
Topic: Squid ClamAV Not Reporting Virus'


newUser2pfSense
Squid ClamAV Not Reporting Virus'
« on: August 18, 2016, 08:15:19 pm »
Hello all...

I have a full install of pfSense 2.3.2-RELEASE (amd64).  I have installed Squid from the Package Manager specifically to use the ClamAV antivirus.  I believe I have everything enabled to include the Squid Proxy.  As well, I'm able to update the virus definitions with no issues. 

Squid Version: 3.5.19_1
Antivirus: ClamAV 0.99.2, C-ICAP 0.4.3
Scanner: SquidClamav 6.10

The following services are all running:
c-icap: ICAP Interface for Squid and ClamAV integration
clamd: ClamAV Antivirus
squid: Squid Proxy Server Service

When I go to download an eicar virus test file, I'm able to download the file with no virus message displaying.  I thought SquidClamAV would show some kind of virus detected message and that the file cannot be downloaded. 

Would anyone happen to know what I might be doing incorrectly?  Any suggestions would be helpful.

AR15USR
« Reply #1 on: August 18, 2016, 11:14:03 pm »
It should be blocking the http EICAR files; if not, something is not right. It won't block the https files unless you have MITM set up.
_________________________

Release: pfSense 2.3.4

newUser2pfSense
« Reply #2 on: August 19, 2016, 09:36:25 am »
I'm able to download the eicar file(s) from http without receiving any virus messages.  I wanted to get the http resolved before I try to configure the https.

I'm trying to figure out what is configured incorrectly.  Anyone have any ideas?

AR15USR
« Reply #3 on: August 19, 2016, 11:07:55 am »
Post screenshots of your Antivirus settings panel. I'm no IT pro but I have it working and I'll see if I can help.

newUser2pfSense
« Reply #4 on: August 19, 2016, 08:39:07 pm »
I'm back on my old enterprise network equipment until I can get this figured out. 

When I was initially testing the ClamAV antivirus with the http eicar virus test files, I didn't have my internet browser configured to use the proxy and I was able to download the files.

When I configured my browser to use the proxy, I could see the traffic come across the proxy in real time.  The Firefox settings I used for the proxy are:
HTTP Proxy: 192.168.1.1, Port: 3128
I also configured the proxy for null caching as I'm not that interested in keeping any data in cache and configured Firefox not to keep any cache as well.

After configuring my browser to use the proxy, I tried to download the http eicar virus test files and an error page appeared for all 4 of the files.  I can't remember the type of error page off the top of my head.  I didn't even get to a download prompt for any of the files.  Interestingly enough, the proxy real time network traffic didn't show the files as being infected as that part of the page was blank.  I didn't choose a redirect page for infected files so I thought I would get a default virus page and didn't.

Since I'm back on my old equipment for the time being, I won't have any pics to post.  Thanks for the help though.

AR15USR
« Reply #5 on: August 19, 2016, 10:01:13 pm »
Sounds like it was working. Here are my settings on the Antivirus tab FYI:

Enable
Do Not Send
Disabled
(blank)
Unchecked
Checked
Every 6 hours
United States
(blank)

My C-ICAP - Virus Logs are currently showing 18 Virus blocked.

People here recommend setting up Squid via the WPAD method and setting the clients to auto discovery; that's how I have done it as well.

newUser2pfSense
« Reply #6 on: August 20, 2016, 08:37:01 am »
Looking at the Antivirus tab shows my setup pretty much the same as yours.

I've now set up the SSL Man In the Middle Filtering for https scanning.  It gives me the same error page for the 4 files as the http page does.  By the way, that error page is:

Server not found

Firefox can't find the server at xyz.

Check the address for typing errors such as ww.example.com instead of www.example.com
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

I've left the Redirect URL field empty as it states:  Leave empty to use the default Squid/pfSense WebGUI URL.
As you can tell from the above error message, I'm not getting a default URL, unless of course that is the default URL.  I was looking for something more along the lines of a red background with some kind of text that says you tried to download a virus infected file, the file's name, the IP and URL of the file, etc.; something to that effect.

My C-ICAP Virus Table | C-ICAP - Virus Logs are blank/empty, no messages at all.  It would seem that I would have some entries such as what yours shows.  That seems a little odd to me that it's blank.

AR15USR
« Reply #7 on: August 21, 2016, 09:13:53 am »
If you enter the Block page manually does it work?

http://yourpfsenseaddress/squid_clwarn.php

Are you setting up your clients individually or using WPAD?

The block page should look like this attachment.

newUser2pfSense
« Reply #8 on: August 21, 2016, 10:11:59 am »
I did some searching yesterday and found the following posts:
https://www.reddit.com/r/PFSENSE/comments/4eavs0/squid3clamav_redirecting_to_the_wrong_warnphp_url/
https://www.reddit.com/r/PFSENSE/comments/3fcrhe/224_fresh_install_no_squidav/

I tried the 2 following redirect URLs with no luck:
http://pfsense/squid_clwarn.php
http://192.168.1.1/squid_clwarn.php
The block page you provided didn't come up for either.

I'm just going to set my clients to auto detect the proxy settings.  It seems the easiest.

I don't believe I've configured anything incorrectly.  Very odd.

AR15USR
« Reply #9 on: August 21, 2016, 10:49:16 am »
Sounds like you need to do a remove/reinstall of Squid/Squidguard to me. Something is not right.

Have Snort running? It's not blocking anything on your LAN, is it?

You will need to configure WPAD for your clients to be able to auto detect, btw.

Check out this thread for maybe more help:
https://forum.pfsense.org/index.php?topic=112335.0

newUser2pfSense
« Reply #10 on: August 22, 2016, 06:55:01 pm »
Ok...I wiped my drive and installed a fresh pfSense 2.3.2-RELEASE (amd64).  I do not have Snort installed at this time.  I installed Squid and set it up with no issues.  I did notice this: in the General tab, if I don't enable the Transparent HTTP Proxy, I am able to download the http eicar virus test files.  If I enable the Transparent HTTP Proxy, I get the "Server not found" error page when trying to download the http eicar virus test files.  I've attached screenshots of the General, Local Cache, and Antivirus pages.  Maybe you can find something that I've completely missed.

I checked the thread you posted.  The process seems quite involved; not that I can't do it.  It's a bit of work to get it to work correctly.

newUser2pfSense
« Reply #11 on: August 23, 2016, 06:02:37 pm »
Does anyone know who maintains the Squid/ClamAV package?  Maybe they could take a look and see if there is anything in my setup that is incorrect.  Or would anyone else know what could be wrong???  I'm just a newbie to pfSense trying to get this working correctly.  Any more ideas at all?

newUser2pfSense
« Reply #12 on: August 27, 2016, 11:48:52 am »
I'm finding out a little more about squid and clamav.

If you do a search on the following github site for "redirect", you'll find, about two-thirds down the page (the 3rd match in my Firefox), information about URL redirection.  If you look in the cgi-bin directory as described, you can find the virus warning files:
https://github.com/darold/squidclamav

If you do a search in pfSense from Diagnostics | Command Prompt using the following command line text: find / -name "clwarn.cgi", you'll find the file is located here: /usr/local/libexec/squidclamav/clwarn.cgi. If you look in the /usr/local/libexec/squidclamav path, you can find all of the files that the github cgi-bin directory references.

Interestingly enough, when I went to pfSense, Services | Squid Proxy Server | Antivirus, and chose the following Redirect URL: 
http://192.168.1.1/cgi-bin/clwarn.cgi, the actual warning page appeared on the http eicar virus test file.  I thought my issue was fixed.  Nope, it's not.  For whatever reason, pfSense stopped using that url redirect after testing the http eicar test files a few more times to make sure it was going to work.  >:(

ChungCN126
« Reply #13 on: August 29, 2016, 02:29:45 pm »
I'm finding out a little more about squid and clamav, too.
Are you setting up your clients individually or using WPAD?

newUser2pfSense
« Reply #14 on: August 29, 2016, 08:16:40 pm »
I'm setting up my clients individually for the https MITM; importing the CA into Firefox on each.  I'm then telling the browser to auto-detect the proxy settings.  Although I've read about it, I'm not really sure what WPAD is.

I'm just trying to find the correct URL redirect in order for squidclamav to use the built-in virus/malware warning page (/cgi-bin/clwarn.cgi.en_EN).  I've tried everything that I can find in my searches with no luck.
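The thread never isolates whether c-icap and squidclamav flag the test file at all, or whether the fault is in how Squid (transparent mode, redirect URL) delivers the verdict. This added example, not code from the thread or from the squidclamav project, is a minimal ICAP client that hands the EICAR test string straight to c-icap and classifies the answer. It assumes c-icap listening on 127.0.0.1:1344 with the upstream service name squidclamav (check the c-icap configuration on the box); the origin URL and the sample responses are constructed.

```python
import socket

# Constructed input: the standard EICAR antivirus test string, split in two so
# that this source file is not itself mistaken for the test file.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")

def build_respmod(host, port, service, origin_url, body):
    """RESPMOD request (RFC 3507): a fake HTTP 200 carrying `body`, as Squid sends it."""
    req_hdr = ("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n"
               % (origin_url, origin_url.split("/")[2])).encode()
    res_hdr = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               "Content-Length: %d\r\n\r\n" % len(body)).encode()
    # Encapsulated offsets are byte positions within the encapsulated section.
    encap = "req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_hdr = ("RESPMOD icap://%s:%d/%s ICAP/1.0\r\nHost: %s\r\nAllow: 204\r\n"
                "Encapsulated: %s\r\n\r\n" % (host, port, service, host, encap)).encode()
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)  # ICAP bodies are chunked
    return icap_hdr + req_hdr + res_hdr + chunked

def classify_response(raw):
    """204 = c-icap passed the content untouched (clean, or never scanned);
    200 = the AV service replaced the response, normally with a redirect to
    the warning page (squid_clwarn.php / clwarn.cgi) or its own block page."""
    head, _, encapsulated = raw.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0]
    code = int(status.split()[1]) if status.startswith(b"ICAP/") else 0
    if code == 204:
        return "passed", None
    if code == 200:
        return "replaced", encapsulated.split(b"\r\n", 1)[0].decode(errors="replace")
    return "error", status.decode(errors="replace") or "no response"

def scan_via_icap(host, port, service, origin_url, body, timeout=10):
    """Submit `body` to a live c-icap and report whether the AV service flagged it."""
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_respmod(host, port, service, origin_url, body))
        try:  # read the headers, plus the chunked body when one follows
            while b"\r\n\r\n" not in raw or (raw.startswith(b"ICAP/1.0 200") and b"\r\n0\r\n\r\n" not in raw):
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
        except socket.timeout:
            pass  # null-body replies (e.g. a bare redirect) carry no chunk terminator
    return classify_response(raw)

if __name__ == "__main__":  # assumed pfSense defaults: c-icap on 127.0.0.1:1344, service "squidclamav"
    print(scan_via_icap("127.0.0.1", 1344, "squidclamav", "http://example.test/eicar.com", EICAR))
```

A "passed" verdict for the EICAR string means c-icap returned it unscanned or clean, so the problem sits on the c-icap/ClamAV side rather than in Squid's proxy or redirect settings; "replaced" means scanning works and what remains is how Squid and the redirect URL deliver the warning page.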