OPNsense ICAP + ClamAV

Started by yahoo1983, October 06, 2017, 10:56:57 AM

Hello,
I've managed to setup a proxy with virus check. When I do Eicar test, I get:

VIRUS FOUND
You tried to upload/download a file that contains the virus: Eicar-Test-Signature
The Http location is: https://secure.eicar.org/eicar.com.txt

For more information contact your system administrator

This message generated by C-ICAP service: avscan?allow204=on&mode=simple
Antivirus engine: clamd-0992/23911

Which is fine. I was wondering, though, whether a once-blocked address is stored somewhere, because when I try to enter it again I do not get the warning about the virus. The webpage simply doesn't load. Is that normal behaviour, or is something missing?

Thanks

Which browser are you using? I'm on FF, testing with http (not https), and I always get the error.

I'm testing it on Firefox version 56. I noticed it always works when I download the txt, while weird stuff happens when it's zipped.

October 06, 2017, 11:29:59 AM #3 Last Edit: October 06, 2017, 11:37:29 AM by yahoo1983
Ok, I noticed how it works. For some reason the message is displayed:
HTTPS: YES
HTTP: nothing is going on besides firefox trying to load a page (forever)

Ok, I'm clueless. http://rexswain.com/eicar.html
First zip gets forever loading
the second one gets blocked
:)

Really? I tried with http and hopping between txt and zip, working fine for me

October 06, 2017, 11:41:13 AM #5 Last Edit: October 06, 2017, 11:52:40 AM by yahoo1983
I'm lost
https://support.kaspersky.com/downloads/eicar/eicar.zip BLOCKED AND MESSAGE DISPLAYED
https://secure.eicar.org/eicar.com.txt BLOCKED AND MESSAGE DISPLAYED
http://rexswain.com/eicar.html first com and zip GET forever loading, last eicar2.zip BLOCKED AND MESSAGE DISPLAYED

No idea what is going on. Could you check if you get the same results? :)

All work for me, and I enabled SSL scanning now. Perhaps your Proxy needs a restart?

I just did that and the problem remains, no idea what it is. I'll try to check all the options again.

You can go to CLI and check what /var/log/c-icap/server.log says ...

This log doesn't say anything about the failed connections.
In access log I get:
For blocked:
192.168.100.2 TCP_MISS/403 839 GET http://rexswain.com/eicar2.zip - ORIGINAL_DST/206.130.113.68 text/html

For the one that doesn't even get loaded:
192.168.100.2 TCP_MISS_ABORTED/000 0 GET http://rexswain.com/eicar.zip - ORIGINAL_DST/206.130.113.68 -
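The two access-log lines above are the clue the thread later resolves: a 403 with an HTML body is the c-icap error page, while an `_ABORTED/000` line with zero bytes is a request that never got an answer. The following Python script is an added example, not code from the thread or from OPNsense; it parses lines in the trimmed form quoted here (no timestamp or elapsed-ms fields) and labels each URL so the two failure modes can be told apart in a larger log. The sample lines are constructed.

```python
import re

# Constructed sample lines modelled on the two quoted in the thread, plus one
# successful fetch for contrast. Fields: client, cache-status/HTTP-status, bytes,
# method, URL, user, peer-status/peer-IP, content-type.
SAMPLE_LOG = """\
192.168.100.2 TCP_MISS/403 839 GET http://rexswain.com/eicar2.zip - ORIGINAL_DST/206.130.113.68 text/html
192.168.100.2 TCP_MISS_ABORTED/000 0 GET http://rexswain.com/eicar.zip - ORIGINAL_DST/206.130.113.68 -
192.168.100.2 TCP_MISS/200 1240 GET http://rexswain.com/eicar.html - ORIGINAL_DST/206.130.113.68 text/html
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<cache>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>[A-Z_]+)/(?P<peer_ip>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec):
    """Label one record.

    'icap_blocked'     : proxy returned a 403 with an HTML body, i.e. the c-icap
                         VIRUS FOUND page (an origin-server 403 looks the same here,
                         so confirm against /var/log/c-icap/server.log).
    'dropped_upstream' : status 000, zero bytes, cache status ending in _ABORTED:
                         the request never got a reply. In the thread this was the
                         IPS dropping the port-80 flow before the proxy could answer.
    'ok'               : anything else.
    """
    if rec["status"] == 403 and rec["ctype"] == "text/html":
        return "icap_blocked"
    if rec["status"] == 0 and rec["bytes"] == 0 and rec["cache"].endswith("_ABORTED"):
        return "dropped_upstream"
    return "ok"


def triage(log_text):
    """Map each URL in the log to its classification, skipping unparseable lines."""
    return {rec["url"]: classify(rec)
            for rec in map(parse_line, log_text.splitlines()) if rec}
```

Run it over `/var/log/squid/access.log` (assumed path on the OPNsense box) and any URL labelled `dropped_upstream` is worth checking against the Intrusion Detection alert log rather than the ICAP log.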

October 10, 2017, 07:43:09 AM #10 Last Edit: October 10, 2017, 08:07:08 AM by yahoo1983
Ok I narrowed down the problem to Intrusion Detection set to enabled. When I disabled the service everything started working fine.

2017-10-10T07:52:47.754432+0200   blocked   213.211.198.62 OPNsense test eicar virus
It's on port 80 and it's dropping all communication.

Can I make it display an alert?

Edit: I disabled Intrusion Detection, downloaded the rule sets, enabled the service again, and it's working fine now. The Eicar virus test is working. Seems like something went wrong with the initial config.

I'm having the same problem.

Eicar https downloads trigger the error page with details; http downloads just cause the page to fail to load. OK, so it is still protecting the LAN, but it would be nice to show users why they can't get to the page.

Restarting the Intrusion Detection fixes it but only until either the ID rules are updated or until a reboot.

Any suggestions?

Just want to interrupt here: The packets may be dropped by the IPS if enabled which may be the reason for a TCP timeout.

Thanks, but why are the packets not dropped on an https connection? I am using a transparent proxy, so the packets still get decrypted and checked, unless the ID only works on non-encrypted traffic???

The IPS is a network based IPS. It sees only TLS protected traffic and therefore it will not see the eicar test file.
The traffic is only decrypted inside the proxy (and maybe inside ICAP).

So yes, the IPS cannot scan HTTPS downloads - that is why you need a scanning engine for the Proxy as well.