Author Topic: Squid ClamAV Not Reporting Virus'  (Read 10628 times)

Impatient
Re: Squid ClamAV Not Reporting Virus'
« Reply #30 on: December 05, 2017, 01:47:22 pm »
I don't get the response page but it is blocked and I don't use a firewall rule.

I have Squid set up with MITM.

When I check the Real Time tab, the (clamd table) shows the EICAR file is found instream, and the C-ICAP server is showing that it generated a response page even though none appeared.

I had just assumed it was a conflict between one of the other packages I have installed.

Just updated squid to 4.42_1 and I am now getting the response page with http and https.

ekoo
Re: Squid ClamAV Not Reporting Virus'
« Reply #31 on: January 09, 2018, 04:22:15 pm »
Not sure if it's been posted before.

Found on GitHub: https://github.com/darold/squidclamav/issues/42


Quote
Hi Yuri,

Sorry for the response delay. I have pfsense 2.4.1 running and the virus test files are well detected.

So to clear your cache proceed as follows:

1) Stop Squid service: on the "Package / Proxy Server: General Settings / General" interface uncheck "Enable Squid Proxy" checkbox and save the configuration. This will stop the service.
2) Execute command: rm -rf /var/squid/cache/*, the cache is destroyed.
3) Rebuild the cache space using: /usr/local/sbin/squid -z (type enter again to have the prompt). The swap space is rebuilt.
4) Restart the service from the Web interface by activating the "Enable Squid Proxy" checkbox and save the configuration.

Works fine, pfsense is a great product.
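
Added example (not part of the original posts or of the squidclamav project): steps 2 and 3 of the quoted procedure wrapped in the guards you would want before running `rm -rf` on a firewall, plus a check of whether a test download was answered from Squid's cache in the first place. The function names `cache_served`, `reset_squid_cache` and `sample_log` are hypothetical, the log lines are constructed, and the log check assumes Squid's default native access.log format.

```shell
#!/bin/sh
# Added example: function names are hypothetical, log lines are constructed.

# Constructed access.log sample in Squid's native log format
# (field 4 = result_code/status, field 7 = URL).
sample_log() {
cat <<'EOF'
1515512000.101    212 192.168.1.20 TCP_MISS/200 391 GET http://www.eicar.org/download/eicar.com - HIER_DIRECT/203.0.113.10 application/octet-stream
1515512090.440      1 192.168.1.20 TCP_HIT/200 398 GET http://www.eicar.org/download/eicar.com - HIER_NONE/- application/octet-stream
1515512120.007     95 192.168.1.21 TCP_MISS/200 1204 GET http://example.com/index.html - HIER_DIRECT/203.0.113.20 text/html
EOF
}

# cache_served URL_SUBSTRING < access.log
# Prints requests for matching URLs that Squid answered from its own cache
# and returns 0 if there were any, 1 otherwise.
cache_served() {
    awk -v pat="$1" '
        index($7, pat) && $4 ~ /HIT|REFRESH_UNMODIFIED/ { print; n++ }
        END { exit (n ? 0 : 1) }'
}

# reset_squid_cache CACHE_DIR [SQUID_BIN]: steps 2 and 3 of the procedure.
reset_squid_cache() {
    dir=$1 squid_bin=${2:-/usr/local/sbin/squid}
    # Never let an empty or wrong argument turn into "rm -rf /*".
    case "$dir" in
        ""|/|.|..) echo "refusing to clear '$dir'" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
    # The procedure stops Squid first (step 1); refuse if it is still running.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x squid >/dev/null 2>&1; then
        echo "squid is still running; stop it in the web interface" >&2
        return 3
    fi
    find "$dir" -mindepth 1 -delete   # step 2 (unlike the * glob, also removes dot-files)
    "$squid_bin" -z                   # step 3, rebuilds the cache directories
}

# Demo on the constructed log only; reset_squid_cache is not called here.
sample_log | cache_served "eicar" || echo "no cache-served hits"
```

On the firewall this would be called as `reset_squid_cache /var/squid/cache` after step 1, with Squid re-enabled from the web interface afterwards (step 4).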

chudak
Re: Squid ClamAV Not Reporting Virus'
« Reply #32 on: January 09, 2018, 04:25:51 pm »
The only problem: it did not work!!!

ekoo
Re: Squid ClamAV Not Reporting Virus'
« Reply #33 on: January 09, 2018, 04:38:17 pm »


It worked for me... running 2.4.2p1.
Clicked on the EICAR links multiple times.

chudak
Re: Squid ClamAV Not Reporting Virus'
« Reply #34 on: January 09, 2018, 04:41:28 pm »


Interesting, what did you do? And it did not work before 2.4.2p1?

Thx

ekoo
Re: Squid ClamAV Not Reporting Virus'
« Reply #35 on: January 09, 2018, 04:45:41 pm »


I did exactly those 4 steps... all through the "Command Prompt" webGUI page.

I was originally on 2.3.4p-something... the upgrade to 2.4.2 broke everything, so I had to do a fresh install and restore the XML file.

Once the backup file was restored, I could download all the HTTP EICAR files, no problem.

Then I followed those 4 steps, and I get the virus redirect page (could not download the EICAR files).

http://www.eicar.org/85-0-download.html
« Last Edit: January 09, 2018, 04:50:06 pm by ekoo »

chudak
Re: Squid ClamAV Not Reporting Virus'
« Reply #36 on: January 09, 2018, 04:54:43 pm »


Oops you are right, works for me too now!!!

So seems like 2.4.2-RELEASE-p1 fixed it (and last time I tried on previous version).

Thanks :)

newUser2pfSense
Re: Squid ClamAV Not Reporting Virus'
« Reply #37 on: February 07, 2018, 07:39:52 pm »
I'm now on pfSense:
2.4.2-RELEASE-p1
FreeBSD 11.1-RELEASE-p6

Using a Mac mini and MacBook Pro both using Firefox to test the EICAR HTTP files, I completed the 4 steps, twice, and I can still download the HTTP files.  I haven't configured for HTTPS yet.

Another interesting factoid...Using Debian 9 Stretch Linux with Firefox installed, I couldn't download the HTTP files but I still didn't receive the red colored virus message.