HTTP Anti-Virus Proxy
http://havp.hege.li/forum/

HAVP and big download
http://havp.hege.li/forum/viewtopic.php?f=3&t=220

Author:  marc78 [ 16 Mar 2007 16:47 ]
Post subject:  HAVP and big download

Hi,

I set up HAVP filtering for my company some months ago, and we have some strange results while downloading big files (usually more than 100Mb).
The size of the downloaded file is not the right one, so the file is damaged and unusable. A really strange thing is that this size changes depending on the browser!
Example: source file 250MB
With Internet Explorer: 245MB
With Firefox: 239MB

The only errors in the logs are:
16/03/2007 10:00:52 127.0.0.1 GET 200 http://xxxxx/yyyy.exe 277+248975048 VIRUS ClamAV: Broken.Executable

Has someone already solved this issue?

Versions used:
HAVP 0.84
ClamAV: 0.90
Running on Linux Slackware.

Marc.

Author:  hege [ 16 Mar 2007 20:25 ]
Post subject: 

Are you using clamd or clamlib? For some reason you have DetectBrokenExecutables enabled. It is not on by default.

If it's enabled and downloaded file is bigger than MAXSCANSIZE, there's a good chance it will think it's broken. Which it is, since scanner doesn't see the rest of the file..

I guess I'll do a config option to next version where you can ignore viruses by name, like "Oversized" and "Broken.Executable"..

Cheers,
Henrik

Author:  marc78 [ 21 Mar 2007 17:00 ]
Post subject: 

Hi,

We are using clamlib. Is this option "DetectBrokenExe" for HAVP or ClamAV?
My config for HAVP is:
USER squid
GROUP squid
SERVERNUMBER 100
MAXSERVERS 250
LOG_OKS false
PORT 8010
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/fr
WHITELIST /etc/havp/whitelist
BLACKLIST /etc/havp/blacklist
MAXSCANSIZE 150000000
ENABLECLAMLIB true
CLAMMAXFILESIZE 50
ENABLECLAMD false
ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false

(HAVP is a parent proxy for Squid).

According to all my tests, it seems that CLAMMAXFILESIZE is not working (not sure, but the CPU usage is quite high for a long time, and this time changes depending on the size of the download).

I will look for the unwanted option and try to compile without.

Marc.

Author:  hege [ 21 Mar 2007 18:29 ]
Post subject: 

DetectBrokenExecutables is in clamd.conf.

Are you using packaged ClamAV or own compile? It's possible that some package has it enabled by default..

Also your MAXSCANSIZE is way too big. I would set it at 5000000. It serves no purpose to scan some huge zips or isos completely..
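
A way to triage log lines like the one quoted at the top of the thread against the MAXSCANSIZE in effect, as an added example that is not part of the original posts or of HAVP. It assumes the second number in the `N+M` log field is the response body size in bytes; the function names and all sample lines except the first are constructed for illustration.

```python
import re

# Field layout inferred from the one log line quoted in this thread (an assumption):
# date time client method status url N+M verdict scanner: name
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<status>\d{3}) (?P<url>\S+) (?P<n>\d+)\+(?P<m>\d+) "
    r"(?P<verdict>\S+)(?: (?P<scanner>[^:]+): (?P<name>.+))?$"
)

# First line is the one from the thread; the rest are constructed samples.
SAMPLE_LOG = [
    "16/03/2007 10:00:52 127.0.0.1 GET 200 http://xxxxx/yyyy.exe 277+248975048 VIRUS ClamAV: Broken.Executable",
    "16/03/2007 10:05:11 127.0.0.1 GET 200 http://example.test/small.exe 301+482133 VIRUS ClamAV: Broken.Executable",
    "16/03/2007 10:07:40 127.0.0.1 GET 200 http://example.test/mid.exe 290+60000000 VIRUS ClamAV: Broken.Executable",
    "16/03/2007 10:09:02 127.0.0.1 GET 200 http://example.test/big.zip 295+200000000 VIRUS ClamAV: Constructed.Sample.Name",
]


def parse_line(line):
    """Split one log line into fields; return None if it does not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    rec = match.groupdict()
    rec["body_bytes"] = int(rec["m"])  # assumption: M is the response body size
    return rec


def classify(rec, max_scan_size):
    """Label a parsed line given the MAXSCANSIZE in effect (bytes)."""
    if rec["verdict"] != "VIRUS":
        return "no-detection"
    if rec["name"] == "Broken.Executable" and rec["body_bytes"] > max_scan_size:
        # Scanner saw only the first max_scan_size bytes; the rest went unscanned.
        return "partial-scan"
    return "investigate"


def triage(lines, max_scan_size):
    """Return (url, label) for every line; unparsable lines are kept visible."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            results.append((line, "unparsed"))
        else:
            results.append((rec["url"], classify(rec, max_scan_size)))
    return results
```

Calling `triage(SAMPLE_LOG, 150000000)` with the MAXSCANSIZE from the posted config labels only the thread's 248975048-byte download as `partial-scan`; with 5000000 the constructed 60000000-byte sample gets the same label. A `Broken.Executable` flag on a file smaller than the limit is not explained by truncation and stays at `investigate`.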

Author:  marc78 [ 22 Mar 2007 11:49 ]
Post subject: 

ClamAV is always compiled on our systems to fit the Slackware installation way (I built a package to deploy on several servers).
According to the man page, DetectBrokenExe is set to NO by default... I will add the entry in clamd.conf to force the value.
I will also reduce MAXSCANSIZE to 50MB (the size was because of 1 big exe file seen a few weeks ago which included a virus).

Marc.

Author:  marc78 [ 22 Mar 2007 13:59 ]
Post subject: 

Hi,

I think the problem is solved... don't know why in detail, but I've upgraded everything (HAVP to 0.85 and ClamAV to 0.90.1)...

Will put this on production servers to check with real traffic (and not only me).

While compiling I saw that all "configure" options are not used as they should, so installation is not made in the expected directory. I will update the configure script to correct this. Where should I put the updated version so you can have a look at it? I will also include a feature to use a make install DESTDIR=xxx as it's needed to have a good Slackware package (at least).

Marc.

Author:  hege [ 22 Mar 2007 19:01 ]
Post subject: 

marc78 wrote:
While compiling I saw that all "configure" options are not used as they should, so installation is not made in the expected directory. I will update the configure script to correct this. Where should I put the updated version so you can have a look at it? I will also include a feature to use a make install DESTDIR=xxx as it's needed to have a good Slackware package (at least).


It's already fixed..

http://havp.hege.li/download/havp-0.86pre.tar.gz

Author:  marc78 [ 26 Mar 2007 12:19 ]
Post subject: 

Hum... very strange: I made some updates last Friday to solve the problem. During the whole day everything worked fine, and since this morning I've got exactly the same problem of "Broken Executable"!

Using clamscan doesn't show the same error, so I don't know if it's a HAVP or ClamAV problem...

Is there a way to bypass this (without removing HAVP from the proxies)?

Marc.

Author:  hege [ 26 Mar 2007 14:56 ]
Post subject: 

I can only think of one reason. Maybe you have some old clamav.h hanging around when compiling HAVP.

find / -name clamav.h

And remember to rm -f libclamav.* before installing ClamAV.

Anyways, if you don't want to find out the real cause, then download 0.86pre (I just updated it), it has IGNOREVIRUS and/or CLAMDETECTBROKEN settings which you can use.

All times are UTC + 2 hours [ DST ]