OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: FrenchFries on September 23, 2017, 11:34:50 am

Title: c-icap + clamav logging
Post by: FrenchFries on September 23, 2017, 11:34:50 am
Dear all,

How to monitor c-icap activity?
Does it log information somewhere?
In the main log, I can read "Tested presence of plugin clamav" or "request c-cap status" but nothing more indicating scanning.

I am using proxy (squid) + clamav + c-icap but it is not in transparent mode.
I am not using transparent mode, because I want to detect any unwanted traffic, including on ports 80 and 443 if coming from a virus.

Does c-icap + clamav still work in non-transparent mode?

Kind regards,
Title: Re: c-icap + clamav logging
Post by: fabian on September 23, 2017, 11:52:26 am
This has nothing to do with ICAP because it is some kind of an RPC call for a server or proxy.
This is completely independent from the way a proxy is accessed (transparent or non-transparent) since you are still communicating via HTTP(S). What you will lose in transparent mode is authentication - so you will not be able to require authentication for squid and therefore cannot pass it to the ICAP server. This is irrelevant for AV anyway if you don't need to know who downloaded the infected file - the IP can still be logged.

Yes it writes a log if enabled. Look at the /var/log directory on the OPNsense appliance. I am not sure if there is a log viewer in the GUI.
Title: Re: c-icap + clamav logging
Post by: FrenchFries on September 23, 2017, 11:53:31 am
Got it, this is /var/log/c-icap, thanks.

The c-icap documentation is requesting to turn on transparent mode, which is obviously not requested for c-icap:
https://docs.opnsense.org/manual/how-tos/proxyicapantivirus.html
You write "Step 2: setup transparent mode".

Transparent mode is dangerous, as any tcp 80 data can go through the proxy without authentication.
Especially, trojans and viruses can use port 80 to crush your information system.

Correct me if I am wrong:
Turning on transparent mode in a virus scanning environment is just a bad choice.
You should warn users more about transparent mode.
Title: Re: c-icap + clamav logging
Post by: FrenchFries on September 23, 2017, 12:05:31 pm
OK, my fault, you write:

https://docs.opnsense.org/manual/how-tos/proxytransparent.html
"When configured wrong you may end up in lessing your security defenses significantly instead of enhancing them. Using a transparent https proxy can be a dangerous practice and may not be allowed by the services you use, for instance e-banking."

You should add a warning about viruses and trojans being able to use port 80.
Title: Re: c-icap + clamav logging
Post by: fabian on September 23, 2017, 12:29:51 pm
You should add a warning about viruses and trojans being able to use port 80.

This is something that should be clear to anyone who is configuring a firewall:
Any application can send data to any port if the firewall allows it.