OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: Q3tNHn on December 10, 2024, 07:31:00 PM

Title: Antivirus is not working
Post by: Q3tNHn on December 10, 2024, 07:31:00 PM
Hi all,
I am setting up the antivirus by following this tutorial: https://docs.opnsense.org/manual/how-tos/proxyicapantivirusinternal.html
But after I set up everything, I can still download the EICAR test file over http and https like normal. How do I troubleshoot?
I am pretty sure the transparent proxy is working fine, because the web filter is working normally: it blocks URLs that should be blocked.
Thank you
Title: Re: Antivirus is not working
Post by: Melroy vd Berg on December 11, 2024, 12:34:28 AM
I assume:

1. Your anti-virus is not running or installed correctly. Validate your setup and be sure ClamAV for example is running: https://docs.opnsense.org/manual/how-tos/clamav.html
2. You configured ICAP incorrectly. Maybe using the wrong port number or something like that.
Title: Re: Antivirus is not working
Post by: Q3tNHn on December 11, 2024, 08:47:50 PM
Hi, both the c-icap and clamd services are running, but when I execute netstat -n I can't see port 1344 or 3310 open. On Linux I can see the process name in netstat, but I can't do that on *BSD, so it is impossible to know which ports they really bind to. If the configuration is wrong, I assume the service won't start.
Title: Re: Antivirus is not working
Post by: Q3tNHn on December 11, 2024, 09:29:11 PM
Quote from: Melroy vd Berg on December 11, 2024, 12:34:28 AM
I assume:

1. Your anti-virus is not running or installed correctly. Validate your setup and be sure ClamAV for example is running: https://docs.opnsense.org/manual/how-tos/clamav.html
2. You configured ICAP incorrectly. Maybe using the wrong port number or something like that.

I just checked and everything was fine, the configuration is correct. But I was able to download the EICAR file like normal?
Title: Re: Antivirus is not working
Post by: meyergru on December 11, 2024, 10:00:10 PM
Maybe a too obvious question to ask, but did you notice the blue note here (https://docs.opnsense.org/manual/how-tos/clamav.html)?

To be more specific: What signatures did you download that include the EICAR test signature? You can check under "Services: ClamAV: Configuration".

After I made sure that signatures were loaded, Squid was restarted after having applied all settings and specifically enabled inspecting SSL traffic as well (because the test file is on https://pkg.opnsense.org/test/eicar.com.txt), I got this (I used no transparent proxy, but explicit client settings and no additional web filters):
Title: Re: Antivirus is not working
Post by: Q3tNHn on December 13, 2024, 12:47:17 AM
Quote from: meyergru on December 11, 2024, 10:00:10 PM
Maybe a too obvious question to ask, but did you notice the blue note here (https://docs.opnsense.org/manual/how-tos/clamav.html)?

To be more specific: What signatures did you download that include the EICAR test signature? You can check under "Services: ClamAV: Configuration".

After I made sure that signatures were loaded, Squid was restarted after having applied all settings and specifically enabled inspecting SSL traffic as well (because the test file is on https://pkg.opnsense.org/test/eicar.com.txt), I got this (I used no transparent proxy, but explicit client settings and no additional web filters):

Yes I do. I restarted the firewall after I downloaded the signatures. 
Title: Re: Antivirus is not working
Post by: meyergru on December 13, 2024, 01:04:32 AM
That does not answer the question if you are indeed seeing the signatures under "Services: ClamAV: Configuration -> Versions" and is the exact opposite of what the documentation states. You probably would have to download the signatures again after a reboot, not reboot the firewall after you did it.

What I meant was to restart squid after you made sure that you see the downloaded versions.
Title: Re: Antivirus is not working
Post by: Q3tNHn on December 14, 2024, 02:19:20 AM
Quote from: meyergru on December 13, 2024, 01:04:32 AM
That does not answer the question if you are indeed seeing the signatures under "Services: ClamAV: Configuration -> Versions" and is the exact opposite of what the documentation states. You probably would have to download the signatures again after a reboot, not reboot the firewall after you did it.

What I meant was to restart squid after you made sure that you see the downloaded versions.

I did, it doesn't work.
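
Added example (not part of the thread and not written by any of its posters): a Python check, run on the firewall itself, that probes clamd and c-icap directly so that signatures, the ICAP listener and the Squid settings can be ruled out one at a time. Ports 3310 and 1344 are the ones named in the thread; the loopback address, an enabled clamd TCP listener and the ICAP service name `avscan` are assumptions to adjust to the actual configuration.

```python
import socket
import struct

# Standard 68-byte EICAR test string, split so this script does not itself
# contain the contiguous string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-" + rb"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def instream_frame(data: bytes) -> bytes:
    """clamd zINSTREAM: command, one length-prefixed chunk, zero-length end marker."""
    return b"zINSTREAM\0" + struct.pack("!I", len(data)) + data + struct.pack("!I", 0)

def options_request(host: str, port: int, service: str) -> bytes:
    """ICAP OPTIONS request (RFC 3507) for the given service path."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode()

def probe(host, port, request, timeout=5.0):
    """Send request over TCP; return the first reply bytes, or None if unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            return s.recv(4096)
    except OSError:
        return None

def clamd_detects(reply: bytes) -> bool:
    # clamd answers "stream: <signature> FOUND" on a hit, "stream: OK" otherwise
    return reply.rstrip(b"\0\n").endswith(b" FOUND")

def diagnose(clamd_reply, icap_reply) -> str:
    """Name the first layer that fails, going from the scanner outwards."""
    if not clamd_reply:
        return "clamd: no reply over TCP, check the service and its TCP listener"
    if not clamd_detects(clamd_reply):
        return "clamd: answered but did not flag EICAR, check loaded signatures"
    if not icap_reply or not icap_reply.startswith(b"ICAP/1.0 200"):
        return "c-icap: no valid OPTIONS reply, check listener and service name"
    return "clamd and c-icap respond: check Squid ICAP and SSL inspection settings"

if __name__ == "__main__":
    host = "127.0.0.1"  # assumption: both services listen on IPv4 loopback
    print(diagnose(
        probe(host, 3310, instream_frame(EICAR)),
        probe(host, 1344, options_request(host, 1344, "avscan"))))  # service name assumed
```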