darold / squidclamav

SquidClamAv is a dedicated ClamAV antivirus redirector for Squid. It can run antivirus checks based on filename regex, content-type regex, and more. It is easy to install and works even with heavy Squid access.
http://squidclamav.darold.net/

squidclamav not scanning eicar correctly #17

Closed kenhen93 closed 9 years ago

kenhen93 commented 10 years ago

Hi, I am trying to get squidclamav to work with a commercial ftp service called Move It DMZ that now has built-in icap antivirus support. When setting up the settings in Move It DMZ, it has a test to send an eicar to the icap antivirus server. I also sent through another eicar file via FTP.

Here are the logs (I removed the IP for security purposes).

Mon Feb 10 15:54:20 2014, 9384/484210432, DEBUG squidclamav_init_request_data: initializing request data handler.
Mon Feb 10 15:54:20 2014, 9384/484210432, DEBUG squidclamav_check_preview_handler: processing preview header.
Mon Feb 10 15:54:20 2014, 9384/484210432, DEBUG extract_http_info: method GET
Mon Feb 10 15:54:20 2014, 9384/484210432, DEBUG extract_http_info: url http://IP/eicar.com
Mon Feb 10 15:54:20 2014, 9384/484210432, DEBUG squidclamav_check_preview_handler: URL requested: http:///eicar.com
Mon Feb 10 15:54:20 2014, 9384/484210432, DEBUG squidclamav_check_preview_handler: Content-Length: 0
Mon Feb 10 15:54:20 2014, 9384/484210432, DEBUG squidclamav_check_preview_handler: can not begin to scan url: No preview data.
Mon Feb 10 15:54:20 2014, 9384/484210432, DEBUG squidclamav_release_request_data: Releasing request data.

Tue Feb 11 09:09:43 2014, 4268/1689478912, DEBUG squidclamav_init_request_data: initializing request data handler.
Tue Feb 11 09:09:43 2014, 4268/1689478912, DEBUG squidclamav_check_preview_handler: processing preview header.
Tue Feb 11 09:09:43 2014, 4268/1689478912, DEBUG extract_http_info: method GET
Tue Feb 11 09:09:43 2014, 4268/1689478912, DEBUG extract_http_info: url http://IP/eicar.com
Tue Feb 11 09:09:43 2014, 4268/1689478912, DEBUG squidclamav_check_preview_handler: URL requested: http:///eicar.com
Tue Feb 11 09:09:43 2014, 4268/1689478912, DEBUG squidclamav_check_preview_handler: Content-Length: 0
Tue Feb 11 09:09:43 2014, 4268/1689478912, DEBUG squidclamav_check_preview_handler: can not begin to scan url: No preview data.
Tue Feb 11 09:09:43 2014, 4268/1689478912, DEBUG squidclamav_release_request_data: Releasing request data.

I believe I have set up squidclamav correctly. Clamd finds eicar as a virus when I scan it.

What is going on here? Thank you for any help.

darold commented 10 years ago

Hi,

The problem is explained in the following log entry:

Mon Feb 10 15:54:20 2014, 9384/484210432, DEBUG squidclamav_check_preview_handler: can not begin to scan url: No preview data.

You need to enable preview at the proxy side. In the squid.conf file you must set the following directive:

icap_preview_enable on
icap_preview_size 1024

A complete list of required Squid settings is exposed here: http://squidclamav.darold.net/installv6.html

kenhen93 commented 10 years ago

Hi, thank you for the quick reply. I believe I already have these settings in my squid config:

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

That is at the end of my /etc/squid/squid.conf

ps -ef | grep squid
root      4523     1  0 09:12 ?        00:00:00 squid -f /etc/squid/squid.conf
squid     4526  4523  0 09:12 ?        00:00:01 (squid) -f /etc/squid/squid.conf
squid     4527  4526  0 09:12 ?        00:00:00 (unlinkd)
squid    10741     1  0 11:00 ?        00:00:00 /usr/local/bin/c-icap -f /etc/c-icap.conf
squid    10742 10741  0 11:00 ?        00:00:00 /usr/local/bin/c-icap -f /etc/c-icap.conf
squid    10744 10741  0 11:00 ?        00:00:00 /usr/local/bin/c-icap -f /etc/c-icap.conf
squid    10745 10741  0 11:00 ?        00:00:00 /usr/local/bin/c-icap -f /etc/c-icap.conf

kenhen93 commented 10 years ago

Here are the other configs

/etc/squidclamav.conf

maxsize 5000000
redirect http://localhost/cgi-bin/clwarn.cgi
clamd_local /var/run/clamav/clamd.sock
timeout 1
logredir 0
dnslookup 1

/etc/c-icap.conf: this config is pretty normal except that I changed the user/group, ServerName and ServerAdmin, and added this at the end:

Service squidclamav /usr/local/c-icap/lib/c_icap/squidclamav.so

darold commented 10 years ago

Your configuration looks pretty good; can you try to download the following test file:

  http://c.rosu.free.fr/eicar.zip

This is a compressed eicar test virus file. This file comes from a test server, http://www.rosu.fr/tav.html, that I know is really working.

Please report here the squidclamav log entries resulting from this download.

kenhen93 commented 10 years ago

Here are the log entries from /usr/local/var/log/server.log

Tue Feb 11 15:04:53 2014, 10745/4051769088, DEBUG squidclamav_init_request_data: initializing request data handler.
Tue Feb 11 15:04:53 2014, 10745/4051769088, DEBUG squidclamav_check_preview_handler: processing preview header.
Tue Feb 11 15:04:53 2014, 10745/4051769088, DEBUG extract_http_info: method GET
Tue Feb 11 15:04:53 2014, 10745/4051769088, DEBUG extract_http_info: url http://IP/972609582
Tue Feb 11 15:04:53 2014, 10745/4051769088, DEBUG squidclamav_check_preview_handler: URL requested: http://IP/972609582
Tue Feb 11 15:04:53 2014, 10745/4051769088, DEBUG squidclamav_check_preview_handler: Content-Length: 0
Tue Feb 11 15:04:53 2014, 10745/4051769088, DEBUG squidclamav_check_preview_handler: can not begin to scan url: No preview data.
Tue Feb 11 15:04:53 2014, 10745/4051769088, DEBUG squidclamav_release_request_data: Releasing request data.

darold commented 10 years ago

Hum, I don't understand. What is the url http://IP/972609582? Could you explain to me briefly how the url http://c.rosu.free.fr/eicar.zip is transformed into the url http://IP/972609582? Have you instructed your ftp server to download the file for you, and does it then give you a new URL?

kenhen93 commented 10 years ago

Hi, I am sorry but I went in and changed the actual IP to 'IP' for security reasons. I downloaded the eicar file to my machine, then uploaded it to the FTP server, which asks the icap server to scan it.


darold commented 10 years ago

Yes, I've understood that the IP keyword is a manual substitution :-) What I was asking is how the eicar file was transmitted to your FTP server. Then, if I understand your explanation well:

1) you are uploading a file to the FTP server
2) the server stores the file under a unique Id or unique url shortcut
3) it sends a GET request to that url through a Squid proxy server
4) the Squid proxy uses c-icap+squidclamav to scan the file
5) if there's no virus found the file is "officially" available on the FTP server

Is that right?

Have you tried to download the virus test file directly with your squid proxy, I mean setting the proxy parameters in your browser or environment? You must first be sure that squid+squidclamav is working well, and when you are sure of that, try to use the FTP server. What I want you to do with http://c.rosu.free.fr/eicar.zip is to download it directly using your squid server as a proxy, to be sure that everything is working well.

Take care that the test file is now in your proxy cache, so you must delete/purge the object from the cache, or reinitialize it if that is easier for you. You can also try another file from http://www.rosu.fr/tav.html that you haven't downloaded yet.

Please report here the squidclamav log entries resulting from this "direct" download.

kenhen93 commented 10 years ago

OK, I think I did this correctly. I went to another server and installed c-icap to use the client to send a file. I am only seeing new logs in access.log, not server.log.

./c-icap-client -i virusscan.server -p 1344
ICAP server:virusscan.server, ip:IP, port:1344

OPTIONS:
Allow 204: Yes
Preview: 1024
Keep alive: Yes

ICAP HEADERS:
ICAP/1.0 200 OK:
Methods:RESPMOD, REQMOD
Service:C-ICAP/0.3.2 server - Echo demo service
ISTag:CI0001-XXXXXXXXX
Transfer-Preview:*
Options-TTL:3600
Date:Wed, 12 Feb 2014 14:59:17 GMT
Preview:1024
Allow:204
X-Include:X-Authenticated-User, X-Authenticated-Groups
Encapsulated:null-body=0

./c-icap-client -i virusscan.server -p 1344 -f eicar_niveau10.zip -s "srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple" -d 10
OK done with options!
ICAP server:virusscan.server, ip:IP, port:1344

Preview:-1 keepalive:0,allow204:0
OK allocating request
going to send request
Allocate a new entity of type 1
Allocate a new entity of type 3
Going to add 3 response headers
Add resp header: Date: Wed Feb 12 10:05:37 2014
Add resp header: Last-Modified: Wed Feb 12 10:05:37 2014
Add resp header: Content-Length: 2445
Error reading data (read return=0, errno=0)
Done

./c-icap-client -i m-qa-linuxav1.advertising.aol.com -p 1344 -f eicar_niveau10.zip -v
ICAP server:m-qa-linuxav1.advertising.aol.com, ip:64.12.227.215, port:1344

No modification needed (Allow 204 response)

ICAP HEADERS:
ICAP/1.0 204 Unmodified:
Server:C-ICAP/0.3.2
Connection:keep-alive
ISTag:CI0001-XXXXXXXXX

tail -f access.log
12/Feb/2014:10:04:32 -0500, IP IP OPTIONS echo 200
12/Feb/2014:10:04:32 -0500, IP IP RESPMOD echo 204
12/Feb/2014:10:05:15 -0500, IP IP OPTIONS srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple 404
12/Feb/2014:10:05:37 -0500, IP IP OPTIONS srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple 404

Thank you for your help.


darold commented 10 years ago

Ok, sorry for the response delay. Using your test command, here is the response I have:

c-icap-client -i 127.0.0.1 -p 1344 -f eicar.zip -s "squidclamav?allow204=on&force=on&sizelimit=off&mode=simple" -d 3 
ICAP server:127.0.0.1, ip:127.0.0.1, port:1344

Preview response was with status: 500 
Done

and looking at c-icap log file:

squidclamav.c(275) squidclamav_init_request_data: DEBUG initializing request data handler.
squidclamav.c(296) squidclamav_release_request_data: DEBUG Releasing request data.
squidclamav.c(275) squidclamav_init_request_data: DEBUG initializing request data handler.
squidclamav.c(331) squidclamav_check_preview_handler: DEBUG processing preview header.
squidclamav.c(334) squidclamav_check_preview_handler: DEBUG preview data size is 271
squidclamav.c(338) squidclamav_check_preview_handler: ERROR bad http header, aborting.
squidclamav.c(296) squidclamav_release_request_data: DEBUG Releasing request data.

Your test cannot work because there's no http header with the test file. There are -hx and -rhx command line options to c-icap-client that may help, but I can't find how they work.

Squidclamav needs the http header to check the Content-Length and the Content-Type before scanning. It cannot just be used as a file scanner; requests must come from a proxy. Here are the c-icap log entries for a try to download a virus test file through squid:

squidclamav.c(1323) extract_http_info: DEBUG method GET
squidclamav.c(1334) extract_http_info: DEBUG url http://c.rosu.free.fr/eicar_niveau1.zip
squidclamav.c(392) squidclamav_check_preview_handler: DEBUG URL requested: http://c.rosu.free.fr/eicar_niveau1.zip
squidclamav.c(451) squidclamav_check_preview_handler: DEBUG Content-Length: 474
squidclamav.c(460) squidclamav_check_preview_handler: DEBUG Content-Type: application/zip
squidclamav.c(604) squidclamav_end_of_data_handler: DEBUG ending request data handler.
squidclamav.c(1559) dconnect: entering.
squidclamav.c(1578) dconnect: DEBUG Connected to Clamd (192.168.1.100:3310)
squidclamav.c(627) squidclamav_end_of_data_handler: DEBUG Sending zINSTREAM command to clamd.
squidclamav.c(635) squidclamav_end_of_data_handler: DEBUG Ok connected to clamd.
squidclamav.c(639) squidclamav_end_of_data_handler: DEBUG: Scanning data now
squidclamav.c(656) squidclamav_end_of_data_handler: DEBUG Write 478 bytes on 474 to socket
squidclamav.c(672) squidclamav_end_of_data_handler: DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
ERROR: Unable to find specified template: /usr/local/share/c_icap/templates//squidclamav/en/MALWARE_FOUND
squidclamav.c(679) squidclamav_end_of_data_handler: DEBUG Virus found, ending download.
squidclamav.c(688) squidclamav_end_of_data_handler: DEBUG Closing Clamd connection.
squidclamav.c(693) squidclamav_end_of_data_handler: DEBUG Virus found, sending redirection header / error page.
squidclamav.c(296) squidclamav_release_request_data: DEBUG Releasing request data.

So as you see, squidclamav is working well in its standard usage, or in the usage it was designed for.

Could you explain how you are trying to integrate the c-icap/antivirus settings into Move It DMZ? How is Move It DMZ querying the c-icap server (using its own icap client or through the squid proxy)? I can patch squidclamav to accept scanning without an http header, but for now I just need more information.

Regards,

darold commented 10 years ago

I've found this URL that explains the way MOVE it DMZ is working:

https://ftps.nslc.org/doc/en/MOVEitDMZ_FeatureFocus_ContentScanning.htm

ok, I understand now. I will patch squidclamav. Could you give me a few hours and be kind enough to test it with MOVE it DMZ? I don't have such a box at hand.

kenhen93 commented 10 years ago

Yes, thank you! I really want to get this working with Move It DMZ. I have a QA Move It DMZ setup that I have been testing. I already talked to their support and told them I would be interested in writing a white paper if I can get squidclamav working. I want to use squidclamav over McAfee, which my work already uses.


kenhen93 commented 10 years ago

Not sure if this helps.

This is what Move It DMZ support is saying it expects back from the AV icap server:

I had to ask one of the engineers about this one. DMZ is looking for a typical HTTP 200 response for 'good' files and is searching for "X-Infection-Found" in the response for any malicious files.


darold commented 10 years ago

Valid file sent to c-icap server:

c-icap-client -i 127.0.0.1 -p 1344 -f correct_test_file.txt -s "squidclamav?allow204=on&force=on&sizelimit=off&mode=simple" -v
ICAP server:127.0.0.1, ip:127.0.0.1, port:1344

No modification needed (Allow 204 response)

ICAP HEADERS:
ICAP/1.0 204 Unmodified:
Server:C-ICAP/0.3.2
Connection:keep-alive
ISTag:CI0001-1-squidclamav-10

Infected file sent to c-icap server:

c-icap-client -i 127.0.0.1 -p 1344 -f eicar.zip -s "squidclamav?allow204=on&force=on&sizelimit=off&mode=simple" -v
ICAP server:127.0.0.1, ip:127.0.0.1, port:1344

[... removed HTML content of the ICAP template ...]

ICAP HEADERS:
ICAP/1.0 200 OK:
Server:C-ICAP/0.3.2
Connection:keep-alive
ISTag:CI0001-1-squidclamav-10
Encapsulated:res-hdr=0, res-body=374

RESPMOD HEADERS:
Date:Thu Feb 13 23:20:26 2014
Last-Modified:Thu Feb 13 23:20:26 2014
HTTP/1.0 403 Forbidden:
Server:C-ICAP
Connection:close
Content-Type:text/html
X-Virus-ID:Eicar-Test-Signature
X-Infection-Found:Type=0; Resolution=2; Threat=Eicar-Test-Signature;
Content-Language:en
Content-Length:577
Via:ICAP/1.0 devel (C-ICAP/0.3.2 SquidClamav/Antivirus service )

Here is the debug information printed to the c-icap log file:

squidclamav.c(275) squidclamav_init_request_data: DEBUG initializing request data handler.
squidclamav.c(296) squidclamav_release_request_data: DEBUG Releasing request data.
squidclamav.c(275) squidclamav_init_request_data: DEBUG initializing request data handler.
squidclamav.c(329) squidclamav_check_preview_handler: DEBUG processing preview header.
squidclamav.c(332) squidclamav_check_preview_handler: DEBUG preview data size is 271
squidclamav.c(467) squidclamav_check_preview_handler: WARNING bad http header, can not check URL, Content-Type and Content-Length.
squidclamav.c(497) squidclamav_check_preview_handler: DEBUG End of method squidclamav_check_preview_handler
squidclamav.c(595) squidclamav_end_of_data_handler: DEBUG ending request data handler.
squidclamav.c(1603) dconnect: entering.
squidclamav.c(1622) dconnect: DEBUG Connected to Clamd (192.168.1.100:3310)
squidclamav.c(618) squidclamav_end_of_data_handler: DEBUG Sending zINSTREAM command to clamd.
squidclamav.c(626) squidclamav_end_of_data_handler: DEBUG Ok connected to clamd.
squidclamav.c(630) squidclamav_end_of_data_handler: DEBUG: Scanning data now
squidclamav.c(647) squidclamav_end_of_data_handler: DEBUG Write 275 bytes on 271 to socket
squidclamav.c(663) squidclamav_end_of_data_handler: DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
squidclamav.c(670) squidclamav_end_of_data_handler: DEBUG Virus found, ending download.
squidclamav.c(679) squidclamav_end_of_data_handler: DEBUG Closing Clamd connection.
squidclamav.c(684) squidclamav_end_of_data_handler: DEBUG Virus found, sending redirection header / error page.
squidclamav.c(296) squidclamav_release_request_data: DEBUG Releasing request data.

Ok, the support for ICAP requests with no HTTP header was added in commit 1f0d351; I've also run autoconf and automake again on the repository to update the configure files and makefiles.

Please give the latest code from github a try and let me know.

Thanks for your help.
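The RESPMOD exchanges darold reproduces above with c-icap-client, and the X-Infection-Found contract Move It DMZ support described earlier, as an added example that is not squidclamav, c-icap or Move It DMZ code: it builds a RESPMOD request carrying the request line, Content-Type and Content-Length squidclamav inspects, and classifies constructed replies shaped like the clean (204) and infected (200 plus X-Infection-Found) runs above. The ICAP host, service name, URL and the sample replies are assumptions.

```python
"""Added example (not squidclamav or c-icap project code): build an ICAP RESPMOD
request carrying the HTTP headers squidclamav inspects, and classify the ICAP
reply the way an integrating product would (204 = clean, X-Infection-Found = malware)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

CRLF = "\r\n"


def _parse_header_block(block: str) -> Tuple[str, Dict[str, str]]:
    """Split 'START-LINE CRLF Name: value CRLF ...' into (start line, lower-cased map)."""
    lines = block.split(CRLF)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def build_respmod(icap_host: str, icap_port: int, service: str, url: str,
                  body: bytes, content_type: str) -> bytes:
    """Encapsulate a GET request line plus a 200 response for `body` in one RESPMOD.
    No Preview header is sent, so the whole body follows at once as a single chunk
    (the thread found Move It DMZ does not negotiate preview either)."""
    origin = urlsplit(url).netloc
    req_hdr = f"GET {url} HTTP/1.1{CRLF}Host: {origin}{CRLF}{CRLF}".encode()
    # squidclamav reads Content-Type and Content-Length from this block before scanning.
    res_hdr = (f"HTTP/1.1 200 OK{CRLF}Content-Type: {content_type}{CRLF}"
               f"Content-Length: {len(body)}{CRLF}{CRLF}").encode()
    # ICAP bodies are chunked: <hex size> CRLF <data> CRLF, terminated by "0" CRLF CRLF.
    chunked = f"{len(body):x}{CRLF}".encode() + body + f"{CRLF}0{CRLF}{CRLF}".encode()
    icap_hdr = (f"RESPMOD icap://{icap_host}:{icap_port}/{service} ICAP/1.0{CRLF}"
                f"Host: {icap_host}:{icap_port}{CRLF}"
                f"Allow: 204{CRLF}"  # let the server answer 204 Unmodified for clean files
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}{CRLF}{CRLF}").encode()
    return icap_hdr + req_hdr + res_hdr + chunked


@dataclass
class IcapResult:
    status: int
    icap_headers: Dict[str, str]
    http_status: Optional[str] = None
    http_headers: Dict[str, str] = field(default_factory=dict)

    @property
    def verdict(self) -> str:
        """Contract Move It DMZ support described: 204 or a plain 200 is a good file;
        X-Infection-Found (squidclamav also sets X-Virus-ID) marks malware."""
        if "x-infection-found" in self.http_headers or "x-virus-id" in self.http_headers:
            return "infected"
        if self.status in (200, 204):
            return "clean"
        return "icap-error"


def parse_infection_found(value: str) -> Dict[str, str]:
    """'Type=0; Resolution=2; Threat=Eicar-Test-Signature;' -> {'Type': '0', ...}."""
    fields: Dict[str, str] = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key] = val
    return fields


def parse_icap_response(raw: bytes) -> IcapResult:
    """Parse the ICAP status line and headers; when Encapsulated announces res-hdr,
    also parse the encapsulated HTTP response headers that carry the verdict."""
    head, _, encapsulated = raw.partition((CRLF + CRLF).encode())
    start, icap_headers = _parse_header_block(head.decode("latin-1"))
    result = IcapResult(int(start.split()[1]), icap_headers)
    offsets: Dict[str, int] = {}
    for part in icap_headers.get("encapsulated", "").split(","):
        name, sep, off = part.strip().partition("=")
        if sep:
            offsets[name] = int(off)
    if "res-hdr" in offsets:
        begin = offsets["res-hdr"]
        end = offsets.get("res-body", offsets.get("null-body", len(encapsulated)))
        result.http_status, result.http_headers = _parse_header_block(
            encapsulated[begin:end].decode("latin-1"))
    return result


# Constructed replies shaped like the two c-icap-client runs quoted above.
CLEAN_REPLY = (f"ICAP/1.0 204 Unmodified{CRLF}Server: C-ICAP/0.3.2{CRLF}"
               f"Connection: keep-alive{CRLF}ISTag: CI0001-1-squidclamav-10{CRLF}{CRLF}").encode()
_INFECTED_HTTP = (f"HTTP/1.0 403 Forbidden{CRLF}Server: C-ICAP{CRLF}Connection: close{CRLF}"
                  f"Content-Type: text/html{CRLF}X-Virus-ID: Eicar-Test-Signature{CRLF}"
                  f"X-Infection-Found: Type=0; Resolution=2; Threat=Eicar-Test-Signature;{CRLF}"
                  f"Content-Length: 7{CRLF}{CRLF}")
INFECTED_REPLY = (f"ICAP/1.0 200 OK{CRLF}Server: C-ICAP/0.3.2{CRLF}ISTag: CI0001-1-squidclamav-10{CRLF}"
                  f"Encapsulated: res-hdr=0, res-body={len(_INFECTED_HTTP)}{CRLF}{CRLF}"
                  f"{_INFECTED_HTTP}7{CRLF}blocked{CRLF}0{CRLF}{CRLF}").encode()

if __name__ == "__main__":
    for reply in (CLEAN_REPLY, INFECTED_REPLY):
        r = parse_icap_response(reply)
        print(r.status, r.verdict, parse_infection_found(r.http_headers.get("x-infection-found", "")))
```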

kenhen93 commented 10 years ago

Hi, thanks for updating! It still does not seem to be working, so let me tell you exactly what I did, so you can let me know if I did something wrong.

Clicked on your revision link in the previous e-mail, then Browse code, then Download as zip. Put the zip on my squidclamav server, extracted it, and ran:

./configure --with-c-icap=/usr/local/c-icap/
make
make install

ls -lsa /usr/local/c-icap/lib/c_icap/squidclamav.so

112 -rwxr-xr-x 1 root root 111647 Feb 14 09:49 /usr/local/c-icap/lib/c_icap/squidclamav.so

Restarted squid and c-icap.

From another server:

ftp> put eicar_niveau11.zip
local: eicar_niveau11.zip remote: eicar_niveau11.zip
227 Entering Passive Mode (149,174,109,82,11,184)
150 STOR command started
226 Transfer complete. No integrity check. File ID 973395619
2703 bytes sent in 5.8e-05 secs (46603.45 Kbytes/sec)

Logs from the squidclamav server:

==> server.log <==
Fri Feb 14 10:11:50 2014, 19417/1403123456, squidclamav.c(275) squidclamav_init_request_data: Fri Feb 14 10:11:50 2014, 19417/1403123456, DEBUG initializing request data handler.
Fri Feb 14 10:11:50 2014, 19417/1403123456, squidclamav.c(329) squidclamav_check_preview_handler: Fri Feb 14 10:11:50 2014, 19417/1403123456, DEBUG processing preview header.
Fri Feb 14 10:11:50 2014, 19417/1403123456, squidclamav.c(1314) extract_http_info: Fri Feb 14 10:11:50 2014, 19417/1403123456, DEBUG method GET
Fri Feb 14 10:11:50 2014, 19417/1403123456, squidclamav.c(1325) extract_http_info: Fri Feb 14 10:11:50 2014, 19417/1403123456, DEBUG url http://10.74.13.45/973395619
Fri Feb 14 10:11:50 2014, 19417/1403123456, squidclamav.c(381) squidclamav_check_preview_handler: Fri Feb 14 10:11:50 2014, 19417/1403123456, DEBUG URL requested: http://10.74.13.45/973395619
Fri Feb 14 10:11:50 2014, 19417/1403123456, squidclamav.c(421) squidclamav_check_preview_handler: Fri Feb 14 10:11:50 2014, 19417/1403123456, DEBUG Content-Length: 0
Fri Feb 14 10:11:50 2014, 19417/1403123456, squidclamav.c(445) squidclamav_check_preview_handler: Fri Feb 14 10:11:50 2014, 19417/1403123456, DEBUG can not begin to scan url: No preview data.
Fri Feb 14 10:11:50 2014, 19417/1403123456, squidclamav.c(296) squidclamav_release_request_data: Fri Feb 14 10:11:50 2014, 19417/1403123456, DEBUG Releasing request data.

==> access.log <==
14/Feb/2014:10:01:38 -0500, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 200

Thanks!


darold commented 10 years ago

Hi,

Yes, that's the right way to proceed. It seems that preview is not enabled on your FTP server:

Fri Feb 14 10:11:50 2014, 19417/1403123456, squidclamav.c(421) squidclamav_check_preview_handler: Fri Feb 14 10:11:50 2014, 19417/1403123456, DEBUG Content-Length: 0
Fri Feb 14 10:11:50 2014, 19417/1403123456, squidclamav.c(445) squidclamav_check_preview_handler: Fri Feb 14 10:11:50 2014, 19417/1403123456, DEBUG can not begin to scan url: No preview data.

That's my fault; I've been persuaded that it was possible to enable preview in the Move It DMZ ICAP configuration, but that doesn't seem to be the case.

I have patched squidclamav again to remove this mandatory option; please try again by downloading the latest code and compiling it again exactly as you've done.

kenhen93 commented 10 years ago

Hi Darold,

Recent test:

Downloaded the code again; it was the same directory after unzipping as before, squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c (not sure if that matters).

ls -lsa /usr/local/c-icap/lib/c_icap/squidclamav.so

112 -rwxr-xr-x 1 root root 111647 Feb 14 13:02 /usr/local/c-icap/lib/c_icap/squidclamav.so

ftp> put eicar_niveau5.zip
local: eicar_niveau5.zip remote: eicar_niveau5.zip
227 Entering Passive Mode (149,174,109,82,11,185)
150 STOR command started
226 Transfer complete. No integrity check. File ID 973507405
1368 bytes sent in 4.3e-05 secs (31813.95 Kbytes/sec)

==> /usr/local/var/log/server.log <==

Fri Feb 14 13:08:38 2014, 32591/3585332992, squidclamav.c(275) squidclamav_init_request_data: Fri Feb 14 13:08:38 2014, 32591/3585332992, DEBUG initializing request data handler.
Fri Feb 14 13:08:38 2014, 32591/3585332992, squidclamav.c(329) squidclamav_check_preview_handler: Fri Feb 14 13:08:38 2014, 32591/3585332992, DEBUG processing preview header.
Fri Feb 14 13:08:38 2014, 32591/3585332992, squidclamav.c(1314) extract_http_info: Fri Feb 14 13:08:38 2014, 32591/3585332992, DEBUG method GET
Fri Feb 14 13:08:38 2014, 32591/3585332992, squidclamav.c(1325) extract_http_info: Fri Feb 14 13:08:38 2014, 32591/3585332992, DEBUG url http://10.74.13.45/973507405
Fri Feb 14 13:08:38 2014, 32591/3585332992, squidclamav.c(381) squidclamav_check_preview_handler: Fri Feb 14 13:08:38 2014, 32591/3585332992, DEBUG URL requested: http://10.74.13.45/973507405
Fri Feb 14 13:08:38 2014, 32591/3585332992, squidclamav.c(421) squidclamav_check_preview_handler: Fri Feb 14 13:08:38 2014, 32591/3585332992, DEBUG Content-Length: 0
Fri Feb 14 13:08:38 2014, 32591/3585332992, squidclamav.c(445) squidclamav_check_preview_handler: Fri Feb 14 13:08:38 2014, 32591/3585332992, DEBUG can not begin to scan url: No preview data.
Fri Feb 14 13:08:38 2014, 32591/3585332992, squidclamav.c(296) squidclamav_release_request_data: Fri Feb 14 13:08:38 2014, 32591/3585332992, DEBUG Releasing request data.

==> /usr/local/var/log/access.log <==
14/Feb/2014:13:08:38 -0500, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 200

Here is a picture of the Move It DMZ content scanning settings.

[image: content_scanning]

I really appreciate your help on this! Thank you!

Ken


darold commented 10 years ago

Hi Ken,

Sorry, but it seems that you have not performed a 'make install': the message "DEBUG can not begin to scan url: No preview data." is still the same as before. In the last commit 3d18ad1 I have removed this message and it is now replaced, at line 475 of squidclamav.c, by the simple warning "WARNING can not begin to scan url: No preview data.". Or perhaps you have not restarted the c-icap server.

Following your Move It DMZ configuration, you must take care to set a greater value for maxsize, like 20000000, in squidclamav.conf, and the same 20MB for StreamMaxLength in clamd.conf. If I understand the Move It DMZ configuration well, it will not send files larger than 15000000.

kenhen93 commented 10 years ago

Hi,

This is still not working. I am getting the same error message. This is how I am downloading and compiling squidclamav:

wget https://github.com/darold/squidclamav/archive/1f0d35103b4f389a08313dc675344fb41eb5b70c.zip
mv 1f0d35103b4f389a08313dc675344fb41eb5b70c 1f0d35103b4f389a08313dc675344fb41eb5b70c.zip
mv 1f0d35103b4f389a08313dc675344fb41eb5b70c.zip squid-1f0d35103b4f389a08313dc675344fb41eb5b70c.zip
unzip squid-1f0d35103b4f389a08313dc675344fb41eb5b70c.zip
cd squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c

squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c]# ./configure --with-c-icap=/usr/local/c-icap/
checking whether to enable maintainer-specific portions of Makefiles... no
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether gcc and cc understand -c and -o together... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... no
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/bin/ld
checking if the linker (/usr/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 1966080
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-unknown-linux-gnu file names to x86_64-unknown-linux-gnu format... func_convert_file_noop
checking how to convert x86_64-unknown-linux-gnu file names to toolchain format... func_convert_file_noop
checking for /usr/bin/ld option to reload object files... -r
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... dlltool
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking for shl_load... no
checking for shl_load in -ldld... no
checking for dlopen... no
checking for dlopen in -ldl... yes
checking whether a program can dlopen itself... yes
checking whether a statically linked program can dlopen itself... yes
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define EXTENSIONS... yes
checking if fds can send through unix sockets... yes
checking for ANSI C header files... (cached) yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking ctype.h usability... yes
checking ctype.h presence... yes
checking for ctype.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking regex.h usability... yes
checking regex.h presence... yes
checking for regex.h... yes
checking signal.h usability... yes
checking signal.h presence... yes
checking for signal.h... yes
checking for pid_t... yes
checking for size_t... yes
checking vfork.h usability... no
checking vfork.h presence... no
checking for vfork.h... no
checking for fork... yes
checking for vfork... yes
checking for working fork... yes
checking for working vfork... (cached) yes
checking whether lstat correctly handles trailing slash... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking for stdlib.h... (cached) yes
checking for GNU libc compatible realloc... yes
checking for dup2... yes
checking for gettimeofday... yes
checking for memchr... yes
checking for memset... yes
checking for regcomp... yes
checking for regexec... yes
checking for regfree... yes
checking for socket... yes
checking for strdup... yes
checking for strerror... yes
checking for strspn... yes
checking for strstr... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating etc/Makefile
config.status: creating autoconf.h
config.status: autoconf.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands

squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c]# make
make all-recursive
make[1]: Entering directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c'
Making all in .
make[2]: Entering directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c'
make[2]: Leaving directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c'
Making all in src
make[2]: Entering directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/src'
/bin/sh ../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../../include/ -g -O2 -Wall -fvisibility=hidden -DCI_BUILD_MODULE -D_REENTRANT -g -O2 -Wall -D_FILE_OFFSET_BITS=64 -I/usr/local/c-icap/include -I/usr/local/c-icap/include/c_icap -MT squidclamav_la-squidclamav.lo -MD -MP -MF .deps/squidclamav_la-squidclamav.Tpo -c -o squidclamav_la-squidclamav.lo `test -f 'squidclamav.c' || echo './'`squidclamav.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I.. -I.. -I../../include/ -g -O2 -Wall -fvisibility=hidden -DCI_BUILD_MODULE -D_REENTRANT -g -O2 -Wall -D_FILE_OFFSET_BITS=64 -I/usr/local/c-icap/include -I/usr/local/c-icap/include/c_icap -MT squidclamav_la-squidclamav.lo -MD -MP -MF .deps/squidclamav_la-squidclamav.Tpo -c squidclamav.c -fPIC -DPIC -o .libs/squidclamav_la-squidclamav.o
mv -f .deps/squidclamav_la-squidclamav.Tpo .deps/squidclamav_la-squidclamav.Plo
/bin/sh ../libtool --tag=CC --mode=link gcc -I../../include/ -g -O2 -Wall -fvisibility=hidden -DCI_BUILD_MODULE -D_REENTRANT -g -O2 -Wall -D_FILE_OFFSET_BITS=64 -I/usr/local/c-icap/include -I/usr/local/c-icap/include/c_icap -module -avoid-version -o squidclamav.la -rpath /usr/local/c-icap/lib/c_icap/ squidclamav_la-squidclamav.lo
libtool: link: gcc -shared -fPIC -DPIC .libs/squidclamav_la-squidclamav.o -O2 -O2 -Wl,-soname -Wl,squidclamav.so -o .libs/squidclamav.so
libtool: link: ( cd ".libs" && rm -f "squidclamav.la" && ln -s "../squidclamav.la" "squidclamav.la" )
make[2]: Leaving directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/src'
Making all in etc
make[2]: Entering directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/etc'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/etc'
make[1]: Leaving directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c'

squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c]# make install
Making install in .
make[1]: Entering directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c'
make[2]: Entering directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c'
make[2]: Nothing to be done for `install-exec-am'.
test -z "/usr/local/share/squidclamav" || /bin/mkdir -p "/usr/local/share/squidclamav"
/usr/bin/install -c -m 644 doc/README '/usr/local/share/squidclamav'
/bin/sh /var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/install-sh -d /usr/local/share/squidclamav
/bin/sh /var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/install-sh -d /usr/local/libexec/squidclamav
cp cgi-bin/* /usr/local/libexec/squidclamav
test -z "/usr/local/share/man/man1" || /bin/mkdir -p "/usr/local/share/man/man1"
/usr/bin/install -c -m 644 doc/squidclamav.1 '/usr/local/share/man/man1'
make[2]: Leaving directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c'
make[1]: Leaving directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c'
Making install in src
make[1]: Entering directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/src'
make[2]: Entering directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/src'
make[2]: Nothing to be done for `install-exec-am'.
test -z "/usr/local/c-icap/lib/c_icap/" || /bin/mkdir -p "/usr/local/c-icap/lib/c_icap/"
/bin/sh ../libtool --mode=install /usr/bin/install -c squidclamav.la '/usr/local/c-icap/lib/c_icap/'
libtool: install: /usr/bin/install -c .libs/squidclamav.so /usr/local/c-icap/lib/c_icap/squidclamav.so
libtool: install: /usr/bin/install -c .libs/squidclamav.lai /usr/local/c-icap/lib/c_icap/squidclamav.la
libtool: install: warning: remember to run `libtool --finish /usr/local/c-icap/lib/c_icap/'
make[2]: Leaving directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/src'
make[1]: Leaving directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/src'
Making install in etc
make[1]: Entering directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/etc'
make[2]: Entering directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/etc'
make[2]: Nothing to be done for `install-exec-am'.
/bin/sh /var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/install-sh -d /etc
for f in squidclamav.conf; do \
	/usr/bin/install -c $f /usr/local/c-icap/etc//$f.default; \
	if test ! -f /usr/local/c-icap/etc//$f; then /usr/bin/install -c $f /usr/local/c-icap/etc//$f; fi \
done
/bin/sh /var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/install-sh -d /usr/local/c-icap/share/c_icap//templates/squidclamav/en/
for f in templates/en/MALWARE_FOUND; do /usr/bin/install -c $f /usr/local/c-icap/share/c_icap//templates/squidclamav/en/; done
make[2]: Leaving directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/etc'
make[1]: Leaving directory `/var/tmp/squidclamav-1f0d35103b4f389a08313dc675344fb41eb5b70c/etc'

service c-icap restart

ftp> put eicar_niveau7.zip

server.log
Tue Feb 18 10:55:06 2014, 29910/3825743616, squidclamav.c(1314) extract_http_info:
Tue Feb 18 10:55:06 2014, 29910/3825743616, DEBUG method GET
Tue Feb 18 10:55:06 2014, 29910/3825743616, squidclamav.c(1325) extract_http_info:
Tue Feb 18 10:55:06 2014, 29910/3825743616, DEBUG url http://10.74.13.45/974421978
Tue Feb 18 10:55:06 2014, 29910/3825743616, squidclamav.c(381) squidclamav_check_preview_handler:
Tue Feb 18 10:55:06 2014, 29910/3825743616, DEBUG URL requested: http://10.74.13.45/974421978
Tue Feb 18 10:55:06 2014, 29910/3825743616, squidclamav.c(421) squidclamav_check_preview_handler:
Tue Feb 18 10:55:06 2014, 29910/3825743616, DEBUG Content-Length: 0
Tue Feb 18 10:55:06 2014, 29910/3825743616, squidclamav.c(445) squidclamav_check_preview_handler:
Tue Feb 18 10:55:06 2014, 29910/3825743616, DEBUG can not begin to scan url: No preview data.
Tue Feb 18 10:55:06 2014, 29910/3825743616, squidclamav.c(296) squidclamav_release_request_data:
Tue Feb 18 10:55:06 2014, 29910/3825743616, DEBUG Releasing request data.

What am I doing wrong? Downloading the wrong version?

Thank you!


darold commented 10 years ago

Ok, sorry I missed that in your previous post. Here is the wget command to grab the latest code:

wget https://github.com/darold/squidclamav/archive/master.zip

then unzip will create a directory called squidanalyzer-master/

With your previous URL you were always downloading the same code, again and again :-)

Regards,

kenhen93 commented 10 years ago

Thanks for being patient with me on this.

I got some different results now since I have the right code :-)

ftp> put eicar_niveau8.zip

==> /usr/local/var/log/server.log <==
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(1323) extract_http_info:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG method GET
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(1334) extract_http_info:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG url http://10.74.13.45/974565271
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(389) squidclamav_check_preview_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG URL requested: http://10.74.13.45/974565271
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(429) squidclamav_check_preview_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG Content-Length: 0
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(483) squidclamav_check_preview_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, WARNING can not begin to scan url: No preview data.
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(499) squidclamav_check_preview_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG End of method squidclamav_check_preview_handler
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(597) squidclamav_end_of_data_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG ending request data handler.
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(1616) dconnect:
Tue Feb 18 13:07:51 2014, 7662/2748090112, entering.
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(620) squidclamav_end_of_data_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG Sending zINSTREAM command to clamd.
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(628) squidclamav_end_of_data_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG Ok connected to clamd.
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(632) squidclamav_end_of_data_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG: Scanning data now
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(649) squidclamav_end_of_data_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG Write 2038 bytes on 2034 to socket
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(665) squidclamav_end_of_data_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG received from Clamd: stream: OK
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(681) squidclamav_end_of_data_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG Closing Clamd connection.
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(691) squidclamav_end_of_data_handler:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG Responding with allow 204
Tue Feb 18 13:07:51 2014, 7662/2748090112, squidclamav.c(304) squidclamav_release_request_data:
Tue Feb 18 13:07:51 2014, 7662/2748090112, DEBUG Releasing request data.

==> /usr/local/var/log/access.log <==
18/Feb/2014:13:07:51 -0500, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 204

I can't seem to find why clamd is not blocking the file. I am trying to investigate further.


darold commented 10 years ago

You must have ScanArchive set to true in your clamd.conf; that could be one reason.

darold commented 10 years ago

Any news about that?

kenhen93 commented 10 years ago

Sorry, I am on vacation. Will check next week.

kenhen93 commented 10 years ago

Hi,

So I am still not sure what is going on with clamd.

Clam is set to scan archives.

I can scan the same file I upload via FTP directly and I get:

clamdscan -v eicar_niveau9.zip

/var/tmp/eicar_niveau9.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.006 sec (0 m 0 s)

but according to the ICAP logs, squidclamav is letting these files go through:

Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(283) squidclamav_init_request_data:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG initializing request data handler.
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(337) squidclamav_check_preview_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG processing preview header.
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(1323) extract_http_info:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG method GET
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(1334) extract_http_info:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG url http:///976116483
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(389) squidclamav_check_preview_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG URL requested: http://10.74.13.45/976116483
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(429) squidclamav_check_preview_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG Content-Length: 0
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(483) squidclamav_check_preview_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, WARNING can not begin to scan url: No preview data.
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(499) squidclamav_check_preview_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG End of method squidclamav_check_preview_handler
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(597) squidclamav_end_of_data_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG ending request data handler.
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(1616) dconnect:
Mon Feb 24 09:36:09 2014, 7662/2716620544, entering.
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(620) squidclamav_end_of_data_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG Sending zINSTREAM command to clamd.
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(628) squidclamav_end_of_data_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG Ok connected to clamd.
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(632) squidclamav_end_of_data_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG: Scanning data now
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(649) squidclamav_end_of_data_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG Write 2936 bytes on 2932 to socket
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(665) squidclamav_end_of_data_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG received from Clamd: stream: OK
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(681) squidclamav_end_of_data_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG Closing Clamd connection.
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(691) squidclamav_end_of_data_handler:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG Responding with allow 204
Mon Feb 24 09:36:09 2014, 7662/2716620544, squidclamav.c(304) squidclamav_release_request_data:
Mon Feb 24 09:36:09 2014, 7662/2716620544, DEBUG Releasing request data.

==> /usr/local/var/log/access.log <==
24/Feb/2014:09:36:09 -0500, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 204

When I scan manually, it logs the info at /var/log/clamav/clamd.log, but it does not show anything when I send via FTP through squidclamav.

Any idea what is going on?


darold commented 10 years ago

What happens if you use the ICAP client? For example:

c-icap-client -i 127.0.0.1 -p 1344 -f eicar_niveau9.zip -s "squidclamav?allow204=on&force=on&sizelimit=off&mode=simple" -v

kenhen93 commented 10 years ago

It finds the virus:

==> /usr/local/var/log/server.log <==
Mon Feb 24 11:06:11 2014, 7662/2695640832, squidclamav.c(665) squidclamav_end_of_data_handler:
Mon Feb 24 11:06:11 2014, 7662/2695640832, DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
Mon Feb 24 11:06:11 2014, 7662/2695640832, squidclamav.c(1409) generate_response_page:
Mon Feb 24 11:06:11 2014, 7662/2695640832, Virus redirection: http://localhost/cgi-bin/clwarn.cgi?url=http://10.74.13.45/976118688&source=-&user=-&virus=stream: Eicar-Test-Signature FOUND.
Mon Feb 24 11:06:11 2014, 7662/2695640832, squidclamav.c(1523) generate_redirect_page:
Mon Feb 24 11:06:11 2014, 7662/2695640832, DEBUG creating redirection page
Mon Feb 24 11:06:11 2014, 7662/2695640832, squidclamav.c(1528) generate_redirect_page:
Mon Feb 24 11:06:11 2014, 7662/2695640832, DEBUG Location: http://localhost/cgi-bin/clwarn.cgi?url=http://10.74.13.45/976118688&source=-&user=-&virus=stream: Eicar-Test-Signature FOUND
Mon Feb 24 11:06:11 2014, 7662/2695640832, squidclamav.c(1550) generate_redirect_page:
Mon Feb 24 11:06:11 2014, 7662/2695640832, DEBUG done
Mon Feb 24 11:06:11 2014, 7662/2695640832, squidclamav.c(672) squidclamav_end_of_data_handler:
Mon Feb 24 11:06:11 2014, 7662/2695640832, DEBUG Virus found, ending download.
Mon Feb 24 11:06:11 2014, 7662/2695640832, squidclamav.c(681) squidclamav_end_of_data_handler:
Mon Feb 24 11:06:11 2014, 7662/2695640832, DEBUG Closing Clamd connection.
Mon Feb 24 11:06:11 2014, 7662/2695640832, squidclamav.c(686) squidclamav_end_of_data_handler:
Mon Feb 24 11:06:11 2014, 7662/2695640832, DEBUG Virus found, sending redirection header / error page.
Mon Feb 24 11:06:11 2014, 7662/2695640832, squidclamav.c(546) squidclamav_write_to_net:
Mon Feb 24 11:06:11 2014, 7662/2695640832, DEBUG ending here, virus was found
Mon Feb 24 11:06:11 2014, 7662/2695640832, squidclamav.c(304) squidclamav_release_request_data:
Mon Feb 24 11:06:11 2014, 7662/2695640832, DEBUG Releasing request data.

tail /var/log/clamav/clamd.log
Mon Feb 24 10:46:47 2014 -> SelfCheck: Database status OK.
Mon Feb 24 10:56:47 2014 -> SelfCheck: Database status OK.
Mon Feb 24 11:06:11 2014 -> instream(local): Eicar-Test-Signature FOUND


darold commented 10 years ago

Ok, I don't think the issue comes from your clamd configuration, but it seems that there are some extra characters sent by your FTP server. Please download the latest code from GitHub and install it. Then proceed with file eicar_niveau8.zip on your Move It DMZ server. I have added one more debug print to see what your FTP server is really sending.

With c-icap-client we get something like this:

squidclamav.c(649) squidclamav_end_of_data_handler: DEBUG Write 2011 bytes on 2007 to socket
squidclamav.c(650) squidclamav_end_of_data_handler: DEBUG sent: PK...

there are non-printing characters after PK, which are the compressed data.

Once you have proceeded, please send the c-icap server.log file to my personal email address < gilles AT darold DOT net > as an attachment so that I will be able to see the extra characters, if any.
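The "Write 2011 bytes on 2007 to socket" line above is the clamd INSTREAM framing: each chunk is sent as a 4-byte big-endian length followed by the bytes, and a zero-length chunk ends the stream, so four bytes more than the payload go on the wire. The following is an added example, not squidclamav's own code: a client that speaks zINSTREAM, run offline against a small in-process mock of clamd. The mock is an assumption for the sake of running without a daemon; it emulates only the framing, the "stream: OK" and "stream: ... FOUND" replies seen in this thread, and clamd's reply when a stream exceeds StreamMaxLength (the clamd.conf limit mentioned earlier in the thread), and it flags a constructed marker string instead of running real signatures.

```python
import socket
import struct
import threading

# Constructed marker the mock treats as a signature hit (assumption: real clamd
# matches signatures; this mock only looks for this byte string).
MARKER = b"CONSTRUCTED-TEST-MARKER"
# Mock counterpart of clamd.conf StreamMaxLength, kept tiny on purpose (assumption).
STREAM_MAX_LENGTH = 4096


def frame_chunk(data):
    """One INSTREAM chunk: 4-byte big-endian length, then the bytes.
    Those 4 bytes are why squidclamav logs "Write N+4 bytes on N"."""
    return struct.pack("!I", len(data)) + data


def send_instream(host, port, payload, chunk_size=65536):
    """Client side of zINSTREAM: NUL-terminated command, length-prefixed chunks,
    zero-length terminator, then read the NUL-terminated reply.
    Returns (reply, bytes_written) where bytes_written counts chunk bodies
    plus their 4-byte headers, matching squidclamav's debug line."""
    written = 0
    with socket.create_connection((host, port)) as s:
        s.sendall(b"zINSTREAM\0")
        for off in range(0, len(payload), chunk_size):
            chunk = payload[off:off + chunk_size]
            s.sendall(frame_chunk(chunk))
            written += len(chunk) + 4
        s.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return reply.rstrip(b"\0").decode(), written


def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed mid-frame")
        buf += part
    return buf


def _handle(conn):
    """Mock clamd: parse the framing exactly as the client produces it."""
    with conn:
        cmd = b""
        while not cmd.endswith(b"\0"):
            cmd += _recv_exact(conn, 1)
        if cmd != b"zINSTREAM\0":
            conn.sendall(b"UNKNOWN COMMAND\0")
            return
        data = b""
        while True:
            (n,) = struct.unpack("!I", _recv_exact(conn, 4))
            if n == 0:
                break
            if len(data) + n > STREAM_MAX_LENGTH:
                conn.sendall(b"INSTREAM size limit exceeded. ERROR\0")
                while conn.recv(65536):  # drain so the client's writes do not hit a reset
                    pass
                return
            data += _recv_exact(conn, n)
        verdict = b"stream: Constructed.Test.Marker FOUND" if MARKER in data else b"stream: OK"
        conn.sendall(verdict + b"\0")


def start_mock_clamd():
    """Listen on an ephemeral localhost port; returns (server_socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            try:
                c, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_handle, args=(c,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Three constructed uploads: clean, marker hit, and over the size limit."""
    srv, port = start_mock_clamd()
    try:
        clean = b"PK\x03\x04" + b"\x00" * 2030  # 2034 bytes, the size in the thread's log
        hit = b"PK\x03\x04" + MARKER + b"\x00" * 100
        too_big = b"\x00" * (STREAM_MAX_LENGTH + 1)
        return {
            "clean": send_instream("127.0.0.1", port, clean),
            "hit": send_instream("127.0.0.1", port, hit),
            "too_big": send_instream("127.0.0.1", port, too_big),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for name, (reply, n) in demo().items():
        print(f"{name}: wrote {n} bytes, clamd said {reply!r}")
```

Against a real clamd the same `send_instream` call works unchanged (point it at the host and port from squidclamav.conf), and the third case is the one to watch: a stream larger than StreamMaxLength gets an ERROR reply rather than a verdict, which a caller must treat as "not scanned", not as "clean".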

kenhen93 commented 10 years ago

Thank you. What is the best way to download the latest build? The latest version on SourceForge says it was modified last October.


darold commented 10 years ago

Like in previous post:

wget https://github.com/darold/squidclamav/archive/master.zip

then unzip will create a directory called squidanalyzer-master/

Change in that directory and type:

./configure
make && make install

Regards,

darold commented 10 years ago

Great thanks to the Ipswitch Company, which gave me an evaluation license for their product, MoveIt DMZ. I was able to test the latest squidclamav code with a running FTP server and everything works as expected. You can now use c-icap with squidclamav as an anti-virus scanner to freely protect files that are uploaded to a MoveIt DMZ server.

Here are some screen shots of the MoveIt DMZ configuration:

moveitdmz-0

and the upload of the file:

moveitdmz-1

SquidClamav detects the virus and sends the information back to the user:

moveitdmz-2

This support will be included in the coming v6.11 release.

darold commented 10 years ago

Here is the complete debug log of c-icap/squidclamav during this upload:

squidclamav.c(283) squidclamav_init_request_data: DEBUG initializing request data handler.
squidclamav.c(337) squidclamav_check_preview_handler: DEBUG processing preview header.
squidclamav.c(1324) extract_http_info: DEBUG method GET
squidclamav.c(1335) extract_http_info: DEBUG url http://192.168.1.100/979990152
squidclamav.c(389) squidclamav_check_preview_handler: DEBUG URL requested: http://192.168.1.100/979990152
squidclamav.c(429) squidclamav_check_preview_handler: DEBUG Content-Length: 0
squidclamav.c(483) squidclamav_check_preview_handler: WARNING can not begin to scan url: No preview data.
squidclamav.c(499) squidclamav_check_preview_handler: DEBUG End of method squidclamav_check_preview_handler
squidclamav.c(597) squidclamav_end_of_data_handler: DEBUG ending request data handler.
squidclamav.c(1621) dconnect: entering.
squidclamav.c(1652) dconnect: DEBUG Connected to Clamd (192.168.1.100:3310)
squidclamav.c(620) squidclamav_end_of_data_handler: DEBUG Sending zINSTREAM command to clamd.
squidclamav.c(628) squidclamav_end_of_data_handler: DEBUG Ok connected to clamd.
squidclamav.c(632) squidclamav_end_of_data_handler: DEBUG: Scanning data now
squidclamav.c(649) squidclamav_end_of_data_handler: DEBUG Write 275 bytes on 271 to socket
squidclamav.c(666) squidclamav_end_of_data_handler: DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
squidclamav.c(673) squidclamav_end_of_data_handler: DEBUG Virus found, ending download.
squidclamav.c(682) squidclamav_end_of_data_handler: DEBUG Closing Clamd connection.
squidclamav.c(687) squidclamav_end_of_data_handler: DEBUG Virus found, sending redirection header / error page.
squidclamav.c(304) squidclamav_release_request_data: DEBUG Releasing request data.
squidclamav.c(283) squidclamav_init_request_data: DEBUG initializing request data handler.
squidclamav.c(337) squidclamav_check_preview_handler: DEBUG processing preview header.
squidclamav.c(1324) extract_http_info: DEBUG method GET
squidclamav.c(1335) extract_http_info: DEBUG url http://192.168.1.100/eicar.com
squidclamav.c(389) squidclamav_check_preview_handler: DEBUG URL requested: http://192.168.1.100/eicar.com
squidclamav.c(429) squidclamav_check_preview_handler: DEBUG Content-Length: 0
squidclamav.c(483) squidclamav_check_preview_handler: WARNING can not begin to scan url: No preview data.
squidclamav.c(499) squidclamav_check_preview_handler: DEBUG End of method squidclamav_check_preview_handler
squidclamav.c(597) squidclamav_end_of_data_handler: DEBUG ending request data handler.
squidclamav.c(1621) dconnect: entering.
squidclamav.c(1640) dconnect: DEBUG Connected to Clamd (192.168.1.100:3310)
squidclamav.c(620) squidclamav_end_of_data_handler: DEBUG Sending zINSTREAM command to clamd.
squidclamav.c(628) squidclamav_end_of_data_handler: DEBUG Ok connected to clamd.
squidclamav.c(632) squidclamav_end_of_data_handler: DEBUG: Scanning data now
squidclamav.c(649) squidclamav_end_of_data_handler: DEBUG Write 37 bytes on 33 to socket
squidclamav.c(666) squidclamav_end_of_data_handler: DEBUG received from Clamd: stream: OK
squidclamav.c(682) squidclamav_end_of_data_handler: DEBUG Closing Clamd connection.
squidclamav.c(692) squidclamav_end_of_data_handler: DEBUG Responding with allow 204
squidclamav.c(304) squidclamav_release_request_data: DEBUG Releasing request data.

kenhen93 commented 10 years ago

Awesome! Thank you so much!


kenhen93 commented 10 years ago

Hi Gilles,

I am sorry I did not get to test this myself earlier, but Squidclamav is still not working correctly.

I downloaded the 6.11 version and also downloaded the master.zip to see if the versions might be different.

I installed the typical way: ./configure, make, make install, restart c-icap, restart squid (for good measure)

ftp> put eicar_niveau9.zip
local: eicar_niveau9.zip remote: eicar_niveau9.zip
227 Entering Passive Mode (149,174,109,82,11,184)
150 STOR command started
226 Transfer complete. No integrity check. File ID 982417826
2256 bytes sent in 5.5e-05 secs (41018.18 Kbytes/sec)
ftp> put eicar_niveau8.zip
local: eicar_niveau8.zip remote: eicar_niveau8.zip
227 Entering Passive Mode (149,174,109,82,11,187)
150 STOR command started
226 Transfer complete. No integrity check. File ID 982403172
2034 bytes sent in 5.4e-05 secs (37666.67 Kbytes/sec)

tail -f /usr/local/var/log/*
==> /usr/local/var/log/access.log <==
24/Feb/2014:09:36:09 -0500, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 204
24/Feb/2014:09:45:49 -0500, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 204
24/Feb/2014:11:06:10 -0500, 127.0.0.1 127.0.0.1 OPTIONS squidclamav?allow204=on&force=on&sizelimit=off&mode=simple 200
24/Feb/2014:11:06:11 -0500, 127.0.0.1 127.0.0.1 RESPMOD squidclamav?allow204=on&force=on&sizelimit=off&mode=simple 200
27/Feb/2014:13:49:51 -0500, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 204
28/Feb/2014:14:00:44 -0500, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 200
06/Mar/2014:14:49:08 -0500, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 204
20/Mar/2014:15:26:24 -0400, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 200
20/Mar/2014:15:29:28 -0400, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 204
20/Mar/2014:15:35:56 -0400, 10.74.13.45 149.174.109.82 RESPMOD squidclamav 204

==> /usr/local/var/log/server.log <==
Thu Mar 20 15:35:56 2014, 1340/42051328, squidclamav.c(591) squidclamav_end_of_data_handler:
Thu Mar 20 15:35:56 2014, 1340/42051328, DEBUG ending request data handler.
Thu Mar 20 15:35:56 2014, 1340/42051328, squidclamav.c(1618) dconnect:
Thu Mar 20 15:35:56 2014, 1340/42051328, entering.
Thu Mar 20 15:35:56 2014, 1340/42051328, squidclamav.c(614) squidclamav_end_of_data_handler:
Thu Mar 20 15:35:56 2014, 1340/42051328, DEBUG Sending zINSTREAM command to clamd.
Thu Mar 20 15:35:56 2014, 1340/42051328, squidclamav.c(622) squidclamav_end_of_data_handler:
Thu Mar 20 15:35:56 2014, 1340/42051328, DEBUG Ok connected to clamd.
Thu Mar 20 15:35:56 2014, 1340/42051328, squidclamav.c(626) squidclamav_end_of_data_handler:
Thu Mar 20 15:35:56 2014, 1340/42051328, DEBUG: Scanning data now
Thu Mar 20 15:35:56 2014, 1340/42051328, squidclamav.c(643) squidclamav_end_of_data_handler:
Thu Mar 20 15:35:56 2014, 1340/42051328, DEBUG Write 2038 bytes on 2034 to socket
Thu Mar 20 15:35:56 2014, 1340/42051328, squidclamav.c(661) squidclamav_end_of_data_handler:
Thu Mar 20 15:35:56 2014, 1340/42051328, DEBUG received from Clamd: stream: OK
Thu Mar 20 15:35:56 2014, 1340/42051328, squidclamav.c(677) squidclamav_end_of_data_handler:
Thu Mar 20 15:35:56 2014, 1340/42051328, DEBUG Closing Clamd connection.
Thu Mar 20 15:35:56 2014, 1340/42051328, squidclamav.c(687) squidclamav_end_of_data_handler:
Thu Mar 20 15:35:56 2014, 1340/42051328, DEBUG Responding with allow 204
Thu Mar 20 15:35:56 2014, 1340/42051328, squidclamav.c(304) squidclamav_release_request_data:
Thu Mar 20 15:35:56 2014, 1340/42051328, DEBUG Releasing request data.

Did I download the wrong version or do something wrong in my install? Thanks! Ken

On Tue, Mar 11, 2014 at 3:52 PM, Darold notifications@github.com wrote:

Here is the complete debug log of c-icap/squidclamav during this upload:

squidclamav.c(283) squidclamav_init_request_data: DEBUG initializing request data handler.
squidclamav.c(337) squidclamav_check_preview_handler: DEBUG processing preview header.
squidclamav.c(1324) extract_http_info: DEBUG method GET
squidclamav.c(1335) extract_http_info: DEBUG url http://192.168.1.100/979990152
squidclamav.c(389) squidclamav_check_preview_handler: DEBUG URL requested: http://192.168.1.100/979990152
squidclamav.c(429) squidclamav_check_preview_handler: DEBUG Content-Length: 0
squidclamav.c(483) squidclamav_check_preview_handler: WARNING can not begin to scan url: No preview data.
squidclamav.c(499) squidclamav_check_preview_handler: DEBUG End of method squidclamav_check_preview_handler
squidclamav.c(597) squidclamav_end_of_data_handler: DEBUG ending request data handler.
squidclamav.c(1621) dconnect: entering.
squidclamav.c(1652) dconnect: DEBUG Connected to Clamd (192.168.1.100:3310 )
squidclamav.c(620) squidclamav_end_of_data_handler: DEBUG Sending zINSTREAM command to clamd.
squidclamav.c(628) squidclamav_end_of_data_handler: DEBUG Ok connected to clamd.
squidclamav.c(632) squidclamav_end_of_data_handler: DEBUG: Scanning data now
squidclamav.c(649) squidclamav_end_of_data_handler: DEBUG Write 275 bytes on 271 to socket
squidclamav.c(666) squidclamav_end_of_data_handler: DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
squidclamav.c(673) squidclamav_end_of_data_handler: DEBUG Virus found, ending download.
squidclamav.c(682) squidclamav_end_of_data_handler: DEBUG Closing Clamd connection.
squidclamav.c(687) squidclamav_end_of_data_handler: DEBUG Virus found, sending redirection header / error page.
squidclamav.c(304) squidclamav_release_request_data: DEBUG Releasing request data.
squidclamav.c(283) squidclamav_init_request_data: DEBUG initializing request data handler.
squidclamav.c(337) squidclamav_check_preview_handler: DEBUG processing preview header.
squidclamav.c(1324) extract_http_info: DEBUG method GET
squidclamav.c(1335) extract_http_info: DEBUG url http://192.168.1.100/eicar.com
squidclamav.c(389) squidclamav_check_preview_handler: DEBUG URL requested: http://192.168.1.100/eicar.com
squidclamav.c(429) squidclamav_check_preview_handler: DEBUG Content-Length: 0
squidclamav.c(483) squidclamav_check_preview_handler: WARNING can not begin to scan url: No preview data.
squidclamav.c(499) squidclamav_check_preview_handler: DEBUG End of method squidclamav_check_preview_handler
squidclamav.c(597) squidclamav_end_of_data_handler: DEBUG ending request data handler.
squidclamav.c(1621) dconnect: entering.
squidclamav.c(1640) dconnect: DEBUG Connected to Clamd (192.168.1.100:3310 )
squidclamav.c(620) squidclamav_end_of_data_handler: DEBUG Sending zINSTREAM command to clamd.
squidclamav.c(628) squidclamav_end_of_data_handler: DEBUG Ok connected to clamd.
squidclamav.c(632) squidclamav_end_of_data_handler: DEBUG: Scanning data now
squidclamav.c(649) squidclamav_end_of_data_handler: DEBUG Write 37 bytes on 33 to socket
squidclamav.c(666) squidclamav_end_of_data_handler: DEBUG received from Clamd: stream: OK
squidclamav.c(682) squidclamav_end_of_data_handler: DEBUG Closing Clamd connection.
squidclamav.c(692) squidclamav_end_of_data_handler: DEBUG Responding with allow 204
squidclamav.c(304) squidclamav_release_request_data: DEBUG Releasing request data.


darold commented 10 years ago

Everything is working fine if you use binary mode. As I explained to you before, the MoveIt DMZ server, like other FTP servers under Windows, is in ASCII mode by default (I don't know why), so they modify each \n into \r\n, which of course breaks binary files. Here is an example:

230 User darold logged in.
Remote system type is Windows_NT.
ftp> put eicar_niveau1.zip
local: eicar_niveau1.zip remote: eicar_niveau1.zip
200 PORT command successful
150 STOR command started
226 Transfer complete. No integrity check. File ID 982255435
480 bytes sent in 0.00 secs (15121.0 kB/s)
ftp>

and the squidclamav log:

squidclamav.c(1637) dconnect: DEBUG Connected to Clamd (192.168.1.100:3310)
squidclamav.c(614) squidclamav_end_of_data_handler: DEBUG Sending zINSTREAM command to clamd.
squidclamav.c(622) squidclamav_end_of_data_handler: DEBUG Ok connected to clamd.
squidclamav.c(626) squidclamav_end_of_data_handler: DEBUG: Scanning data now
squidclamav.c(643) squidclamav_end_of_data_handler: DEBUG Write 484 bytes on 480 to socket
squidclamav.c(661) squidclamav_end_of_data_handler: DEBUG received from Clamd: stream: OK
squidclamav.c(677) squidclamav_end_of_data_handler: DEBUG Closing Clamd connection.
squidclamav.c(687) squidclamav_end_of_data_handler: DEBUG Responding with allow 204
squidclamav.c(304) squidclamav_release_request_data: DEBUG Releasing request data.

Now if I use the binary mode:

Remote system type is Windows_NT.
ftp> bin
200 TYPE command successful
ftp> put eicar_niveau1.zip
local: eicar_niveau1.zip remote: eicar_niveau1.zip
200 PORT command successful
150 STOR command started
550 STOR failed: Virus detected: Eicar-Test-Signature
474 bytes sent in 0.00 secs (22042.4 kB/s)
ftp>

and the squidclamav log:

squidclamav.c(1637) dconnect: DEBUG Connected to Clamd (192.168.1.100:3310)
squidclamav.c(614) squidclamav_end_of_data_handler: DEBUG Sending zINSTREAM command to clamd.
squidclamav.c(622) squidclamav_end_of_data_handler: DEBUG Ok connected to clamd.
squidclamav.c(626) squidclamav_end_of_data_handler: DEBUG: Scanning data now
squidclamav.c(643) squidclamav_end_of_data_handler: DEBUG Write 478 bytes on 474 to socket
squidclamav.c(661) squidclamav_end_of_data_handler: DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
squidclamav.c(668) squidclamav_end_of_data_handler: DEBUG Virus found, ending download.
squidclamav.c(677) squidclamav_end_of_data_handler: DEBUG Closing Clamd connection.
squidclamav.c(682) squidclamav_end_of_data_handler: DEBUG Virus found, sending redirection header / error page.
squidclamav.c(304) squidclamav_release_request_data: DEBUG Releasing request data.
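Added example, not part of the thread and not squidclamav's or ClamAV's code: a small Python model of what the two transcripts above show. It builds a constructed, uncompressed zip, pushes it through a simulated ASCII-mode FTP transfer (every LF byte becomes CRLF, as described in the comment) and through a binary transfer, and checks whether a scanner that unpacks archives can still reach the content. The size growth equals the number of LF bytes in the original file, which is consistent with 480 bytes arriving for the 474-byte upload. `instream_chunk` shows the clamd INSTREAM framing (a 4-byte big-endian length prefix in front of each chunk, a zero-length chunk ending the stream), which matches the 4-byte difference in the "Write 478 bytes on 474" log line. The member name, marker string and payload are constructed for this example.

```python
import io
import struct
import zipfile

# Constructed stand-in for the uploaded test file. Any content works; the
# embedded LF bytes are what matter, because ASCII-mode FTP rewrites them.
MARKER = b"CONSTRUCTED-TEST-MARKER"
PAYLOAD = MARKER + b" line 1\n" + MARKER + b" line 2\n"
MEMBER = "eicar.com"  # member name inside the archive, chosen to mirror the thread


def build_archive(name, payload):
    """Return a small stored (uncompressed) zip holding a single member."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
    info.compress_type = zipfile.ZIP_STORED
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, payload)
    return buf.getvalue()


def ascii_mode_transfer(data):
    """Model of an FTP transfer in ASCII (TYPE A) mode as the thread describes it:
    every bare LF becomes CRLF. Harmless for text, fatal for a zip, whose
    headers store offsets and sizes that no longer match the bytes on disk."""
    return data.replace(b"\n", b"\r\n")


def binary_mode_transfer(data):
    """FTP TYPE I: the bytes arrive exactly as sent."""
    return data


def extract_member(data, name):
    """Return the member's bytes, or None when the archive no longer parses
    (zipfile raises once a header signature or offset is shifted by the
    inserted CR bytes)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except (zipfile.BadZipFile, struct.error, EOFError):
        return None


def scanner_sees_marker(data, name, marker):
    """What a scanner that unpacks archives concludes: True only when the
    member can be extracted and still contains the marker. A damaged archive
    yields False, the analogue of clamd answering 'stream: OK' above."""
    member = extract_member(data, name)
    return member is not None and marker in member


def instream_chunk(data):
    """One clamd INSTREAM chunk: 4-byte big-endian length, then the data.
    A zero-length chunk terminates the stream, so len(result) == len(data) + 4."""
    return struct.pack(">I", len(data)) + data


if __name__ == "__main__":
    archive = build_archive(MEMBER, PAYLOAD)
    for mode, transfer in (("binary", binary_mode_transfer), ("ascii", ascii_mode_transfer)):
        received = transfer(archive)
        print(f"{mode:6s}: {len(archive)} -> {len(received)} bytes, "
              f"INSTREAM chunk {len(instream_chunk(received))} bytes, "
              f"marker detected: {scanner_sees_marker(received, MEMBER, MARKER)}")
```

Run it as a script to see the binary copy detected and the ASCII copy reported clean; the difference in byte count between the two runs is the LF count of the archive, the same arithmetic as 480 versus 474 above.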

darold commented 10 years ago

It may be possible to force the MoveIt DMZ FTP server into binary mode by default but I can't find the way to do that on my evaluation version. You can take a look at https://moveitsupport.ipswitch.com/support/micentral/help/MICConfiguringTasksHostsHostsTab.htm and search for the following sentence:

"Default Transfer Type (FTP Server only) - FTP transfers can be performed in ASCII or BINARY mode. This option allows operators to configure the default setting for any FTP host. (This setting will be OVERRIDDEN if specified in any source/destination related to this host.)"

I don't know if you have this tool, but you may ask MoveIt DMZ how to turn on binary mode by default for transfers on the FTP server.

Let me know

marcogaio commented 10 years ago

I have some notes on this issue.

I was a long-time user of c-icap 0.1.X and squidclamav 6.4 on Debian squeeze, so on squid 3.1, without any trouble.

I've upgraded two of my servers, getting squid 3.2, and I've recompiled the latest c-icap (0.3.3) and the latest squidclamav from SourceForge (6.11).

All seems to work as expected, but I get tons of:

Mar 24 16:20:09 lupus c-icap: : 3791/2884753152, squidclamav.c(483) squidclamav_check_preview_handler:
Mar 24 16:20:09 lupus c-icap: : 3791/2884753152, WARNING can not begin to scan url: No preview data.#012

I've read this thread, but it seems that this issue was described only for a particular FTP server, while I get it on "plain" squid. Also, I've found this on the c-icap list: http://sourceforge.net/p/c-icap/mailman/c-icap-users/thread/50864820.8000104@users.sourceforge.net/

and I've not understood if this is related or not, e.g. whether there really are some sites that send only headers..

My squid configuration is rather standard:

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_preview_enable on
icap_preview_size 5 MB
icap_service service_av_req reqmod_precache bypass=1 icap://localhost:1344/squidclamav
icap_service service_av_resp respmod_precache bypass=1 icap://localhost:1344/squidclamav
adaptation_service_set class_av_req service_av_req
adaptation_service_set class_av_resp service_av_resp
adaptation_access class_av_req deny CONNECT
adaptation_access class_av_req allow all
adaptation_access class_av_resp deny CONNECT
adaptation_access class_av_resp allow all

and my squidclamav too:

maxsize 5000000
redirect http://proxy.internal.local/squidclamav.php
clamdlocal /var/run/clamav/clamd.ctl
timeout 1
logredir 1
dnslookup 1
safebrowsing 0
abortcontent ^video\/x-flv$
abortcontent ^video\/mp4$
abort ^..swf$
abortcontent ^application\/x-shockwave-flash$
abortcontent ^.application\/x-mms-framed.$
whitelist ._.clamav.net
whitelist .download.windowsupdate.com
whitelist ..geo.kaspersky.com
whitelist ..kaspersky-labs.com
whitelist ^http://www.google.(com|it)/search=\?.$

Thanks.

darold commented 10 years ago

Hi,

Thanks for the report. First of all, you must not set the preview size to 5MB; this is too much. Use

icap_preview_size 1024

I've changed the log level of this message; it is just that squid is not sending the preview for some URLs. I don't know why, perhaps because of your high preview size value. This is just a supposition; could you confirm by using the above value?

I have changed the log level of this message to DEBUG 1; you can use the latest code from GitHub.

marcogaio commented 10 years ago

OK, I've changed icap_preview_size to 1024, but the message does not disappear; at least it seems to occur less often:

root@lupus:~# grep squidclamav_check_preview /var/log/syslog | wc -l
128
root@lupus:~# grep squidclamav_check_preview /var/log/syslog.1 | wc -l
360

For now it suffices to say that this is not an error but an annoyance; I've just silenced it in logcheck. I will wait for the next version!!! ;-)

While I'm here: is there some rule of thumb for icap_preview_size and maxsize? E.g. maxsize > icap_preview_size or something like this?

Thanks.

darold commented 10 years ago

OK, it seems that squid 3.2+ doesn't accept icap_preview_size any more. It should be set in the c-icap.conf file instead. Could you try adding the following to your c-icap.conf file:

Service squidclamav squidclamav.so
squidclamav.PreviewSize 1024

This will instruct the squid ICAP client to send a preview. If that fixes the issue for you, I will update the documentation. Let me know.

To answer your question, the preview size should be small, 1024 is enough, and it has nothing to do with maxsize. The ICAP preview is explained here: https://tools.ietf.org/html/rfc3507#section-4.5

Setting maxsize to 5000000 will instruct squidclamav to interrupt the virus scan after 5MB independently of the preview size.

darold commented 10 years ago

Does the squidclamav.PreviewSize addition solve your issue?

marcogaio commented 10 years ago

Sorry, I was overbusy.

I've still not tried, simply because I'm on Debian wheezy, so squid 3.1, not 3.2.

Do I have to try it even on squid 3.1? Thanks.

darold commented 10 years ago

Yes, please try it.

marcogaio commented 10 years ago
root@lupus:~# /etc/init.d/c-icap start
/etc/init.d/c-icap: 65: export: config_squidclamav.PreviewSize: bad variable name

and does not start.

darold commented 10 years ago

What is the version of c-icap? I have tested with versions 0.1.6 and 0.3.2, and here is what the log says:

Warning, alias is the same as service_name, not adding
Going to search variable PreviewSize in table squidclamav
Setting parameter :PreviewSize=1024

I do not have this kind of error and can't find this message in the c-icap sources. Do you have any other check in your /etc/init.d/c-icap script?

darold commented 10 years ago

I don't know what's wrong with your installation; here are some further tests.

If I define the PreviewSize before the squidclamav service definition in the c-icap.conf file, I obtain this error:

Variable PreviewSize or table squidclamav not found!
Fatal error while parsing config file: "/etc/c-icap/c-icap.conf" line: 640
The line is: squidclamav.PreviewSize 1024

When I use an unknown variable name (WrongPreviewSize), I obtain this error:

Fatal error while parsing config file: "/etc/c-icap/c-icap.conf" line: 641
The line is: squidclamav.WrongPreviewSize 1024

Could you post the result of the following command:

grep "^[A-Za-z]" /etc/c-icap/c-icap.conf

Regards,

marcogaio commented 10 years ago

I'm using version 0.3.3, recompiled from Debian testing on Debian stable (only a plain recompilation, no further patching necessary). My config:

root@lupus:~# grep "^[A-Za-z]" /etc/c-icap/c-icap.conf
PidFile /var/run/c-icap/c-icap.pid
CommandsSocket /var/run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600  
StartServers 6
MaxServers 20
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild  0
Port 1344 
User c-icap
Group c-icap
ServerAdmin not@real
ServerName proxy.corsi.sv.lnf.it
TmpDir /tmp
MaxMemObject 131072
DebugLevel 0
ModulesDir /usr/lib/x86_64-linux-gnu/c_icap
ServicesDir /usr/lib/x86_64-linux-gnu/c_icap
TemplateDir /usr/share/c_icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /etc/c-icap/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
icap_access allow localhost
icap_access deny all
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log
Service echo srv_echo.so
Module logger sys_logger.so
Logger sys_logger
Service squidclamav squidclamav.so

Wait a moment... OOPS! Sorry! The culprit is the Debian init script (/etc/init.d/c-icap), which for some reason "greps" inside the config file and exports some variables... and bash does not support variables with a dot.

OK, script modified and c-icap restarted, sorry...
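Added example, not part of the thread and not c-icap's or Debian's code: a Python check for the two ways a `squidclamav.PreviewSize` line is seen breaking startup in this thread. It flags a `service.Param` line that appears before the `Service service ...` line declaring that service (c-icap's "Variable PreviewSize or table squidclamav not found!" above), rewrites the file so the parameter follows its declaration, and lists keys that are not valid shell identifiers, which an init script that exports `config_<key>` cannot handle ("export: config_squidclamav.PreviewSize: bad variable name"). The config excerpt is constructed for the example; parameters of modules loaded with `Module ...` lines are not tracked, so the ordering check is limited to services.

```python
import re

# Constructed c-icap.conf excerpt for this example (not a real file). The
# squidclamav parameter is deliberately placed before the Service line that
# declares the module, which c-icap rejects at startup.
SAMPLE_CONF = """\
# c-icap.conf (constructed sample)
PidFile /var/run/c-icap/c-icap.pid
Port 1344
DebugLevel 0
squidclamav.PreviewSize 1024
Service echo srv_echo.so
Service squidclamav squidclamav.so
Module logger sys_logger.so
Logger sys_logger
"""

# What a POSIX shell accepts as a variable name; a dot is not allowed.
SHELL_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_directives(text):
    """Yield (line_no, key, value) for every non-blank, non-comment line."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield no, parts[0], parts[1] if len(parts) > 1 else ""


def find_misordered_params(text):
    """Return [(line_no, 'svc.Param value'), ...] for parameters whose
    'Service svc ...' declaration has not been seen yet at that point."""
    declared = set()
    problems = []
    for no, key, value in parse_directives(text):
        if key == "Service" and value:
            declared.add(value.split()[0])
        elif "." in key and key.split(".", 1)[0] not in declared:
            problems.append((no, f"{key} {value}".rstrip()))
    return problems


def find_non_shell_keys(text):
    """Return directive keys that cannot be exported as shell variables
    (an init script doing `export config_$key=$value` fails on these)."""
    return sorted({key for _, key, _ in parse_directives(text) if not SHELL_IDENT.match(key)})


def move_params_after_service(text):
    """Return the config with each misordered 'svc.Param' line moved to just
    after its 'Service svc ...' line; everything else keeps its order."""
    lines = text.splitlines()
    bad = {no for no, _ in find_misordered_params(text)}
    deferred = {}
    for no in sorted(bad):
        svc = lines[no - 1].strip().split(".", 1)[0]
        deferred.setdefault(svc, []).append(lines[no - 1])
    out = []
    for no, raw in enumerate(lines, start=1):
        if no in bad:
            continue
        out.append(raw)
        parts = raw.strip().split()
        if len(parts) >= 2 and parts[0] == "Service":
            out.extend(deferred.pop(parts[1], []))
    # Parameters of a service that is never declared are appended so nothing
    # is dropped silently; c-icap will still reject them, which is correct.
    for rest in deferred.values():
        out.extend(rest)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for no, directive in find_misordered_params(SAMPLE_CONF):
        print(f"line {no}: '{directive}' precedes its Service declaration")
    print("keys an init script cannot export:", find_non_shell_keys(SAMPLE_CONF))
    print(move_params_after_service(SAMPLE_CONF))
```

Point `SAMPLE_CONF` at the output of the `grep "^[A-Za-z]" /etc/c-icap/c-icap.conf` command used earlier in the thread to run the same checks against a real configuration.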

marcogaio commented 10 years ago

Anyway...

Mar 31 15:06:20 lupus c-icap: : 32393/2201863936, squidclamav.c(483) squidclamav_check_preview_handler:  
Mar 31 15:06:20 lupus c-icap: : 32393/2201863936, WARNING can not begin to scan url: No preview data.#012 

still does not cure the warning...

marcogaio commented 10 years ago

I've just recompiled (on Debian wheezy) c-icap 0.3.4 and squidclamav 6.11 from trunk, but I still have this in syslog:

Sep 30 17:06:53 lupus c-icap: : 4923/754222848, squidclamav.c(477) squidclamav_check_preview_handler:  
Sep 30 17:06:53 lupus c-icap: : 4923/754222848, WARNING can not begin to scan url: No preview data.#012 

Could it be that this warning is printed on redirects?

darold commented 10 years ago

Hi,

This warning can be printed for two reasons:

1) you have not enabled preview in squid.conf or squid3.conf:

icap_preview_enable on
icap_preview_size 1024

2) the file is already in the squid cache

Regards,