Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: mat1_8 on April 16, 2013, 04:29:13 pm

Title: [SOLVED] EICAR virus test not working
Post by: mat1_8 on April 16, 2013, 04:29:13 pm
Hi,

I have enabled the antivirus module, but when I visit the EICAR website and try to download one of the virus test files, the antivirus does not block the file. Why is this so please? I have enabled the antivirus module, enabled it in SAMBA and also in the filter profiles but it does not seem to work :S. Thanks
Title: Re: EICAR virus test not working
Post by: christian on April 16, 2013, 04:38:11 pm
I just tested again and confirm it works here (Zentyal 2.2)  :) for HTTP but obviously not for HTTPS  8)
BTW I've tested all files exposed here (http://www.eicar.org/85-0-Download.html), just to be sure.

Are you sure you're using the proxy?
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 16, 2013, 04:41:18 pm
Yep, I am using the proxy, since I am authenticating the user via the proxy too, and from the HTTP proxy log file I could see where the user has accessed. When you say HTTP and not HTTPS, what do you mean exactly please? Could I be using an HTTPS connection?
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 16, 2013, 04:44:37 pm
Hmm, OK, I know what you meant about HTTP or HTTPS... :). If the file gets blocked by the antivirus, what screen does it show please? If possible, would it be a problem to provide me with a screenshot please? Thanks
Title: Re: EICAR virus test not working
Post by: christian on April 16, 2013, 05:15:24 pm
Here, attached  8)
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 17, 2013, 11:22:16 am
Thanks Christian, will try it out once I get the other thing sorted.... I have posted a new topic
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 17, 2013, 01:20:03 pm
Hi Christian,

Still no luck with the test file. In the screenshot you attached, is the virus blocked by the antivirus or by the content filter? The reason I ask is that the category is set to content scanning.

Also, are you using the transparent proxy? Mine is not enabled, since I am giving the IP address and port of the proxy server manually. I don't know if that makes a difference in regard to virus scanning.
Title: Re: EICAR virus test not working
Post by: christian on April 17, 2013, 01:33:46 pm
As you may see if you really read what my screenshot shows, it states:
"Virus or bad content detected"  because the anti-virus is indeed active  ;)

In order to speed up the investigation, could you please post a screen copy of your HTTP proxy settings?
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 17, 2013, 03:28:02 pm
Hi Christian,

Sorry for the delay. Do you require the configuration file or a screenshot of the GUI interface regarding the HTTP Proxy? Thanks
Title: Re: EICAR virus test not working
Post by: christian on April 17, 2013, 03:32:12 pm
I guess a GUI screenshot is enough if you didn't change the conf file manually  ;)
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 17, 2013, 03:39:20 pm
Attached :)
Title: Re: EICAR virus test not working
Post by: christian on April 17, 2013, 04:07:05 pm
Ah! You're running Zentyal 3.0  :-X
As far as I remember, there is no option to enable/disable AV content scanning with 3.0.
You may look at dansguardian.conf and check whether this is enabled by default, or wait for someone using 3.0 to answer.

I reinstalled my 3.0 test box yesterday, but neither proxy nor anti-virus is there. Perhaps later  ;)
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 17, 2013, 04:26:17 pm
Thanks for your help; well, hopefully someone will give feedback soon :)
Title: Re: EICAR virus test not working
Post by: Sam Graf on April 17, 2013, 05:27:08 pm
Regrettably my 3.0 test machine is shut down but I can confirm successfully testing against the EICAR files (not HTTPS). If I need to retest for some reason I can (and am willing to) do that, but it will be a day or two before I can bring that machine back on line.
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 18, 2013, 07:59:55 am
Hi,

Thanks for your interest. I am currently working via virtual machines and don't know if that makes a difference? The client machine is in NAT state and therefore needs to use my physical machine as the gateway to the Internet.

When I click on one of the EICAR virus tests, my physical machine's antivirus automatically blocks it as malware, obviously. In fact I disabled my antivirus because I thought that it was "cleaning" the malware by itself before it arrived on the virtual machine, but still no luck with that. The other thing which I have done is download the blacklist file from the Dansguardian website and blacklist 2 categories - malware and virus something.... When I tried to access the virus test files again, these were not allowed since the site is blacklisted. Obviously it does make sense, but after all not all malware sites are listed in the blacklist file, so I will surely need the antivirus to work properly.
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 18, 2013, 09:06:05 am
Just to double check with you guys, the proxy IP and port which need to be configured in the browser are the HTTP proxy IP (mine is 192.168.1.1) and 3128, right? Thanks
Title: Re: EICAR virus test not working
Post by: christian on April 18, 2013, 09:19:09 am
Do not take it the wrong way, nor as a personal attack, but I'm fed up with all this boring stuff about VM side effects when it comes to testing something or investigating a potential issue.

Unless you understand the very details and master them, I would suggest you do not start with a VM but rather a bare installation.
Once everything works as expected, if it appears that a VM fits your needs, let's go VM, but do not involve it in the picture if you don't understand whether or not it could have a side effect on what you are testing.

Back to your problem:
I've installed the HTTP proxy and anti-virus on my sandbox server.
 >:( >:( Grrrr ! The proxy will not start if "users & groups" is not installed  >:( >:(  f*%#!?  I don't want to authenticate  :-X :-X
Anyway, I installed it, started the HTTP proxy and made some tests.
Indeed, I can get the eicar test file without any warning :o

Investigating further, I discover that dansguardian is not running. I don't know why yet.
Looking at /stubs/squid, the dansguardian conf will definitely trigger clam to check for viruses, but I don't have any dansguardian process running, and restarting the proxy doesn't restart dansguardian.
On the other hand, there is this undocumented "external-proxy" stuff.
Has anyone performed some reverse engineering to understand what's behind such a design? I never got an answer from Zentyal staff  ::)

I'm looking at this right now.
Title: Re: EICAR virus test not working
Post by: christian on April 18, 2013, 09:29:34 am
Looking at /var/log/zentyal/software.log, I notice a funny message:
Code:
software.log:2013-04-17 10:03:02>   adzapper auth-client-config clamav clamav-base clamav-freshclam dansguardian
software.log:2013-04-17 10:03:02>   adzapper auth-client-config clamav clamav-base clamav-freshclam dansguardian
software.log:2013-04-17 10:03:10> Get:34 http://us.archive.ubuntu.com/ubuntu/ precise/universe dansguardian i386 2.10.1.1-4 [486 kB]
software.log:2013-04-17 10:03:50> Selecting previously unselected package dansguardian.
software.log:2013-04-17 10:03:50> Unpacking dansguardian (from .../dansguardian_2.10.1.1-4_i386.deb) ...
software.log:2013-04-17 10:03:50> dpkg: warning: version 'dansguardian_2.8.0.6-antivirus-6.4.4.1-4' has bad syntax: version number does not start with digit
software.log:2013-04-17 10:04:39> Setting up dansguardian (2.10.1.1-4) ...
software.log:2013-04-17 10:04:55> Warning: The home dir /var/log/dansguardian you specified already exists.
software.log:2013-04-17 10:04:55> Adding system user `dansguardian' (UID 116) ...
software.log:2013-04-17 10:04:55> Adding new group `dansguardian' (GID 125) ...
software.log:2013-04-17 10:04:55> Adding new user `dansguardian' (UID 116) with group `dansguardian' ...
software.log:2013-04-17 10:04:56> adduser: Warning: The home directory `/var/log/dansguardian' does not belong to the user you are currently creating.
software.log:2013-04-17 10:04:56> The home directory `/var/log/dansguardian' already exists.  Not copying from `/etc/skel'.
software.log:2013-04-17 10:04:56>         DansGuardian has not been configured!
software.log:2013-04-17 10:04:56>         Please edit /etc/dansguardian/dansguardian.conf manually then rerun

Still investigating  8)
Title: Re: EICAR virus test not working
Post by: christian on April 18, 2013, 09:50:26 am
Got it  ;D
It took some time as I'm not used to configuring 3.0.

Here is (most likely) where you missed something:

If in the proxy access rules you do not set "apply filter profile", which furthermore has to point to some existing filter profile, then there is no profile applied  :D and Dansguardian (which provides the relay to the antivirus check) is not involved.

Checking the "enable anti-virus" check-box will only force "1" in the dansguardian conf, to be sure that clam will be called... but only if you call Dans  ;D

Please test and let us know  8)
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 18, 2013, 10:15:07 am
Hi Christian,

I am really really thankful for your help :D.

OK, I am currently working with filters and have enabled the antivirus checkbox, but still no luck. I am attaching some screenshots to further help the investigation :).

Further to that, I have found a website on how to configure the Dansguardian + Clamav configuration files, and I am noticing some things that do not match that configuration. I am going to quote from that website (http://www.linuxexpert.ro/Linux-Tutorials/setup-dansguardian-with-squid-and-clamav.html)

1) Open dansguardian.conf and uncomment this line: contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'


OK, I have checked this and the line was already un-commented, so that's settled.

2) Find the line LocalSocket in /etc/clamd.conf and put the same socket path in contentscanners/clamdscan.conf at clamdudsfile line.
Also keep in mind that both Clamav and DansGuardian must run as the same user.
For that you should check User line in /etc/clamd.conf and daemonuser, daemongroup lines in /etc/dansguardian/contentscanners/clamav.conf


So in this case I have found the LocalSocket in the clamd.conf file, and it matches the socket path in clamdscan.conf.

Now the biggest question is regarding the user of Clamav and DansGuardian, which in this case the author is saying need to be the same user. Now in my case they are NOT. I have tried to change them, but when I restart the Zentyal server, the users return back to their old format.

In /etc/clamd.conf the user is root, while daemonuser and daemongroup are commented and set as nobody. I have changed the user from root to clamav for clamd.conf, daemonuser and daemongroup. Then I would save the files, restart the server and be back to square one :S
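The two consistency conditions quoted from the tutorial above (same socket path in clamd.conf and clamdscan.conf, same user for both daemons) can be checked read-only, without editing any file. This is an added example, not code from Zentyal or the thread; the config contents and the socket path /var/run/clamav/clamd.ctl are constructed samples that mirror the situation described in the post.

```python
import re

def parse_conf(text):
    """Parse clamd / DansGuardian style config ("Key value" or
    "key = 'value'"). Comment lines are dropped, so a commented-out
    setting reads as absent, exactly as the daemon sees it."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)
        if m:
            conf[m.group(1).lower()] = m.group(2).strip().strip("'\"")
    return conf

def check_av_config(clamd_text, clamdscan_text):
    """Return a list of problems; an empty list means the files agree."""
    clamd, scan = parse_conf(clamd_text), parse_conf(clamdscan_text)
    problems = []
    sock, uds = clamd.get("localsocket"), scan.get("clamdudsfile")
    if not sock or not uds:
        problems.append("LocalSocket or clamdudsfile not set (commented out?)")
    elif sock != uds:
        problems.append(f"socket mismatch: LocalSocket={sock} clamdudsfile={uds}")
    clam_user, dg_user = clamd.get("user"), scan.get("daemonuser")
    if dg_user is None:
        problems.append("daemonuser commented out in clamdscan.conf")
    elif clam_user != dg_user:
        problems.append(f"user mismatch: clamd User={clam_user} daemonuser={dg_user}")
    return problems

# Constructed samples mirroring the thread: same socket, root vs commented-out user.
CLAMD_CONF = """# clamd.conf (constructed sample)
LocalSocket /var/run/clamav/clamd.ctl
User root
"""
CLAMDSCAN_CONF = """# clamdscan.conf (constructed sample)
clamdudsfile = '/var/run/clamav/clamd.ctl'
#daemonuser = 'nobody'
#daemongroup = 'nobody'
"""
CLAMD_CONF_FIXED = CLAMD_CONF.replace("User root", "User clamav")
CLAMDSCAN_CONF_FIXED = CLAMDSCAN_CONF.replace("#daemonuser = 'nobody'", "daemonuser = 'clamav'")

if __name__ == "__main__":
    for name, pair in (("as posted", (CLAMD_CONF, CLAMDSCAN_CONF)),
                       ("fixed", (CLAMD_CONF_FIXED, CLAMDSCAN_CONF_FIXED))):
        print(name, check_av_config(*pair) or "OK")
```

On a real box, read /etc/clamd.conf and /etc/dansguardian/contentscanners/clamdscan.conf into the two strings instead of the samples.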
Title: Re: EICAR virus test not working
Post by: christian on April 18, 2013, 10:22:06 am
Using Zentyal, unless you want to implement something that has not been taken into account, you are not supposed to edit/modify conf files manually.

At least, if you want to modify conf files, do it in /usr/share/zentyal/stubs  8)

So you do confirm that:

- filter profile: you have defined at least one profile with the antivirus check box enabled
- access rules: the decision is set to "apply filter profile" pointing to the one having antivirus enabled
- there is no other access rule  ;)

and it still doesn't work?
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 18, 2013, 10:31:22 am
Just removed the other access rule as shown in the previous screenshot and gave it a restart.... let's see what happens :). So in this case, if I need to create other access rules, is there a solution to the problem please? Thanks
Title: Re: EICAR virus test not working
Post by: christian on April 18, 2013, 10:34:16 am
The problem is that if one access rule without filtering applies, then there is no filtering...  ::)
So you can have multiple access rules, but be cautious so that it does fit your requirements, that's it.
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 18, 2013, 10:37:54 am
Clicking on the virus test files.... they go through without any blocking :(... I don't know what else to test hehhh, I am tired of thinking lol
Title: Re: EICAR virus test not working
Post by: christian on April 18, 2013, 10:39:53 am
Clicking on the virus test files....they go through without any blocking

from the cache ?
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 18, 2013, 10:49:49 am
Removed cache files, temp files, DNS cache, but still no luck. Next.... try a different browser and see what happens
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 18, 2013, 11:00:15 am
Still no luck with a different browser. I don't know what else I am going to test. As far as I am concerned, I have configured everything correctly. Now either I missed something or I don't know..... It worked for you Christian, so it's surely not a bug :S
Title: Re: EICAR virus test not working
Post by: christian on April 18, 2013, 11:02:46 am
I don't know why, but I'm never facing a lot of bugs  :-[ perhaps because I'm not using advanced features  ;)
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 18, 2013, 11:04:22 am
Yep, could be.... I will keep looking for a solution, and until then pray to God that something appears
Title: Re: EICAR virus test not working
Post by: mat1_8 on April 18, 2013, 11:43:26 am
OK, the problem got solved.... you know how? Well, basically I have connected the virtual machine in bridged mode instead of NAT mode. The reason being that in NAT mode, the connection was passing through my physical machine's antivirus and therefore it was cleaning the virus before it entered the virtual machine. Strangely enough, I even disabled the antivirus before changing the connection to bridged mode and still it did not work. Hehhh, fighting with this problem and it was damn simple...
Title: Re: [SOLVED] EICAR virus test not working
Post by: christian on April 18, 2013, 11:46:30 am
Good!
As written above, VM is....  :-X
well, this is sometimes the right solution... once everything else is under control.

At least it works (I was not expecting anything else)