Author Topic: [SOLVED] EICAR virus test not working  (Read 5351 times)

mat1_8

  • Zen Monk
  • **
  • Posts: 99
  • Karma: +0/-1
Re: EICAR virus test not working
« Reply #15 on: April 18, 2013, 09:06:05 am »
Just to double check with you guys, the proxy IP and port which need to be configured in the browser are the HTTP proxy IP (mine 192.168.1.1) and 3128 right? Thanks

christian

  • Guest
Re: EICAR virus test not working
« Reply #16 on: April 18, 2013, 09:19:09 am »
Do not take it the wrong way, nor as a personal attack, but I'm fed up with all this boring stuff about VM side effects when it comes to testing something or investigating a potential issue.

Unless you understand the details and master them, I would suggest you do not start with a VM but rather with a bare installation.
Once everything works as expected, if it appears that a VM fits your needs, let's go VM, but do not involve it in the picture if you don't understand whether or not it could have side effects on what you are testing.

Back to your problem:
I've installed http proxy and anti-virus on my sandbox server.
 >:( >:( Grrrr ! proxy will not start if "users & groups" is not installed  >:( >:(  f*%#!?  I don't want to authenticate  :-X :-X
Anyway, I installed it and started HTTP proxy and made some tests.
Indeed, I can get eicar test file without any warning :o

Investigating further, I discovered that dansguardian is not running. I don't know why yet.
Looking at /stubs/squid, the dansguardian conf will definitely trigger clam to check for viruses, but I don't have any dansguardian process running and restarting the proxy doesn't restart dansguardian.
On the other hand, there is this undocumented "external-proxy" stuff.
Has anyone performed some reverse engineering to understand what's behind such a design? I never got an answer from Zentyal staff  ::)

I'm looking at this right now.

christian

Re: EICAR virus test not working
« Reply #17 on: April 18, 2013, 09:29:34 am »
Looking at /var/log/zentyal/software.log, I notice a funny message:
Code:
software.log:2013-04-17 10:03:02>   adzapper auth-client-config clamav clamav-base clamav-freshclam dansguardian
software.log:2013-04-17 10:03:02>   adzapper auth-client-config clamav clamav-base clamav-freshclam dansguardian
software.log:2013-04-17 10:03:10> Get:34 http://us.archive.ubuntu.com/ubuntu/ precise/universe dansguardian i386 2.10.1.1-4 [486 kB]
software.log:2013-04-17 10:03:50> Selecting previously unselected package dansguardian.
software.log:2013-04-17 10:03:50> Unpacking dansguardian (from .../dansguardian_2.10.1.1-4_i386.deb) ...
software.log:2013-04-17 10:03:50> dpkg: warning: version 'dansguardian_2.8.0.6-antivirus-6.4.4.1-4' has bad syntax: version number does not start with digit
software.log:2013-04-17 10:04:39> Setting up dansguardian (2.10.1.1-4) ...
software.log:2013-04-17 10:04:55> Warning: The home dir /var/log/dansguardian you specified already exists.
software.log:2013-04-17 10:04:55> Adding system user `dansguardian' (UID 116) ...
software.log:2013-04-17 10:04:55> Adding new group `dansguardian' (GID 125) ...
software.log:2013-04-17 10:04:55> Adding new user `dansguardian' (UID 116) with group `dansguardian' ...
software.log:2013-04-17 10:04:56> adduser: Warning: The home directory `/var/log/dansguardian' does not belong to the user you are currently creating.
software.log:2013-04-17 10:04:56> The home directory `/var/log/dansguardian' already exists.  Not copying from `/etc/skel'.
software.log:2013-04-17 10:04:56>         DansGuardian has not been configured!
software.log:2013-04-17 10:04:56>         Please edit /etc/dansguardian/dansguardian.conf manually then rerun

Still investigating  8)

christian

Re: EICAR virus test not working
« Reply #18 on: April 18, 2013, 09:50:26 am »
Got it  ;D
It took some time as I'm not used to configuring 3.0.

Here is (most likely) where you missed something:

If in the proxy access rules you do not set "apply filter profile", which furthermore has to point to some existing filter profile, then there is no profile applied  :D and Dansguardian (which provides the relay to the antivirus check) is not involved.

Checking the "enable anti-virus" check-box will only force "1" in the dansguardian conf to be sure that clam will be called... but only if you call Dans  ;D

Please test and let us know  8)

mat1_8

Re: EICAR virus test not working
« Reply #19 on: April 18, 2013, 10:15:07 am »
Hi Christian,

I am really really thankful for your help :D.

OK I am currently working with filters and have enabled the antivirus checkbox but still no luck. I am attaching some screenshots to further help the investigation :).

Further to that I have found a website on how to configure Dansguardian + Clamav configuration files and I am noticing some things that are not according to such configuration. I am going to quote from such website (http://www.linuxexpert.ro/Linux-Tutorials/setup-dansguardian-with-squid-and-clamav.html)

1) Open dansguardian.conf and uncomment this line: contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'


OK I have checked this and the line was already un-commented so that's settled.

2) Find  the line LocalSocket in /etc/clamd.conf and put the same socket path in contentscanners/clamdscan.conf at clamdudsfile line.
Also keep in mind that both Clamav and DansGuardian must run as the same user.
For that you should check User line in /etc/clamd.conf and daemonuser, daemongroup lines in /etc/dansguardian/contentscanners/clamav.conf


So in this case I have found the LocalSocket in the clamd.conf file and it matches the same socket path in clamdscan.conf.

Now the biggest question is regarding the user of Clamav and DansGuardian which in this case the author is saying they need to be the same user. Now in my case they are NOT. I have tried to change them but when I restart Zentyal server, the users will return back to their old format.

In the /etc/clamd.conf the user is root, while the daemonuser and daemongroup are commented and set as nobody. I have changed the user from root to clamav for both the clamd.conf, daemonuser and daemongroup. Then I would save the files, restart the server and back to square one :S
« Last Edit: April 18, 2013, 10:17:00 am by mat1_8 »
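Added example, not part of the original post or the linked tutorial: a read-only check of the two points quoted above (same socket path on both sides, same user on both sides). The sample configuration text and the socket path are constructed, and the file that carries daemonuser/daemongroup is passed in as text because the post and the tutorial do not agree on where it lives.

```python
import re

def parse_clamd(text):
    """clamd.conf syntax: 'Key value' per line, '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf

def parse_dansguardian(text):
    """DansGuardian syntax: key = 'value'; commented-out lines do not match."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*'?([^'#]*)'?", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def check(clamd_text, scanner_text, daemon_text):
    """Return a list of mismatches between the clamd and DansGuardian sides."""
    clamd = parse_clamd(clamd_text)
    scanner = parse_dansguardian(scanner_text)
    daemon = parse_dansguardian(daemon_text)
    findings = []
    # Point 2 of the tutorial: LocalSocket must equal clamdudsfile.
    sock, uds = clamd.get("LocalSocket"), scanner.get("clamdudsfile")
    if sock is None or sock != uds:
        findings.append(f"socket: LocalSocket={sock} clamdudsfile={uds}")
    # Same user on both sides; an unset (commented-out) key is reported as None.
    user, dg_user = clamd.get("User"), daemon.get("daemonuser")
    if user is None or user != dg_user:
        findings.append(f"user: User={user} daemonuser={dg_user}")
    return findings

# Constructed sample input mirroring the state described in the post:
# sockets match, clamd runs as root, daemonuser/daemongroup are commented out.
CLAMD = "LocalSocket /var/run/clamav/clamd.ctl\nUser root\n"
SCANNER = "clamdudsfile = '/var/run/clamav/clamd.ctl'\n"
DAEMON = "#daemonuser = 'nobody'\n#daemongroup = 'nobody'\n"

if __name__ == "__main__":
    for finding in check(CLAMD, SCANNER, DAEMON):
        print("MISMATCH", finding)
```

The check only reads text, so it can be pointed at the generated files without modifying anything on the server.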

christian

Re: EICAR virus test not working
« Reply #20 on: April 18, 2013, 10:22:06 am »
Using Zentyal, except if you want to implement something that has not been taken into account, you are not supposed to edit/modify conf files manually.

At least if you want to modify conf files, do it in /usr/share/zentyal/stubs  8)

So you do confirm that:

- filter profile: you have defined at least one profile with the antivirus check box enabled
- access rules: decision is set to "apply filter profile" pointing to the one having antivirus enabled
- there is no other access rule  ;)

and it still doesn't work ?

mat1_8

Re: EICAR virus test not working
« Reply #21 on: April 18, 2013, 10:31:22 am »
Just removed the other access rule as shown in the previous screenshot and gave a restart....let's see what happens :). So in this case if I need to create other access rules, is there a solution to the problem please? Thanks

christian

Re: EICAR virus test not working
« Reply #22 on: April 18, 2013, 10:34:16 am »
The problem is that if one access rule without filtering applies, then there is no filtering...  ::)
So you can have multiple access rules, but be cautious so that it does fit your requirements, that's it

mat1_8

Re: EICAR virus test not working
« Reply #23 on: April 18, 2013, 10:37:54 am »
Clicking on the virus test files....they go through without any blocking :(...don't know what else to test hehhh I am tired thinking lol

christian

Re: EICAR virus test not working
« Reply #24 on: April 18, 2013, 10:39:53 am »
Clicking on the virus test files....they go through without any blocking

from the cache ?

mat1_8

Re: EICAR virus test not working
« Reply #25 on: April 18, 2013, 10:49:49 am »
Removed cache files, temp files, dns cache but still no luck. Next....try a different browser and see what happens

mat1_8

Re: EICAR virus test not working
« Reply #26 on: April 18, 2013, 11:00:15 am »
Still no luck with a different browser. Don't know what else I am going to test. As far as I am concerned I have configured everything correctly. Now either I missed something or I don't know.....It worked for you Christian so it's surely not a bug :S

christian

Re: EICAR virus test not working
« Reply #27 on: April 18, 2013, 11:02:46 am »
I don't know why but I'm never facing a lot of bugs  :-[ perhaps because I'm not using advanced features  ;)

mat1_8

Re: EICAR virus test not working
« Reply #28 on: April 18, 2013, 11:04:22 am »
Yepp could be....I will keep looking for a solution until now pray to God that something appears

mat1_8

Re: EICAR virus test not working
« Reply #29 on: April 18, 2013, 11:43:26 am »
OK problem got solved....you know how? Well basically I have connected the virtual machine in bridged mode instead of NAT mode. The reason is that in NAT mode, the connection was passing through my physical machine's antivirus and therefore it was cleaning the virus before entering the virtual machine. Strangely enough I even disabled the antivirus before changing the connection to bridged mode and still it did not work. Hehhh fighting with this problem and it was damn simple...