Clamav Scan in ZIP-Files

Started by guest23448, February 15, 2020, 04:57:19 PM

Hi there,

I am new to OPNsense and can't manage to scan ZIP files with ClamAV. Tested with the EICAR test virus (HTTP / HTTPS). It works for non-zip files over both HTTP / HTTPS, but not for ZIP. Is anyone able to quickly check whether it is working on their configuration?

OPNsense: 20.1.1 (but was also not working on 20.1)
C-ICAP: 1.7
ClamAV: 1.7 with engine 0.102.1

Thanks!

These are my ClamAV settings, and they successfully scanned and detected a "contaminated" zip file.

http://www.rexswain.com/eicar.html

Did you also configure Web Proxy (Squid)?


miroco

Thanks a lot miroco - this solved the problem!

After hours of testing, resetting the cache etc., searching Google for terms in the proxy access log and questioning myself why I always get a TCP_MISS/200 and thus the test virus remains undetected - it was a stupid typo in the archive config section of ClamAV  ::)  >:(

Compared to your screenshots, I forgot the "M" after the number entered in "Max scan size"...

Now it works!
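The fix above is a unit problem: a clamd.conf size such as MaxScanSize is a number with an optional K or M suffix, and an unsuffixed number is plain bytes, so "100" is a 100-byte limit rather than 100 MiB. The following added example (not from this thread or from OPNsense/ClamAV) parses such values and shows, for constructed sample file sizes, which limits a plain EICAR file and a small archive would stay within; the size grammar is my reading of the clamd.conf documentation, not something stated in the thread.

```python
import re

# Assumed grammar (from clamd.conf documentation, not from this thread):
# decimal digits with an optional K or M suffix; no suffix means bytes.
_SIZE_RE = re.compile(r"^(\d+)([KkMm]?)$")
_MULTIPLIER = {"": 1, "k": 1024, "m": 1024 * 1024}


def parse_clamd_size(value: str) -> int:
    """Return the byte count a clamd.conf size option (e.g. MaxScanSize) denotes."""
    match = _SIZE_RE.match(value.strip())
    if not match:
        raise ValueError(f"not a clamd size value: {value!r}")
    number, suffix = match.groups()
    return int(number) * _MULTIPLIER[suffix.lower()]


def check_limits(max_scan_size: str, max_file_size: str,
                 samples: dict[str, int]) -> dict[str, bool]:
    """For each label -> size-in-bytes sample, report whether the whole file
    stays within both MaxScanSize and MaxFileSize, i.e. whether ClamAV would
    scan all of it instead of stopping at a limit."""
    scan_limit = parse_clamd_size(max_scan_size)
    file_limit = parse_clamd_size(max_file_size)
    return {label: size <= scan_limit and size <= file_limit
            for label, size in samples.items()}


# Constructed sample sizes for illustration: the plain EICAR string is 68 bytes;
# the archive figure is a made-up but realistic size for a tiny ZIP around it.
SAMPLES = {"eicar.com (plain)": 68, "eicar_com.zip (archive)": 184}

if __name__ == "__main__":
    # "100" (the typo) versus "100M" (the intended setting), MaxFileSize 30M as in the thread.
    for setting in ("100", "100M"):
        print(f"MaxScanSize {setting} -> {parse_clamd_size(setting)} bytes")
        for label, ok in check_limits(setting, "30M", SAMPLES).items():
            print(f"  {label}: {'within limits' if ok else 'exceeds a limit'}")
```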

Is somebody able to explain the correlation between the scan size settings in Web Proxy, C-ICAP and ClamAV? I do not know if I got it right.

Is the priority fixed (Proxy - C-ICAP - ClamAV) and does it override in the worst case?

Specific:

Web Proxy/Administration/ICAP
Preview size: 1024K
Object size (don't know if there is also a size and can't test currently): X

C-ICAP/Antivirus
- Max Object Size: 30M
- Send Percentage data: 25%
- Start send percentage data: 6M

ClamAV
- Max scan size: 100M
- Max file size: 30M

Questions related to scan performance and quality:

  • How do the proxy preview and the C-ICAP send percentage correlate? In my understanding, previewing sends 1024KB of data for every file and returns the status. Files up to 1024KB are completely scanned. If more data is required for files > 1024KB, C-ICAP requests it, whereas C-ICAP only sends the remaining difference between 1024KB and the "scan percentage" from "start scan percentage" to ClamAV and decides based on that. So it doesn't make sense to set the combination of "preview", "start send percentage" and "send percentage" in a way that results in values below 1024KB and generates overhead (e.g. 5% of 4MB = 200KB, which is smaller than the preview --> generates an additional loop, but no additional data will be sent/scanned and the process stops, probably with a non-virus result). Thus, the best config to avoid this nonsensical second round must result in a remaining size > 1024KB, right? E.g. 6M 25% --> files up to 6M result in a full scan if the preview is not sufficient; for bigger files the remaining data to be scanned starts from 476KB.
  • How does the max object size in the proxy and C-ICAP correlate to the max file size in ClamAV? Would it be worth it to, e.g., set the object size higher than the max file size, so that the 1024KB preview data is sent for huge files anyway and a virus can be detected in the preview, but ClamAV then stops at the configured file size threshold? Or should they be similar?
  • Is the max file size of ClamAV calculated based on the input data from C-ICAP, thus reflecting the "send percentage" data, or based on the full file size? As I understood it, it's never clear how big a file is until it's fully transmitted. So the object size in the proxy and C-ICAP should definitely be higher to have max. 30M scanned at the end, right? In my configuration up to 124M (25% of 124MB minus the 1024K preview = approx. 30M file size). As file sizes of 124M are fairly rare, it could also mean an increase of the percentage instead.
  • If so, I can leave the 100M scan size in ClamAV so that the final max. 30MB file can be extracted up to 100MB in case of an archive.

How do you see this?