Gentoo Forums
test squid + clamav
walterw
Guru
Joined: 17 Oct 2003
Posts: 430

PostPosted: Wed Aug 22, 2012 2:38 am    Post subject: test squid + clamav

Hi all,

Is there a good way to test that squid and clamav are working and preventing viruses from being downloaded?

I went to Wikipedia and found EICAR or something and was able to download that in both text and zip file forms. That would indicate to me that antivirus is not working.


Walter
Odward
n00b
Joined: 21 Mar 2012
Posts: 65

PostPosted: Wed Aug 22, 2012 6:32 am

Mine blocks the EICAR test files from here.
Although not the HTTPS versions, since I don't have secure connections via proxy.

Did you set up the c-icap server and tell squid about it? Was squid installed with the icap-client USE flag?

I have app-antivirus/clamav, net-proxy/squid, net-proxy/squidclamav and net-proxy/c-icap installed -
and net-proxy/squidguard <- although this isn't necessary if you just want to block viruses.

If all of that is ok, you will probably need to check your config files.
/etc/squid/squid.conf
/etc/squidclamav.conf
/etc/c-icap/c-icap.conf

You can look at /var/log/clamav/clamd.log but it only says much if it actually finds a virus.
You can also
Code:
tail -f /var/log/c-icap/server.log

then open some websites, that file should have all sorts of activity to indicate it is scanning.

If you're still at a loss, I just set all this up a few days ago for my home so just ask and I can probably
help with the config files.
walterw
Guru
Joined: 17 Oct 2003
Posts: 430

PostPosted: Wed Aug 22, 2012 1:05 pm

Hi Odward,

Thanks for your reply.

Yes, I set up the c-icap server and squid is aware of it. Yes, squid was built with the icap-client USE flag.

Yes, I also have squidguard and adzapper, although it appears adzapper is not being used recently. (It appeared that both squidguard and adzapper were being used for a little while after I had set up clamav, squidguard, and c-icap, but recently I am getting ads again.)

I am using syslog for managing most of my log files and as a result, it is intertwined with other logs. I'll poke around my logs to see if I can find anything interesting. I will try that eicar site again.


Thanks,

Walter
walterw
Guru
Joined: 17 Oct 2003
Posts: 430

PostPosted: Fri Aug 24, 2012 4:08 am

Hi Odward,

After making my logs a bit more verbose, this is what I got:

Code:

Aug 24 00:02:59 Dell-server squid[19439]: WARNING: Squid got an invalid ICAP OPTIONS response from service icap://127.0.0.1:1344/squidclamav; error: unsupported status code of OPTIONS response
Aug 24 00:02:59 Dell-server squid[19439]: optional ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/squidclamav [down,!valid]
Aug 24 00:03:00 Dell-server c-icap: : 127.0.0.1 127.0.0.1 OPTIONS squidclamav 500
Aug 24 00:03:00 Dell-server squid[19439]: WARNING: Squid got an invalid ICAP OPTIONS response from service icap://127.0.0.1:1344/squidclamav; error: unsupported status code of OPTIONS response
Aug 24 00:03:00 Dell-server squid[19439]: optional ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/squidclamav [down,!valid]



I tried this setup using documentation from one of the links below. This is my relevant squid.conf (or rather, was my squid.conf); I have updated it below this one.
Code:

#http://wiki.squid-cache.org/Features/ICAP
#http://monklinux.blogspot.com/2012/03/installing-squid-proxy-with-reporting.html
#http://c-icap.sourceforge.net/install.html
#http://squid-web-proxy-cache.1019090.n4.nabble.com/Icap-clam-Av-td1593135.html
icap_enable          on

icap_preview_enable  on
icap_preview_size    128
icap_send_client_ip  on

icap_service         service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service         service_avi respmod_precache 1 icap://localhost:1344/srv_clamav

adaptation_service_set         class_antivirus service_avi service_avi_req
adaptation_access          class_antivirus allow all


Code:

# use i-cap to enable ClamAV to scan content for viruses
#http://wiki.squid-cache.org/Features/ICAP
#http://monklinux.blogspot.com/2012/03/installing-squid-proxy-with-reporting.html
#http://c-icap.sourceforge.net/install.html
#http://squid-web-proxy-cache.1019090.n4.nabble.com/Icap-clam-Av-td1593135.html
#http://squidclamav.darold.net/installv6.html
icap_enable          on

icap_send_client_ip on
icap_send_client_username on

icap_client_username_encode off
icap_client_username_header X-Authenticated-User

icap_preview_enable on
icap_preview_size 1024

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all



According to another post, I am using the wrong URL. What are you using?


Walter
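The squid warning in the log above ("unsupported status code of OPTIONS response") means squid's ICAP OPTIONS handshake with c-icap failed, and the c-icap line shows the service answered 500. The following script is an added example (not code from the thread or from the squid or c-icap projects): it sends the same OPTIONS request to a c-icap service and classifies the reply the way squid would treat it. Host 127.0.0.1, port 1344 and the service name squidclamav are taken from the thread's config; the sample replies at the bottom are constructed so the parser can be exercised offline.

```python
"""Probe an ICAP service with an OPTIONS request and classify the reply.

Added example, not from the forum thread. Assumes a c-icap server listening
on host:port and a service name such as "squidclamav" (the thread's name).
"""
import socket

ICAP_VERSION = b"ICAP/1.0"


def build_options_request(host, port, service):
    """Minimal ICAP OPTIONS request as described in RFC 3507 section 4.10."""
    uri = "icap://%s:%d/%s" % (host, port, service)
    return (
        "OPTIONS %s ICAP/1.0\r\n"
        "Host: %s\r\n"
        "User-Agent: icap-probe-example\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n" % (uri, host)
    ).encode("ascii")


def parse_options_response(raw):
    """Parse the status line and headers of an ICAP response.

    Returns {"status": int, "reason": str, "headers": {lowercase-name: value}}.
    Raises ValueError if the first line is not an ICAP/1.0 status line.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or parts[0] != ICAP_VERSION:
        raise ValueError("not an ICAP status line: %r" % lines[0])
    status = int(parts[1])
    reason = parts[2].decode("ascii", "replace") if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii", "replace")
    return {"status": status, "reason": reason, "headers": headers}


def classify(parsed):
    """Turn a parsed OPTIONS reply into a verdict.

    Squid only accepts a 200 reply to OPTIONS; anything else makes it mark the
    service [down,!valid], which is exactly the warning in the thread's log.
    """
    status = parsed["status"]
    if status == 200:
        methods = parsed["headers"].get("methods", "")
        return "ok: service answers OPTIONS, methods=%s" % (methods or "unknown")
    if status == 404:
        return "service name not found: check the 'Service <name> ...' line in c-icap.conf"
    if status == 500:
        return "server error: the service module failed to initialise (see c-icap server.log)"
    return "unexpected status %d: squid will mark the service down" % status


def probe(host="127.0.0.1", port=1344, service="squidclamav", timeout=5.0):
    """Connect to the ICAP server, send OPTIONS, return the verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host, port, service))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify(parse_options_response(buf))


# Constructed sample replies (not captured from a real server) for offline use.
SAMPLE_OK = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD, REQMOD\r\n"
             b"Service: example antivirus service\r\nISTag: EXAMPLE-TAG\r\n"
             b"Encapsulated: null-body=0\r\n\r\n")
SAMPLE_500 = b"ICAP/1.0 500 Server error\r\nEncapsulated: null-body=0\r\n\r\n"

if __name__ == "__main__":
    import sys
    svc = sys.argv[1] if len(sys.argv) > 1 else "squidclamav"
    print(probe(service=svc))
```

Run it on the proxy host as `python3 icap_probe.py squidclamav`; a 500 verdict points at the service module (the c-icap side), a 404 at a service-name mismatch between squid.conf and c-icap.conf, and a connection refusal at c-icap not listening on 1344 at all.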
Odward
n00b
Joined: 21 Mar 2012
Posts: 65

PostPosted: Fri Aug 24, 2012 5:14 am

Quote:
icap_enable on

icap_send_client_ip on
icap_send_client_username on

icap_client_username_encode off
icap_client_username_header X-Authenticated-User

icap_preview_enable on
icap_preview_size 1024

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all


That entry of yours is exactly what I'm using.

In /etc/c-icap/c-icap.conf
Do you have
Code:
Service squidclamav squidclamav.so

If you had that configured from your initial settings it might have been similar to
Code:
Service srv_clamav srv_clamav.so

and assuming we're both using the same stable versions from portage, the squidclamav.so should be the correct version.

***Edit - Just an FYI of sorts
In c-icap.conf - "Service squidclamav squidclamav.so" the squidclamav is arbitrary in that you could rename the service
to whatever you want. If you used a custom name, the squid.conf file would have to use the same name at the end of the icap:url
because that's how it knows what service it is trying to contact. The squidclamav.so is the important part because that is the shared
object file used by the service. I'm assuming a previous version used srv_clamav.so but that file doesn't exist on my system.

And just in case - in c-icap.conf you should have ServicesDir followed by the /path/to your squidclamav.so in my case it's
Code:
ServicesDir /usr/lib64/c_icap

Alternately for "Service" you could use
Code:
Service squidclamav /usr/lib64/c_icap/squidclamav.so

Or the correct path if it's different on your system.

And, if this wasn't all for naught, don't forget to restart your c-icap with the new config :D
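The point of the post above is that the service name at the end of squid's icap:// URL must match a `Service <name> <module>` line in c-icap.conf, and that the module must actually exist under ServicesDir. The script below is an added example (not from the thread or either project) that cross-checks the two files for exactly those two mistakes. It assumes the directive syntax shown in the thread; the sample configs are constructed to reproduce the thread's own srv_clamav / squidclamav mismatch, and `exists` is injectable so the check runs without a real filesystem.

```python
"""Cross-check squid.conf icap_service URLs against c-icap.conf Service lines.

Added example, not from the thread. Assumes the syntax seen in the thread:
  c-icap.conf : 'ServicesDir <dir>' and 'Service <name> <module.so>'
  squid.conf  : 'icap_service <id> <vectoring point> [options] icap://host:port/<name>'
"""
import os
import re


def parse_cicap_conf(text):
    """Return (ServicesDir or None, {service name: module path})."""
    services_dir = None
    services = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if fields[0] == "ServicesDir" and len(fields) >= 2:
            services_dir = fields[1]
        elif fields[0] == "Service" and len(fields) >= 3:
            services[fields[1]] = fields[2]
    return services_dir, services


# id, vectoring point, optional extras, then the icap:// URL at the end
ICAP_SERVICE_RE = re.compile(r"^\s*icap_service\s+(\S+)\s+(\S+)\s+(.*?)(icap://\S+)\s*$")


def parse_squid_icap_services(text):
    """Return one dict per icap_service line: id, vectoring, url, service name."""
    result = []
    for line in text.splitlines():
        m = ICAP_SERVICE_RE.match(line.split("#", 1)[0])
        if not m:
            continue
        url = m.group(4)
        # icap://host:port/<name>  ->  the path after the third slash
        name = url.split("/", 3)[3] if url.count("/") >= 3 else ""
        result.append({"id": m.group(1), "vectoring": m.group(2), "url": url, "service": name})
    return result


def check(squid_conf, cicap_conf, exists=os.path.exists):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    services_dir, services = parse_cicap_conf(cicap_conf)
    if not services:
        findings.append("c-icap.conf defines no Service lines")
    for name, module in services.items():
        if os.path.isabs(module):
            path = module
        elif services_dir is None:
            findings.append("Service %s: relative module %s but no ServicesDir set" % (name, module))
            continue
        else:
            path = os.path.join(services_dir, module)
        if not exists(path):
            findings.append("Service %s: module %s does not exist" % (name, path))
    for svc in parse_squid_icap_services(squid_conf):
        if svc["service"] not in services:
            findings.append("squid icap_service %s points at /%s but c-icap.conf defines only: %s"
                            % (svc["id"], svc["service"], ", ".join(services) or "nothing"))
    return findings


# Constructed sample configs (mirroring the thread, not copied from a real host).
SQUID_CONF_OLD = """
icap_enable on
icap_service service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service service_avi respmod_precache 1 icap://localhost:1344/srv_clamav
"""
SQUID_CONF_NEW = """
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
"""
CICAP_CONF = """
ServicesDir /usr/lib64/c_icap
Service squidclamav squidclamav.so   # name squid must use at the end of the URL
"""

if __name__ == "__main__":
    with open("/etc/squid/squid.conf") as f, open("/etc/c-icap/c-icap.conf") as g:
        for finding in check(f.read(), g.read()) or ["ok: squid.conf and c-icap.conf agree"]:
            print(finding)
```

With the thread's first squid.conf the check reports both icap_service lines as pointing at /srv_clamav while c-icap.conf only defines squidclamav; with the updated squid.conf it is clean, provided the .so is really present under ServicesDir.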
walterw
Guru
Joined: 17 Oct 2003
Posts: 430

PostPosted: Fri Aug 24, 2012 2:09 pm

Hi,

I forgot about c-icap.conf. I had edited it to some point to match the URL, but it was set to clamav. I changed it to squidclamav to match squid, restarted and I believe I am still having the same problem.

I will take a look again later, it seems squid is banning it because it is repeatedly not working (so the logs are not as verbose as I like until it tries to use it again).


Walter
walterw
Guru
Joined: 17 Oct 2003
Posts: 430

PostPosted: Sat Aug 25, 2012 4:22 am

Hi Odward,

I set the DebugLevel to 10 in c-icap.conf. I now see that squidclamav is not initializing, but I don't appear to see anything else that stands out as helpful / useful.

It would be helpful if I can see there is a configuration flaw in my squidclamav.conf or if there is a library mismatch.

Code:

maxsize 5000000
redirect http://router/squid-clamav/virus-found.html
squidguard /usr/bin/squidGuard
clamd_local /var/run/clamav/clamd.sock

timeout 1
logredir 1

dnslookup 1
trustcache 0



I am rebuilding a bunch of libraries with the hope that maybe a library was out of sync after an update.


Walter
Odward
n00b
Joined: 21 Mar 2012
Posts: 65

PostPosted: Sun Aug 26, 2012 3:46 am

I have 'dnslookup 0' because the config file says if that is enabled (1) you must use "trustclient with hostname in the regexp"
and you must have a DNS server on your network.

I don't have a real DNS server, and you don't appear to be using trustclient unless you omitted that from your config post.

Also the trustcache, which might need to be trust_cache, according to http://squidclamav.darold.net/config.html is "obsolete/unused" in version 6.x

This last part may not concern you, but just in case.
The last thing I can think of offhand, from my limited experience, would be to ask if you changed the default User / Group of c-icap yet?
I had mine working first, but afterwards I ceased having it run as root and I believe I had to be sure clamd and c-icap were both a member
of the same group so c-icap could use the clamd socket (by default my clamd.sock was only available to owner/group). I also think I had to
add that group to the database used by squidGuard so it could read the blacklisted / whitelisted sites, since it is apparently called by the
c-icap server via squidclamav.conf and ignores the url_rewrite directives in squid.conf entirely. If I comment "squidguard ..." in squidclamav.conf
I still get AV scans but I lose ad filtering, even with url_rewrite rules in place and working in squid.conf before I even installed squidclamav. So
for me, so far, that "squidguard /usr/bin/squidGuard" is required to retain ad filtering (even though the squidclamav.conf says the url_rewrites
in squid.conf are the preferred method!).
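The last paragraph above describes a failure mode that produces no squid-side error at all: c-icap dropped from root to its own account, and the clamd socket is only writable by clamd's owner and group. The script below is an added example (not from the thread or either project) that checks whether a given account can write to the socket, which is what connecting to a Unix socket requires. The socket path and account names are the thread's defaults and are assumed; the permission logic is kept separate so it can be exercised with constructed values.

```python
"""Check whether the c-icap service account can open the clamd Unix socket.

Added example, not from the thread. Assumes the thread's defaults for the
socket path (/var/run/clamav/clamd.sock) and the c-icap account name; both
are parameters. Directory search permission is not checked here.
"""
import grp
import os
import pwd
import stat


def can_write_inode(mode, owner_uid, owner_gid, uid, gids):
    """Pure permission logic: may uid (a member of the gids set) write to an
    inode with this permission mode, owner and group? Root always can."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def account_gids(username):
    """Primary group plus every supplementary group listing the user."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return gids


def describe_fix(owner_gid, mode):
    """Suggest the least-privilege fix the thread arrived at: add the
    service account to the socket's group (needs group write on the socket)."""
    try:
        group = grp.getgrgid(owner_gid).gr_name
    except KeyError:
        group = str(owner_gid)
    if mode & stat.S_IWGRP:
        return "add the service account to group '%s'" % group
    return "socket lacks group write; set clamd's socket permissions to allow group '%s'" % group


def check_socket(path="/var/run/clamav/clamd.sock", user="c-icap"):
    """Return a one-line verdict for a real socket on this host."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return "%s is not a socket" % path
    mode = stat.S_IMODE(st.st_mode)
    pw = pwd.getpwnam(user)
    ok = can_write_inode(mode, st.st_uid, st.st_gid, pw.pw_uid, account_gids(user))
    verdict = "%s %s write to %s (mode %s, uid %d, gid %d)" % (
        user, "can" if ok else "CANNOT", path, oct(mode), st.st_uid, st.st_gid)
    return verdict if ok else verdict + "; " + describe_fix(st.st_gid, mode)


# Constructed values modelling the thread's situation (not read from a host):
# clamd.sock owned by clamav (uid/gid 1001), mode 0660; c-icap runs as uid 1002.
SOCK_MODE, CLAMAV_UID, CLAMAV_GID, CICAP_UID = 0o660, 1001, 1001, 1002

if __name__ == "__main__":
    print(check_socket())
```

Run it on the proxy host as the root or the c-icap user; if it reports CANNOT, the group membership change described in the post above is the fix, followed by a restart of c-icap so it picks up the new group list.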
walterw
Guru
Joined: 17 Oct 2003
Posts: 430

PostPosted: Sun Aug 26, 2012 12:44 pm

Hi Odward,

Thanks for your reply. I commented out trustcache 0, as when squidclamav was starting it would complain about that but still start. I don't see any errors yet, but I also can download that EICAR file (perhaps because it is in my cache).

I'll let this run for a while to see if squid is using squidclamav or if it is still blocking it.


Thanks,

Walter
walterw
Guru
Joined: 17 Oct 2003
Posts: 430

PostPosted: Mon Sep 10, 2012 2:49 am

Hi Odward,

Thanks for your help. I decided to take a look at it this evening and found that apparently having the line:

Code:

squidguard /usr/bin/squidGuard


was causing squidGuard to never initialize. I commented it out and it now works. I believe I am using adzapper and squidGuard along with squidClamav for anti-virus checking now. I think before, it was trying to do squidGuard twice.

Anyways, it looks like it is working. Maybe this will help someone else.

The only downside now is, my Internet appears to be a little sluggish now.


Walter