Antivirus is not working

Started by Q3tNHn, December 10, 2024, 07:31:00 PM

Hi all,
I am setting up the antivirus by following this tutorial: https://docs.opnsense.org/manual/how-tos/proxyicapantivirusinternal.html
But after I set up everything, I can still download the EICAR test file over http and https like normal. How do I troubleshoot?
I am pretty sure the transparent proxy is working fine, because the web filter was working normally: it blocks URLs that should be blocked.
Thank you

December 11, 2024, 12:34:28 AM #1 Last Edit: December 14, 2024, 12:35:18 AM by Melroy vd Berg
I assume:

1. Your anti-virus is not running or installed correctly. Validate your setup and be sure ClamAV for example is running: https://docs.opnsense.org/manual/how-tos/clamav.html
2. You configured ICAP incorrectly. Maybe using the wrong port number or something like that.
Hardware: DEC3852
Version: OPNsense 24.10 Business Edition

Hi, both the c-icap and clamd services are running, but when I execute netstat -n I can't see port 1344 or 3310 open. On Linux I can see the process name in netstat, but I can't do that on *BSD, so it is impossible to know which ports they really bind on. If the configuration were wrong, I assume the service wouldn't start.

Quote from: Melroy vd Berg on December 11, 2024, 12:34:28 AM
I assume:

1. Your anti-virus is not running or installed correctly. Validate your setup and be sure ClamAV for example is running: https://docs.opnsense.org/manual/how-tos/clamav.html
2. You configured ICAP incorrectly. Maybe using the wrong port number or something like that.

I just checked and everything was fine, the configuration is correct. But I was able to download the EICAR file like normal?

December 11, 2024, 10:00:10 PM #4 Last Edit: December 11, 2024, 10:24:49 PM by meyergru
Maybe a too obvious question to ask, but did you notice the blue note here?

To be more specific: What signatures did you download that include the EICAR test signature? You can check under "Services: ClamAV: Configuration".

After I made sure that the signatures were loaded, restarted Squid after applying all settings, and specifically enabled inspecting SSL traffic as well (because the test file is at https://pkg.opnsense.org/test/eicar.com.txt), I got this (I used no transparent proxy, but explicit client settings and no additional web filters):
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

Quote from: meyergru on December 11, 2024, 10:00:10 PM
Maybe a too obvious question to ask, but did you notice the blue note here?

To be more specific: What signatures did you download that include the EICAR test signature? You can check under "Services: ClamAV: Configuration".

After I made sure that the signatures were loaded, restarted Squid after applying all settings, and specifically enabled inspecting SSL traffic as well (because the test file is at https://pkg.opnsense.org/test/eicar.com.txt), I got this (I used no transparent proxy, but explicit client settings and no additional web filters):

Yes, I do. I restarted the firewall after I downloaded the signatures.

That does not answer the question if you are indeed seeing the signatures under "Services: ClamAV: Configuration -> Versions" and is the exact opposite of what the documentation states. You probably would have to download the signatures again after a reboot, not reboot the firewall after you did it.

What I meant was to restart squid after you made sure that you see the downloaded versions.

Quote from: meyergru on December 13, 2024, 01:04:32 AM
That does not answer the question if you are indeed seeing the signatures under "Services: ClamAV: Configuration -> Versions" and is the exact opposite of what the documentation states. You probably would have to download the signatures again after a reboot, not reboot the firewall after you did it.

What I meant was to restart squid after you made sure that you see the downloaded versions.

I did, it doesn't work.