Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Opnsese icap + clamav
« previous
next »
Print
Pages: [
1
]
2
Author
Topic: Opnsese icap + clamav (Read 9489 times)
yahoo1983
Newbie
Posts: 10
Karma: 0
Opnsese icap + clamav
«
on:
October 06, 2017, 10:56:57 am »
Hello,
I've managed to setup a proxy with virus check. When I do Eicar test, I get:
VIRUS FOUND
You tried to upload/download a file that contains the virus: Eicar-Test-Signature
The Http location is:
https://secure.eicar.org/eicar.com.txt
For more information contact your system administrator
This message generated by C-ICAP service: avscan?allow204=on&mode=simple
Antivirus engine: clamd-0992/23911
Which is fine. I was wondering though, whether once blocked address is stored somewhere. Because when I try to enter it again, I do not get warning about the virus. The webpage simply doesn't load. Is that normal behaviour or something is missing ?
Thanks
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Opnsese icap + clamav
«
Reply #1 on:
October 06, 2017, 11:04:44 am »
Which browser are you using? I'm with FF and test with http (not https) and getting always the error.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
yahoo1983
Newbie
Posts: 10
Karma: 0
Re: Opnsese icap + clamav
«
Reply #2 on:
October 06, 2017, 11:22:23 am »
I'm testing it on firefox version 56. I noticed it's always on when i donwnload txt, while weird stuff happenening when its zipped.
Logged
yahoo1983
Newbie
Posts: 10
Karma: 0
Re: Opnsese icap + clamav
«
Reply #3 on:
October 06, 2017, 11:29:59 am »
Ok, I noticed how it works. For some reason the message is displayed:
HTTPS: YES
HTTP: nothing is going on besides firefox trying to load a page (forever)
Ok, I'm clueless.
http://rexswain.com/eicar.html
First zip gets forever loading
the second one gets blocked
«
Last Edit: October 06, 2017, 11:37:29 am by yahoo1983
»
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Opnsese icap + clamav
«
Reply #4 on:
October 06, 2017, 11:30:48 am »
Really? I tried with http and hopping between txt and zip, working fine for me
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
yahoo1983
Newbie
Posts: 10
Karma: 0
Re: Opnsese icap + clamav
«
Reply #5 on:
October 06, 2017, 11:41:13 am »
I'm lost
https://support.kaspersky.com/downloads/eicar/eicar.zip
BLOCKED AND MESSAGE DISPLAYED
https://secure.eicar.org/eicar.com.txt
BLOCKED AND MESSAGE DISPLAYED
http://rexswain.com/eicar.html
first com and zip GETS forever loading, last eicar2.zip BLOCKED AND MESSAGE DISPLAYED
no idea what is going on. Could you check if you get same results ?
«
Last Edit: October 06, 2017, 11:52:40 am by yahoo1983
»
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Opnsese icap + clamav
«
Reply #6 on:
October 06, 2017, 11:51:02 am »
All work for me, and I enabled SSL scanning now. Perhaps your Proxy needs a restart?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
yahoo1983
Newbie
Posts: 10
Karma: 0
Re: Opnsese icap + clamav
«
Reply #7 on:
October 06, 2017, 11:53:19 am »
I just did that and the problem remains, no idea what it is. I'll try to check all the options again
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Opnsese icap + clamav
«
Reply #8 on:
October 06, 2017, 11:54:17 am »
You can go to CLI and check what /var/log/c-icap/server.log says ...
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
yahoo1983
Newbie
Posts: 10
Karma: 0
Re: Opnsese icap + clamav
«
Reply #9 on:
October 06, 2017, 12:00:18 pm »
This log doesn't say anything about the failed connections.
In access log I get:
For blocked:
192.168.100.2 TCP_MISS/403 839 GET
http://rexswain.com/eicar2.zip
- ORIGINAL_DST/206.130.113.68 text/html
For the one that doesn't get loaded even
192.168.100.2 TCP_MISS_ABORTED/000 0 GET
http://rexswain.com/eicar.zip
- ORIGINAL_DST/206.130.113.68 -
Logged
yahoo1983
Newbie
Posts: 10
Karma: 0
Re: Opnsese icap + clamav
«
Reply #10 on:
October 10, 2017, 07:43:09 am »
Ok I narrowed down the problem to Intrusion Detection set to enabled. When I disabled the service everything started working fine.
2017-10-10T07:52:47.754432+0200 blocked 213.211.198.62 OPNsense test eicar virus
It's on port 80 and it's dropping all communication.
Can I make it display alert ?
edit. I disabled Intrusion Detection, downloaded rule sets, enabled service again and it's working fine now. The eicar virus test is working. Seems like something went wrong with initial config.
«
Last Edit: October 10, 2017, 08:07:08 am by yahoo1983
»
Logged
PCServices
Newbie
Posts: 18
Karma: 2
Re: Opnsese icap + clamav
«
Reply #11 on:
January 18, 2018, 06:47:23 pm »
I'm having the same problem.
Eicar https downloads trigger error page with details, http downloads just cause the page fail to load. OK, so it is still protecting the LAN but it would be nice to show users why they can't get to the page.
Restarting the Intrusion Detection fixes it but only until either the ID rules are updated or until a reboot.
Any suggestions?
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Opnsese icap + clamav
«
Reply #12 on:
January 18, 2018, 06:56:55 pm »
Just want to interrupt here: The packets may be dropped by the IPS if enabled which may be the reason for a TCP timeout.
Logged
PCServices
Newbie
Posts: 18
Karma: 2
Re: Opnsese icap + clamav
«
Reply #13 on:
January 18, 2018, 07:05:43 pm »
Thanks, but why are the packets not dropped on an https connection? I am using a transparent proxy so the packets still get decrypted and checked, unless the ID only works on non-encrypted traffic???
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Opnsese icap + clamav
«
Reply #14 on:
January 18, 2018, 08:13:50 pm »
The IPS is a network based IPS. It sees only TLS protected traffic and therefore it will not see the eicar test file.
The traffic is only decrypted inside the proxy (and maybe inside ICAP).
So yes, the IPS cannot scan HTTPS downloads - that is why you need a scanning engine for the Proxy as well.
Logged
Print
Pages: [
1
]
2
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Opnsese icap + clamav