original files will still be scanned, but

without additional processing.

Default: yes

#ScanOLE2 yes

With this option enabled OLE2 files with VBA macros, which were not

detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".

Default: no

#OLE2BlockMacros no

This option enables scanning within PDF files.

If you turn off this option, the original files will still be scanned, but

without decoding and additional processing.

Default: yes

#ScanPDF yes

This option enables scanning within SWF files.

If you turn off this option, the original files will still be scanned, but

without decoding and additional processing.

Default: yes

#ScanSWF yes

This option enables scanning xml-based document files supported by libclamav.

If you turn off this option, the original files will still be scanned, but

without additional processing.

Default: yes

#ScanXMLDOCS yes

This option enables scanning of HWP3 files.

If you turn off this option, the original files will still be scanned, but

without additional processing.

Default: yes

#ScanHWP3 yes

Mail files

Enable internal e-mail scanner.

If you turn off this option, the original files will still be scanned, but

without parsing individual messages/attachments.

Default: yes

ScanMail yes

Scan RFC1341 messages split over many emails.

You will need to periodically clean up $TemporaryDirectory/clamav-partial directory.

WARNING: This option may open your system to a DoS attack.

Never use it on loaded servers.

Default: no

#ScanPartialMessages yes

With this option enabled ClamAV will try to detect phishing attempts by using

signatures.

Default: yes

#PhishingSignatures yes

Scan URLs found in mails for phishing attempts using heuristics.

Default: yes

#PhishingScanURLs yes

Always block SSL mismatches in URLs, even if the URL isn't in the database.

This can lead to false positives.

Default: no

#PhishingAlwaysBlockSSLMismatch no

Always block cloaked URLs, even if URL isn't in database.

This can lead to false positives.

Default: no

#PhishingAlwaysBlockCloak no

Detect partition intersections in raw disk images using heuristics.

Default: no

#PartitionIntersection no

Allow heuristic match to take precedence.

When enabled, if a heuristic scan (such as phishingScan) detects

a possible virus/phish it will stop scan immediately. Recommended, saves CPU

scan-time.

When disabled, virus/phish detected by heuristic scans will be reported only at

the end of a scan. If an archive contains both a heuristically detected

virus/phish, and a real malware, the real malware will be reported

Keep this disabled if you intend to handle ".Heuristics." viruses

differently from "real" malware.

If a non-heuristically-detected virus (signature-based) is found first,

the scan is interrupted immediately, regardless of this config option.

Default: no

#HeuristicScanPrecedence yes

Data Loss Prevention (DLP)

Enable the DLP module

Default: No

#StructuredDataDetection yes

This option sets the lowest number of Credit Card numbers found in a file

to generate a detect.

Default: 3

#StructuredMinCreditCardCount 5

This option sets the lowest number of Social Security Numbers found

in a file to generate a detect.

Default: 3

#StructuredMinSSNCount 5

With this option enabled the DLP module will search for valid

SSNs formatted as xxx-yy-zzzz

Default: yes

#StructuredSSNFormatNormal yes

With this option enabled the DLP module will search for valid

SSNs formatted as xxxyyzzzz

Default: no

#StructuredSSNFormatStripped yes

HTML

Perform HTML normalisation and decryption of MS Script Encoder code.

Default: yes

If you turn off this option, the original files will still be scanned, but

without additional processing.

#ScanHTML yes

ClamAV can scan within archives and compressed files.

If you turn off this option, the original files will still be scanned, but

without unpacking and additional processing.

Default: yes

#ScanArchive yes

Mark encrypted archives as viruses (Encrypted.Zip, Encrypted.RAR).

Default: no

#ArchiveBlockEncrypted no

Limits

The options below protect your system against Denial of Service attacks

using archive bombs.

This option sets the maximum amount of data to be scanned for each input file.

Archives and other containers are recursively extracted and scanned up to this

value.

Value of 0 disables the limit

Note: disabling this limit or setting it too high may result in severe damage

to the system.

Default: 100M

#MaxScanSize 150M

Files larger than this limit won't be scanned. Affects the input file itself

as well as files contained inside it (when the input file is an archive, a

document or some other kind of container).

Value of 0 disables the limit.

Note: disabling this limit or setting it too high may result in severe damage

to the system.

Default: 25M

#MaxFileSize 30M

Nested archives are scanned recursively, e.g. if a Zip archive contains a RAR

file, all files within it will also be scanned. This options specifies how

deeply the process should be continued.

Note: setting this limit too high may result in severe damage to the system.

Default: 16

#MaxRecursion 10

Number of files to be scanned within an archive, a document, or any other

container file.

Value of 0 disables the limit.

Note: disabling this limit or setting it too high may result in severe damage

to the system.

Default: 10000

#MaxFiles 15000

Maximum size of a file to check for embedded PE. Files larger than this value

will skip the additional analysis step.

Note: disabling this limit or setting it too high may result in severe damage

to the system.

Default: 10M

#MaxEmbeddedPE 10M

Maximum size of a HTML file to normalize. HTML files larger than this value

will not be normalized or scanned.

Note: disabling this limit or setting it too high may result in severe damage

to the system.

Default: 10M

#MaxHTMLNormalize 10M

Maximum size of a normalized HTML file to scan. HTML files larger than this

value after normalization will not be scanned.

Note: disabling this limit or setting it too high may result in severe damage

to the system.

Default: 2M

#MaxHTMLNoTags 2M

Maximum size of a script file to normalize. Script content larger than this

value will not be normalized or scanned.

Note: disabling this limit or setting it too high may result in severe damage

to the system.

Default: 5M

#MaxScriptNormalize 5M

Maximum size of a ZIP file to reanalyze type recognition. ZIP files larger

than this value will skip the step to potentially reanalyze as PE.

Note: disabling this limit or setting it too high may result in severe damage

to the system.

Default: 1M

#MaxZipTypeRcg 1M

This option sets the maximum number of partitions of a raw disk image to be scanned.

Raw disk images with more partitions than this value will have up to the value number

partitions scanned. Negative values are not allowed.

Note: setting this limit too high may result in severe damage or impact performance.

Default: 50

#MaxPartitions 128

This option sets the maximum number of icons within a PE to be scanned.

PE files with more icons than this value will have up to the value number icons scanned.

Negative values are not allowed.

WARNING: setting this limit too high may result in severe damage or impact performance.

Default: 100

#MaxIconsPE 200

This option sets the maximum recursive calls for HWP3 parsing during scanning.

HWP3 files using more than this limit will be terminated and alert the user.

Scans will be unable to scan any HWP3 attachments if the recursive limit is reached.

Negative values are not allowed.

WARNING: setting this limit too high may result in severe damage or impact performance.

Default: 16

#MaxRecHWP3 16

This option sets the maximum calls to the PCRE match function during an instance of regex matching.

Instances using more than this limit will be terminated and alert the user but the scan will continue.

For more information on match_limit, see the PCRE documentation.

Negative values are not allowed.

WARNING: setting this limit too high may severely impact performance.

Default: 10000

#PCREMatchLimit 20000

This option sets the maximum recursive calls to the PCRE match function during an instance of regex matching.

Instances using more than this limit will be terminated and alert the user but the scan will continue.

For more information on match_limit_recursion, see the PCRE documentation.

Negative values are not allowed and values > PCREMatchLimit are superfluous.

WARNING: setting this limit too high may severely impact performance.

Default: 5000

#PCRERecMatchLimit 10000

This option sets the maximum filesize for which PCRE subsigs will be executed.

Files exceeding this limit will not have PCRE subsigs executed unless a subsig is encompassed to a smaller buffer.

Negative values are not allowed.

Setting this value to zero disables the limit.

WARNING: setting this limit too high or disabling it may severely impact performance.

Default: 25M

#PCREMaxFileSize 100M

On-access Scan Settings

Enable on-access scanning. Currently, this is supported via fanotify.

Clamuko/Dazuko support has been deprecated.

Default: no

#ScanOnAccess yes

Set the mount point to be scanned. The mount point specified, or the mount point

containing the specified directory will be watched. If any directories are specified,

this option will preempt the DDD system. This will notify only. It can be used multiple times.

(On-access scan only)

Default: disabled

#OnAccessMountPath /
#OnAccessMountPath /home/user

Don't scan files larger than OnAccessMaxFileSize

Value of 0 disables the limit.

Default: 5M

#OnAccessMaxFileSize 10M

Set the include paths (all files inside them will be scanned). You can have

multiple OnAccessIncludePath directives but each directory must be added

in a separate line. (On-access scan only)

Default: disabled

#OnAccessIncludePath /home
#OnAccessIncludePath /students

Set the exclude paths. All subdirectories are also excluded.

(On-access scan only)

Default: disabled

#OnAccessExcludePath /home/bofh

With this option you can whitelist specific UIDs. Processes with these UIDs

will be able to access all files.

This option can be used multiple times (one per line).

Default: disabled

#OnAccessExcludeUID 0

Toggles dynamic directory determination. Allows for recursively watching include paths.

(On-access scan only)

Default: no

#OnAccessDisableDDD yes

Modifies fanotify blocking behaviour when handling permission events.

If off, fanotify will only notify if the file scanned is a virus,

and not perform any blocking.

(On-access scan only)

Default: no

#OnAccessPrevention yes

Toggles extra scanning and notifications when a file or directory is created or moved.

Requires the DDD system to kick-off extra scans.

(On-access scan only)

Default: no

#OnAccessExtraScanning yes

Bytecode

With this option enabled ClamAV will load bytecode from the database.

It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.

Default: yes

#Bytecode yes

Set bytecode security level.

Possible values:

# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
# This value is only available if clamav was built with --enable-debug!
# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
# insert runtime safety checks for bytecode loaded from other sources
# Paranoid - don't trust any bytecode, insert runtime checks for all

Recommended: TrustSigned, because bytecode in .cvd files already has these checks