ClamAV EICAR Test Files Easily Downloaded

So I just installed clamav and squidclamav with no issues and followed the instructions on the IPFire Wiki CLAMAV Addon page for configuration. Everything seems to be fine, however, I’m able to download the HTTP EICAR test files without receiving any kind of message or warning. Any ideas why this might be occurring? Thank you.

Did you expect to get a warning message by email or a popup in your browser?

If so, no chance, there won’t be any sort of notification this way. However, I guess the logs will show you the blocked content, did not check though.

I’m still new to IPFire so I’m not sure which logs to look at and where they are at.

There was no blocked content as I was able to download the files to my desktop, open them and read their contents easily.

I just experienced the same issue. No warnings, no IPFire errors or log messages. EICAR files are easy to download from https://www.eicar.org/?page_id=3950.

It is normal that https is not scanned because the connection is encrypted. Use http for this test!


I was using http (and not https)

Should I add something to bugzilla?

Have you configured the browser to use the proxy or enabled transparent mode?

Is squidclamav enabled and running?

Does your browser use https automatically if the site was loaded via https before?

transparent mode enabled

squidclamav not installed

browser: if I load http it stays http. If I load https it stays https. No automatic changes.

Is the proxy (non-transparent) needed for clamav?

And squidclamav installed?

squidclamav is needed for the proxy to use clamav for scanning the traffic.
The proxy must be used (both modes are possible, transparent or non-transparent), but the browser must use the proxy.

As it relates to squidclamav & clamav, what does the above mean?

If you do not use the proxy, squidclamav is simply not used at all because it is a proxy extension.

Ugh! I got lost along the way…

Can ClamAV be used in the transparent mode? If so, how?

EDIT: I’m reading about squidclamav now, but I have no understanding of what it does or why it is needed.

ClamAV is a daemon that provides scan services for a command-line scanner for local files. It cannot scan network traffic.
You additionally need squidclamav to redirect a download and scan it before it is sent back to the proxy.

So to use ClamAV to scan downloads via transparent proxy you need to run the daemon and have squidclamav installed and enabled as redirector in the proxy.

I’ve been reading and re-reading the ClamAV wiki. And making small changes to the ClamAV wiki yesterday and today. Part of the reason I asked the above questions was to update the wiki as I installed the ClamAV addon.

I added this paragraph earlier today but after adding it I wasn’t quite sure it was correct:


Requirements

The Web Proxy is used in the non-transparent/conventional mode. Transparent on Green (or Blue) must be disabled. Please configure and setup before continuing.