HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.

All times are UTC + 2 hours [ DST ]




 Post subject: HAVP and big download
Posted: 16 Mar 2007 16:47

Joined: 16 Mar 2007 16:27
Posts: 9
Hi,

I set up HAVP filtering for my company some months ago, and we have some strange results while downloading big files (usually more than 100Mb).
The size of the downloaded file is not the right one, so the file is damaged and unusable. A really strange thing is that this size changes depending on the browser!
Example : source file 250MB
With Internet Explorer : 245MB
With Firefox : 239MB

The only error on logs are :
16/03/2007 10:00:52 127.0.0.1 GET 200 http://xxxxx/yyyy.exe 277+248975048 VIRUS ClamAV: Broken.Executable

Has someone already solved this issue?

Version used :
HAVP 0.84
Clamav : 0.90
Running on Linux Slackware.

Marc.


 Post subject:
Posted: 16 Mar 2007 20:25
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
Are you using clamd or clamlib? For some reason you have DetectBrokenExecutables enabled. It is not on by default.

If it's enabled and the downloaded file is bigger than MAXSCANSIZE, there's a good chance it will think it's broken. Which it is, since the scanner doesn't see the rest of the file.

I guess I'll add a config option in the next version where you can ignore viruses by name, like "Oversized" and "Broken.Executable".

Cheers,
Henrik


 Post subject:
Posted: 21 Mar 2007 17:00

Joined: 16 Mar 2007 16:27
Posts: 9
Hi,

We are using clamlib. Is this option "DetectBrokenExe" for HAVP or ClamAV?
My config for HAVP is :
USER squid
GROUP squid
SERVERNUMBER 100
MAXSERVERS 250
LOG_OKS false
PORT 8010
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/fr
WHITELIST /etc/havp/whitelist
BLACKLIST /etc/havp/blacklist
MAXSCANSIZE 150000000
ENABLECLAMLIB true
CLAMMAXFILESIZE 50
ENABLECLAMD false
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false

(HAVP is a parent proxy for Squid).

According to all my tests, it seems that CLAMMAXFILESIZE is not working (not sure, but the CPU usage is quite high for a long time, and this time changes depending on the size of the download).

I will look for the unwanted option and try to compile without.

Marc.


 Post subject:
Posted: 21 Mar 2007 18:29
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
DetectBrokenExecutables is in clamd.conf.

Are you using packaged ClamAV or your own compile? It's possible that some package has it enabled by default.

Also your MAXSCANSIZE is way too big. I would set it at 5000000. It serves no purpose to scan some huge zips or isos completely..
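
A triage sketch for the situation discussed above, added here as an example and not part of the thread or of HAVP: it reads MAXSCANSIZE from a HAVP config and marks each Broken.Executable log hit as scanned on a truncated or a complete body. It assumes the `277+248975048` log field is header bytes plus body bytes; the function names and the second and third sample log lines are constructed.

```python
import re

# First log line and the config values are quoted from the thread; the other two
# log lines are constructed for contrast.
SAMPLE_CONFIG = "MAXSCANSIZE 150000000\nENABLECLAMLIB true\nCLAMMAXFILESIZE 50\n"
SAMPLE_LOG = """\
16/03/2007 10:00:52 127.0.0.1 GET 200 http://xxxxx/yyyy.exe 277+248975048 VIRUS ClamAV: Broken.Executable
16/03/2007 10:02:10 127.0.0.1 GET 200 http://xxxxx/small.exe 301+48211 VIRUS ClamAV: Broken.Executable
16/03/2007 10:03:44 127.0.0.1 GET 200 http://xxxxx/zzzz.zip 290+1024 VIRUS ClamAV: Constructed.Test.Name
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) (?P<code>\d{3}) "
    r"(?P<url>\S+) (?P<hdr>\d+)\+(?P<body>\d+) (?P<status>\S+)"
    r"(?: (?P<scanner>[^:]+): (?P<name>.+))?$"
)

def parse_config(text):
    """Parse 'KEY value' lines, ignoring blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def triage(log_text, max_scan_size):
    """Classify Broken.Executable hits by whether the scanner saw the whole body."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "VIRUS" or m["name"] != "Broken.Executable":
            continue
        body = int(m["body"])  # assumption: the number after '+' is body bytes
        # A body larger than MAXSCANSIZE means the scanner only saw a prefix.
        verdict = "truncated-scan" if body > max_scan_size else "full-scan"
        results.append((m["url"], body, verdict))
    return results

if __name__ == "__main__":
    limit = int(parse_config(SAMPLE_CONFIG)["MAXSCANSIZE"])
    for url, body, verdict in triage(SAMPLE_LOG, limit):
        print(f"{verdict:15} {body:>12} {url}")
```
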


 Post subject:
Posted: 22 Mar 2007 11:49

Joined: 16 Mar 2007 16:27
Posts: 9
ClamAV is always compiled on our systems to fit the Slackware installation way (I built a package to deploy on several servers).
According to the man page, DetectBrokenExe is set to NO by default... I will add the entry in clamd.conf to force the value.
I will also reduce MAXSCANSIZE to 50MB (the size was because of 1 big exe file seen a few weeks ago which included a virus).

Marc.


 Post subject:
Posted: 22 Mar 2007 13:59

Joined: 16 Mar 2007 16:27
Posts: 9
Hi,

I think the problem is solved... don't know why in detail, but I've upgraded everything (HAVP to 0.85 and ClamAV to 0.90.1)...

Will put this on production servers to check with real traffic (and not only me).

While compiling I saw that all "configure" options are not used as they should be, so installation is not made in the expected directory. I will update the configure script to correct this. Where should I put the updated version so you can have a look at it? I will also include a feature to use a make install DESTDIR=xxx as it's needed to have a good Slackware package (at least).

Marc.


 Post subject:
Posted: 22 Mar 2007 19:01
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
marc78 wrote:
While compiling I saw that all "configure" options are not used as they should be, so installation is not made in the expected directory. I will update the configure script to correct this. Where should I put the updated version so you can have a look at it? I will also include a feature to use a make install DESTDIR=xxx as it's needed to have a good Slackware package (at least).


It's already fixed..

http://havp.hege.li/download/havp-0.86pre.tar.gz


 Post subject:
Posted: 26 Mar 2007 12:19

Joined: 16 Mar 2007 16:27
Posts: 9
Hum... very strange: I made some updates last Friday to solve the problem. During all the day everything worked fine, and since this morning I've got exactly the same problem of "Broken Executable"!

Using clamscan doesn't show the same error, so I don't know if it's a HAVP or ClamAV problem...

Is there a way to bypass this (without removing HAVP from the proxies)?

Marc.


 Post subject:
Posted: 26 Mar 2007 14:56
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
I can only think of one reason. Maybe you have some old clamav.h hanging around when compiling HAVP.

find / -name clamav.h

And remember to rm -f libclamav.* before installing ClamAV.

Anyways, if you don't want to find out the real cause, then download 0.86pre (I just updated it), it has IGNOREVIRUS and/or CLAMDETECTBROKEN settings which you can use.

