# test squid + clamav

## o5gmmob8

Hi all,

Is there a good way to test that squid and clamav are working and preventing viruses from being downloaded?

I went to Wikipedia and found EICAR or something and was able to download that in both text and zip file forms.  That would indicate to me that antivirus is not working.

Walter

----------

## Odward

Mine blocks the eicar test files from Here.

Although not the httpS versions since I don't have secure connections via proxy.

Did you setup the c-icap server and tell squid about it?  Was squid installed with the icap-client USE flag?

I have app-antivirus/clamav, net-proxy/squid, net-proxy/squidclamav and net-proxy/c-icap installed, and net-proxy/squidguard <- although this isn't necessary if you just want to block viruses.

If all of that is ok, you will probably need to check your config files.

/etc/squid/squid.conf

/etc/squidclamav.conf

/etc/c-icap/c-icap.conf

You can look at /var/log/clamav/clamd.log but it only says much if it actually finds a virus.

You can also

```
tail -f /var/log/c-icap/server.log
```

then open some websites, that file should have all sorts of activity to indicate it is scanning.

If you're still at a loss, I just set all this up a few days ago for my home so just ask and I can probably help with the config files.

----------
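Odward's advice above is to watch the logs. The script below is an added example, not code from this thread or from the Squid, c-icap or squidclamav projects: it triages syslog lines of the shape Squid and c-icap write when the ICAP service is unhealthy, so that "is the scanner actually in the path?" becomes a yes/no answer instead of a `tail -f`. The sample log lines are constructed, modeled on the lines Walter posts later in this thread (host name, PID and service name copied from there); the regexes and the verdict wording are assumptions of this example.

```python
import re

# Constructed sample, modeled on the syslog lines quoted later in this thread (not a real capture).
FAILING_LOG = """\
Aug 24 00:02:59 Dell-server squid[19439]: WARNING: Squid got an invalid ICAP OPTIONS response from service icap://127.0.0.1:1344/squidclamav; error: unsupported status code of OPTIONS response
Aug 24 00:02:59 Dell-server squid[19439]: optional ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/squidclamav [down,!valid]
Aug 24 00:03:00 Dell-server c-icap: : 127.0.0.1 127.0.0.1 OPTIONS squidclamav 500
Aug 24 00:03:00 Dell-server squid[19439]: WARNING: Squid got an invalid ICAP OPTIONS response from service icap://127.0.0.1:1344/squidclamav; error: unsupported status code of OPTIONS response
Aug 24 00:03:00 Dell-server squid[19439]: optional ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/squidclamav [down,!valid]
"""

# Same service after a (constructed) successful restart: OPTIONS answers 200 and a RESPMOD scan goes through.
RECOVERED_LOG = FAILING_LOG + """\
Aug 24 00:05:10 Dell-server c-icap: : 127.0.0.1 127.0.0.1 OPTIONS squidclamav 200
Aug 24 00:05:11 Dell-server c-icap: : 192.168.1.20 192.168.1.20 RESPMOD squidclamav 200
"""

# Squid-side messages (service URL captured), and the c-icap access line (method, service, status).
INVALID_OPTIONS = re.compile(r"squid\[\d+\]: WARNING: Squid got an invalid ICAP OPTIONS response from service (icap://\S+?);")
SERVICE_DOWN = re.compile(r"squid\[\d+\]: optional ICAP service is down .*?: (icap://\S+) \[")
CICAP_ACCESS = re.compile(r"c-icap: : (\S+) (\S+) (OPTIONS|REQMOD|RESPMOD) (\S+) (\d{3})$")


def triage(log_text: str) -> dict:
    """Summarise ICAP health per service name from mixed squid + c-icap syslog lines."""
    services = {}

    def entry(name):
        return services.setdefault(name, {
            "invalid_options": 0,      # Squid rejected the OPTIONS reply
            "marked_down": 0,          # Squid took the service out of rotation
            "cicap_status": {},        # method -> {status code -> count} as seen by c-icap
            "last_options_status": None,
        })

    for line in log_text.splitlines():
        m = INVALID_OPTIONS.search(line)
        if m:
            entry(m.group(1).rsplit("/", 1)[-1])["invalid_options"] += 1
            continue
        m = SERVICE_DOWN.search(line)
        if m:
            entry(m.group(1).rsplit("/", 1)[-1])["marked_down"] += 1
            continue
        m = CICAP_ACCESS.search(line)
        if m:
            method, name, status = m.group(3), m.group(4), int(m.group(5))
            e = entry(name)
            per_method = e["cicap_status"].setdefault(method, {})
            per_method[status] = per_method.get(status, 0) + 1
            if method == "OPTIONS":
                e["last_options_status"] = status
    return services


def verdict(services: dict) -> dict:
    """One-line conclusion per service, based on the latest OPTIONS status and whether scans are flowing."""
    out = {}
    for name, e in services.items():
        if e["last_options_status"] == 200 and e["cicap_status"].get("RESPMOD"):
            out[name] = "scanning: latest OPTIONS is 200 and RESPMOD traffic is reaching c-icap"
        elif e["last_options_status"] == 200:
            out[name] = "reachable: latest OPTIONS is 200 but no REQMOD/RESPMOD traffic seen yet"
        elif e["marked_down"]:
            out[name] = (f"down: Squid marked the service down {e['marked_down']}x, "
                         f"c-icap answered OPTIONS with {e['last_options_status']}; "
                         "raise DebugLevel in c-icap.conf and check that the Service line loads squidclamav.so")
        else:
            out[name] = "unknown: no ICAP health messages for this service"
    return out


if __name__ == "__main__":
    for label, text in (("failing", FAILING_LOG), ("recovered", RECOVERED_LOG)):
        for name, line in verdict(triage(text)).items():
            print(f"[{label}] {name}: {line}")
```

To run it against a real box, feed the output of `grep -E 'squid\[|c-icap' /var/log/messages` (or wherever syslog puts it) into `triage`; the c-icap access line format here is the one quoted in this thread, so adjust `CICAP_ACCESS` if your c-icap logs differently.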

## o5gmmob8

Hi Odward,

Thanks for your reply.

Yes, I set up the c-icap server and squid is aware of it.  Yes, squid was built with the icap-client USE flag.

Yes, I also have squidguard and adzapper, although it appears adzapper is not being used recently.  (It appeared that both squidguard and adzapper were being used for a little while after I had set up clamav, squidguard, and c-icap, but recently, I am getting ads again).

I am using syslog for managing most of my log files and as a result, it is intertwined with other logs.  I'll poke around my logs to see if I can find anything interesting.  I will try that eicar site again.

Thanks,

Walter

----------

## o5gmmob8

Hi Odward,

After making my logs a bit more verbose, this is what I got:

```
Aug 24 00:02:59 Dell-server squid[19439]: WARNING: Squid got an invalid ICAP OPTIONS response from service icap://127.0.0.1:1344/squidclamav; error: unsupported status code of OPTIONS response
Aug 24 00:02:59 Dell-server squid[19439]: optional ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/squidclamav [down,!valid]
Aug 24 00:03:00 Dell-server c-icap: : 127.0.0.1 127.0.0.1 OPTIONS squidclamav 500
Aug 24 00:03:00 Dell-server squid[19439]: WARNING: Squid got an invalid ICAP OPTIONS response from service icap://127.0.0.1:1344/squidclamav; error: unsupported status code of OPTIONS response
Aug 24 00:03:00 Dell-server squid[19439]: optional ICAP service is down after an options fetch failure: icap://127.0.0.1:1344/squidclamav [down,!valid]
```

I tried this setup using documentation from one of the links below.  This is my relevant squid.conf (or was my squid.conf); I have updated it, see the second block below this one.

```
#http://wiki.squid-cache.org/Features/ICAP
#http://monklinux.blogspot.com/2012/03/installing-squid-proxy-with-reporting.html
#http://c-icap.sourceforge.net/install.html
#http://squid-web-proxy-cache.1019090.n4.nabble.com/Icap-clam-Av-td1593135.html

icap_enable          on
icap_preview_enable  on
icap_preview_size    128
icap_send_client_ip  on
icap_service         service_avi_req reqmod_precache 0 icap://localhost:1344/srv_clamav
icap_service         service_avi respmod_precache 1 icap://localhost:1344/srv_clamav
adaptation_service_set         class_antivirus service_avi service_avi_req
adaptation_access          class_antivirus allow all
```

```
# use i-cap to enable ClamAV to scan content for viruses
#http://wiki.squid-cache.org/Features/ICAP
#http://monklinux.blogspot.com/2012/03/installing-squid-proxy-with-reporting.html
#http://c-icap.sourceforge.net/install.html
#http://squid-web-proxy-cache.1019090.n4.nabble.com/Icap-clam-Av-td1593135.html
#http://squidclamav.darold.net/installv6.html

icap_enable          on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all
```

According to another post, I am using the wrong URL.  What are you using?

Walter

----------
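The warning Walter quotes ("unsupported status code of OPTIONS response", followed by Squid marking the service down) comes from the ICAP OPTIONS exchange Squid performs before it will send any REQMOD/RESPMOD traffic. The script below is an added example, not code from this thread or from Squid, c-icap or squidclamav: it sends the same OPTIONS request by hand and checks the reply for what Squid needs, so the ICAP leg can be verified without going through Squid at all. The host 127.0.0.1, port 1344 and service name squidclamav are taken from Walter's squid.conf; the request headers, the parser and the health checks are this example's own assumptions (the OPTIONS response requirements follow RFC 3507 section 4.10).

```python
import socket


def build_options_request(host: str, port: int, service: str) -> bytes:
    """Minimal ICAP/1.0 OPTIONS request for icap://host:port/service (RFC 3507 section 4.10)."""
    request = (
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: icap-options-probe (constructed example)\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    )
    return request.encode("ascii")


def parse_icap_response(raw: bytes) -> dict:
    """Parse the status line and headers of an ICAP response.

    Returns {'status': int, 'reason': str, 'headers': {lowercase-name: value}}.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "reason": parts[2] if len(parts) > 2 else "", "headers": headers}


def assess_options(parsed: dict) -> list:
    """Return the problems Squid would trip over in this OPTIONS reply; [] means the service looks healthy."""
    problems = []
    if parsed["status"] != 200:
        # This is the case in the thread: c-icap answered OPTIONS with 500, Squid logged
        # "unsupported status code of OPTIONS response" and marked the service down.
        problems.append(f"OPTIONS returned {parsed['status']} {parsed['reason']}: "
                        "Squid only accepts 200 here and will mark the service down")
        return problems
    methods = {m.strip().upper() for m in parsed["headers"].get("methods", "").split(",") if m.strip()}
    for wanted in ("REQMOD", "RESPMOD"):
        if wanted not in methods:
            problems.append(f"service does not advertise {wanted}; the matching "
                            f"{wanted.lower()}_precache icap_service line cannot be used")
    if "istag" not in parsed["headers"]:
        problems.append("no ISTag header; RFC 3507 requires it in every OPTIONS response")
    return problems


def probe(host: str, port: int, service: str, timeout: float = 5.0) -> list:
    """Connect to the ICAP service, send OPTIONS and assess the reply (needs a live c-icap)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, port, service))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return assess_options(parse_icap_response(raw))


if __name__ == "__main__":
    # Defaults match the thread: c-icap on 127.0.0.1:1344, service named "squidclamav" in c-icap.conf.
    findings = probe("127.0.0.1", 1344, "squidclamav")
    print("OK: OPTIONS reply is acceptable to Squid" if not findings else "\n".join(findings))
```

A non-200 here with Squid out of the picture points at c-icap itself (the `Service` name or the shared object it loads, as the rest of this thread works out); a 200 with a missing method points at the `icap_service` lines in squid.conf.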

## Odward

*Quote:*

> icap_enable          on
> icap_send_client_ip on
> icap_send_client_username on
> ...

That entry of yours is exactly what I'm using.

In /etc/c-icap/c-icap.conf

Do you have

```
Service squidclamav squidclamav.so
```

If you had that configured from your initial settings it might have been similar to

```
Service srv_clamav srv_clamav.so
```

and assuming we're both using the same stable versions from portage, the squidclamav.so should be the correct version.

***Edit - Just an FYI of sorts

In c-icap.conf - "Service squidclamav squidclamav.so" the squidclamav is arbitrary in that you could rename the service to whatever you want.  If you used a custom name, the squid.conf file would have to use the same name at the end of the icap:url because that's how it knows what service it is trying to contact.  The squidclamav.so is the important part because that is the shared object file used by the service.  I'm assuming a previous version used srv_clamav.so but that file doesn't exist on my system.

And just in case - in c-icap.conf you should have ServicesDir followed by the /path/to your squidclamav.so; in my case it's

```
ServicesDir /usr/lib64/c_icap
```

Alternately for "Service" you could use

```
Service squidclamav /usr/lib64/c_icap/squidclamav.so
```

Or the correct path if it's different on your system.

And, if this wasn't all for naught, don't forget to restart your c-icap with the new config  :D

----------

## o5gmmob8

Hi,

I forgot about c-icap.conf.  I had edited it to some point to match the URL, but it was set to clamav.  I changed it to squidclamav to match squid, restarted and I believe I am still having the same problem.

I will take a look again later, it seems squid is banning it because it is repeatedly not working (so the logs are not as verbose as I like until it tries to use it again).

Walter

----------

## o5gmmob8

Hi Odward,

I set the DebugLevel to 10 in c-icap.conf.  I now see that squidclamav is not initializing, but I don't appear to see anything else that stands out as helpful / useful.

It would be helpful if I could see whether there is a configuration flaw in my squidclamav.conf or a library mismatch.

```
maxsize 5000000
redirect http://router/squid-clamav/virus-found.html
squidguard /usr/bin/squidGuard
clamd_local /var/run/clamav/clamd.sock
timeout 1
logredir 1
dnslookup 1
trustcache 0
```

I am rebuilding a bunch of libraries with the hope that maybe a library was out of sync after an update.

Walter

----------

## Odward

I have 'dnslookup 0' because the config file says if that is enabled (1) you must use "trustclient with hostname in the regexp" and you must have a DNS server on your network.

I don't have a real DNS server, and you don't appear to be using trustclient unless you omitted that from your config post.

Also the trustcache, which might need to be trust_cache, according to http://squidclamav.darold.net/config.html is "obsolete/unused" in version 6.x

This last part may not concern you, but just in case.

The last thing I can think of offhand, from my limited experience, would be to ask if you changed the default User / Group of c-icap yet?

I had mine working first, but afterwards I ceased having it run as root and I believe I had to be sure clamd and c-icap were both a member of the same group so c-icap could use the clamd socket (by default my clamd.sock was only available to owner/group).  I also think I had to add that group to the database used by squidGuard so it could read the blacklisted / whitelisted sites, since it is apparently called by the c-icap server via squidclamav.conf and ignores the url_rewrite directives in squid.conf entirely.  If I comment "squidguard ..." in squidclamav.conf I still get AV scans but I lose ad filtering, even with url_rewrite rules in place and working in squid.conf before I even installed squidclamav.  So for me, so far, that "squidguard /usr/bin/squidGuard" is required to retain ad filtering (even though the squidclamav.conf says the url_rewrites in squid.conf are the preferred method!).

----------

## o5gmmob8

Hi Odward,

Thanks for your reply.  I commented out trustcache 0, as when squidclamav was starting it would complain about that but still start.  I don't see any errors yet, but I also can download that eicar file (perhaps because it is in my cache).

I'll let this run for a while to see if squid is using squidclamav or if it is still blocking it.

Thanks,

Walter

----------

## o5gmmob8

Hi Odward,

Thanks for your help.  I decided to take a look at it this evening and found that apparently having the line:

```
squidguard /usr/bin/squidGuard
```

was causing squidGuard to never initialize.  I commented it out and it now works.  I believe I am using adzapper and squidGuard along with squidClamav for anti-virus checking now.  I think before, it was trying to do squidGuard twice.

Anyways, it looks like it is working.  Maybe this will help someone else.

The only downside is that my Internet now appears to be a little sluggish.

Walter

----------
