HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.
PostPosted: 09 May 2008 13:54 
HAVP Developer

ccc wrote:
/var/log/havp/access.log:
Code:
08/05/2008 19:40:43 127.0.0.1 GET 304 http://www.eicar.org/image/nav/nav_grey.gif 255+0 OK



I don't see http://www.eicar.org/download/eicar.com in the list?

Did you clear your browser cache?


PostPosted: 09 May 2008 14:34 

hege wrote:
ccc wrote:
/var/log/havp/access.log:
Code:
08/05/2008 19:40:43 127.0.0.1 GET 304 http://www.eicar.org/image/nav/nav_grey.gif 255+0 OK



I don't see http://www.eicar.org/download/eicar.com in the list?

Did you clear your browser cache?


Yep, and it still doesn't work.

/var/log/havp/access.log:
Code:
09/05/2008 13:30:06 127.0.0.1 GET 200 http://www.google.ch/ 274+2821 OK
09/05/2008 13:30:06 127.0.0.1 GET 200 http://www.google.ch/intl/en_com/images/logo_plain.png 297+7582 OK
09/05/2008 13:30:06 127.0.0.1 GET 200 http://www.google.ch/images/nav_logo3.png 297+6336 OK
09/05/2008 13:30:09 127.0.0.1 GET 200 http://www.google.ch/search? 288+5554 OK
09/05/2008 13:30:13 127.0.0.1 GET 200 http://www.eicar.org/anti_virus_test_file.htm 440+15565 OK
09/05/2008 13:30:13 127.0.0.1 GET 200 http://www.eicar.org/print.css 438+7394 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/eicar_nav.css 439+27279 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/eicar_css.css 439+13780 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/calendar.css 437+1078 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/image/nav/nav_grey.gif 438+1952 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/image/about_us/hgk_about_us.jpg 442+21260 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/image/all/1top_eicar.gif 440+6862 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/image/all/2top_eicar_logo.gif 439+3323 OK

/var/log/havp/havp.log
Code:
09/05/2008 13:00:06 === Starting HAVP Version: 0.87
09/05/2008 13:00:06 Running as user: havp, group: havp
09/05/2008 13:00:06 Use parent proxy: localhost:8088
09/05/2008 13:00:06 --- Initializing ClamAV Library Scanner
09/05/2008 13:00:06 ClamAV: Using database directory: /var/lib/clamav
09/05/2008 13:00:09 ClamAV: Loaded 278012 signatures (engine 0.92.1)
09/05/2008 13:00:09 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
09/05/2008 13:00:09 --- All scanners initialized
09/05/2008 13:00:09 Process ID: 3219


PostPosted: 09 May 2008 14:41 
HAVP Developer

ccc wrote:
hege wrote:
ccc wrote:
/var/log/havp/access.log:
Code:
08/05/2008 19:40:43 127.0.0.1 GET 304 http://www.eicar.org/image/nav/nav_grey.gif 255+0 OK



I don't see http://www.eicar.org/download/eicar.com in the list?

Did you clear your browser cache?


yep and still doesn't work.

/var/log/havp/access.log:
Code:
09/05/2008 13:30:06 127.0.0.1 GET 200 http://www.google.ch/ 274+2821 OK
09/05/2008 13:30:06 127.0.0.1 GET 200 http://www.google.ch/intl/en_com/images/logo_plain.png 297+7582 OK
09/05/2008 13:30:06 127.0.0.1 GET 200 http://www.google.ch/images/nav_logo3.png 297+6336 OK
09/05/2008 13:30:09 127.0.0.1 GET 200 http://www.google.ch/search? 288+5554 OK
09/05/2008 13:30:13 127.0.0.1 GET 200 http://www.eicar.org/anti_virus_test_file.htm 440+15565 OK
09/05/2008 13:30:13 127.0.0.1 GET 200 http://www.eicar.org/print.css 438+7394 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/eicar_nav.css 439+27279 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/eicar_css.css 439+13780 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/calendar.css 437+1078 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/image/nav/nav_grey.gif 438+1952 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/image/about_us/hgk_about_us.jpg 442+21260 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/image/all/1top_eicar.gif 440+6862 OK
09/05/2008 13:30:14 127.0.0.1 GET 200 http://www.eicar.org/image/all/2top_eicar_logo.gif 439+3323 OK



There is no eicar.com in this list. Either it's OK or it's VIRUS. It has to be in the log. Otherwise it is coming from cache somewhere.

Try this on your server box: telnet directly to the HAVP port and paste these two lines:

Code:
$ telnet localhost 8081
GET http://www.eicar.org/download/eicar.com HTTP/1.0
Host: www.eicar.org

(one empty line after Host: with enter)



Either you get eicar contents or a message from HAVP.


PostPosted: 09 May 2008 16:02 

With http://www.eicar.org/download/eicar.com.txt in the browser, it seems to work:
Code:
HAVP - Access Denied

Access to the page has been denied

because the following virus was detected


ClamAV: Eicar-Test-Signature


But if I try to download eicar_com.zip from http://www.eicar.org/download/eicar_com.zip, it still doesn't work.
How do I prevent the download of an infected zip?

BTW, using telnet I'm getting this:
Code:
# telnet localhost 8090
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
GET http://www.eicar.org/download/eicar.com HTTP/1.0
Host:

HTTP/1.0 403 Virus found by HAVP
Content-Type: text/html
Proxy-Connection: close
Connection: close

<html><head><title>HAVP - Access Denied</title><style type="text/css"><!--.style1 {     color: #00FFFF; font-weight: bold;}--></style></head><body bgcolor=#FFFFFF><table width=700 height=540 border=0 align="center" cellpadding=2 cellspacing=0><tr bgcolor="#FF6600">       <td height=100 colspan=2 align=center>  <font face=arial,helvetica size=6><strong>HAVP - Access Denied </strong></font></td></tr><tr>   <td align=center valign=bottom width=150 bgcolor=#000066>&nbsp; </td>  <td width=550 bgcolor=#FFFFFF align=center valign=center>        <font face=arial,helvetica color=black size=4>          <br>            Access to the page has been denied <br>        <br>         because the following virus was detected <br>           <br>                    <br>            <font color=red>        <b>ClamAV: Eicar-Test-Signature</b>         </font></font>      <br>            <br>    <br>        </td></tr><tr>  <td align=center valign=middle bgcolor=#000066><span class="style1"><font face=arial,helvetica size=2 >Your        Company Here </font></span> </td>  <td bgcolor=#FFFFFF align=center valign=middle><font face=arial,helvetica size=2> Powered by <a href="http://www.server-side.de" target="_blank">HAVP</a> </font> </td></tr></table></body></html>Connection closed by foreign host.


PostPosted: 09 May 2008 17:04 
HAVP Developer

Well what does the telnet say for the zip?

Does http://www.eicar.org/download/eicar.com work in browser or not?

Please be consistent.

Is your Squid caching before havp? I bet it is. That's why HAVP doesn't even see the requests. If you look at the example, it is mentioned there.


PostPosted: 09 May 2008 17:24 

hege wrote:
Well what does the telnet say for the zip?
Code:
# telnet localhost 8090
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
GET http://www.eicar.org/download/eicar_com.zip
Host:

HTTP/1.0 403 Request error by HAVP
Content-Type: text/html
Proxy-Connection: close
Connection: close

<html><head><title>HAVP - Unknown Request</title><style type="text/css"><!--.style1 {   color: #00FFFF; font-weight: bold;}--></style></head><body bgcolor=#FFFFFF><table width=700 height=540 border=0 align="center" cellpadding=2 cellspacing=0><tr bgcolor="#CCCCCC">       <td height=100 colspan=2 align=center>  <font face=arial,helvetica size=6><strong>HAVP</strong></font></td></tr><tr>    <td align=center valign=bottom width=150 bgcolor=#000066>&nbsp; </td>   <td width=550 bgcolor=#FFFFFF align=center valign=center>       <font face=arial,helvetica size=4>      HAVP<br>        <br>    <br>    The request is unknown:<br>     <font color=red>        <b>Invalid request</b>  </font> <font color=black>      <br>   </font></font><br>       <br>  </td></tr><tr>  <td align=center valign=middle bgcolor=#000066><span class="style1"><font face=arial,helvetica size=2> Your        Company Here </font></span> </td>  <td bgcolor=#FFFFFF align=center valign=middle><font face=arial,helvetica size=2> Powered by <a href="http://www.server-side.de" target="_blank">HAVP</a> </font> </td></tr></table></body></html>Connection closed by foreign host.

Quote:
Does http://www.eicar.org/download/eicar.com work in browser or not?
yep

Quote:
Is your Squid caching before havp? I bet it is. That's why HAVP doesn't even see the requests. If you look at the example, it is mentioned there.

I don't know if my Squid is caching before havp.
How do I check and change this?


PostPosted: 09 May 2008 17:28 
HAVP Developer

Quote:
I don't know if my Squid is caching before havp.
How do I check and change this?


Search squid.conf for options like "cache_dir" and "cache".

http://www.squid-cache.org/Versions/v3/3.0/cfgman/

Google some Squid Tutorials if you have no idea what your Squid is doing. You should not run software if you don't know what you want it to do.


PostPosted: 09 May 2008 17:43 

But what about this error:
Code:
# telnet localhost 8090
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
GET http://www.eicar.org/download/eicar_com.zip
Host:

HTTP/1.0 403 Request error by HAVP
Content-Type: text/html
Proxy-Connection: close
Connection: close

<html><head><title>HAVP - Unknown Request</title><style type="text/css"><!--.style1 {   color: #00FFFF; font-weight: bold;}--></style></head><body bgcolor=#FFFFFF><table width=700 height=540 border=0 align="center" cellpadding=2 cellspacing=0><tr bgcolor="#CCCCCC">       <td height=100 colspan=2 align=center>  <font face=arial,helvetica size=6><strong>HAVP</strong></font></td></tr><tr>    <td align=center valign=bottom width=150 bgcolor=#000066>&nbsp; </td>   <td width=550 bgcolor=#FFFFFF align=center valign=center>       <font face=arial,helvetica size=4>      HAVP<br>        <br>    <br>    The request is unknown:<br>     <font color=red>        <b>Invalid request</b>  </font> <font color=black>      <br>   </font></font><br>       <br>  </td></tr><tr>  <td align=center valign=middle bgcolor=#000066><span class="style1"><font face=arial,helvetica size=2> Your        Company Here </font></span> </td>  <td bgcolor=#FFFFFF align=center valign=middle><font face=arial,helvetica size=2> Powered by <a href="http://www.server-side.de" target="_blank">HAVP</a> </font> </td></tr></table></body></html>Connection closed by foreign host.

This is independent of squid.


PostPosted: 09 May 2008 17:45 
HAVP Developer

ccc wrote:
but what about this error:


Here is what you need to type; the forum messed it up a bit.

Code:
GET http://www.eicar.org/download/eicar.com HTTP/1.0
Host: www.eicar.org



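Added example (not from the thread and not HAVP's own code): a small Python script that sends exactly the two request lines hege gives above (here and in his earlier telnet post) to the HAVP port and sorts the reply into the cases shown in this thread: the "Virus found" block page, the "Invalid request" page you get when the HTTP version is left off, or content passed through unblocked. Port 8090 and the default URL come from the thread; the function names and the sample replies in the comments are my own.

```python
import re
import socket
import sys
from urllib.parse import urlsplit


def build_proxy_request(url: str) -> bytes:
    """Build exactly what hege asks you to type: an absolute URL, an explicit
    HTTP/1.0 version, a Host header and the empty line that ends the request.
    Leaving out the version (as in the zip attempt in this thread) is a
    malformed request, which is what HAVP's 'Invalid request' page reports."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("HAVP is an HTTP proxy: give it an absolute http:// URL")
    return f"GET {url} HTTP/1.0\r\nHost: {parts.hostname}\r\n\r\n".encode("ascii")


def classify_response(raw: bytes) -> str:
    """Sort a raw reply into 'blocked', 'invalid', 'passed' or 'other',
    keyed on the status lines HAVP sends (quoted verbatim in the thread)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    if "Virus found by HAVP" in status_line:
        return "blocked"
    if "Request error by HAVP" in status_line:
        return "invalid"
    fields = status_line.split()
    if len(fields) >= 2 and fields[1].isdigit() and 200 <= int(fields[1]) < 400:
        return "passed"  # content came through; for a test file this is the failure case
    return "other"


def scanner_verdicts(raw: bytes) -> list:
    """Extract the 'Scanner: Signature' entries from HAVP's block page; with
    several scanners configured they are separated by <BR> inside one <b>."""
    parts = raw.split(b"\r\n\r\n", 1)
    if len(parts) < 2:
        return []
    match = re.search(r"<b>(.*?)</b>", parts[1].decode("latin-1", "replace"), re.I | re.S)
    if not match:
        return []
    return [v.strip() for v in re.split(r"<br\s*/?>", match.group(1), flags=re.I) if v.strip()]


def probe(url: str, host: str = "localhost", port: int = 8090, timeout: float = 15.0) -> tuple:
    """Talk to HAVP's own listening port (8090 in ccc's setup, 8081 in hege's
    post) so that a Squid sitting in front of it cannot answer from its cache."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_proxy_request(url))
        chunks = []
        while True:  # HAVP replies with Connection: close, so read until EOF
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    return classify_response(raw), scanner_verdicts(raw)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.eicar.org/download/eicar.com"
    verdict, scanners = probe(target)
    print(f"{target}: {verdict} {scanners}")
```

If a test file comes back as "passed" from the HAVP port itself, the scanner is not catching it; if it only passes through the browser, something in front of HAVP (the Squid cache hege mentions) is serving it.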
PostPosted: 09 May 2008 18:11 

You asked me before what telnet says for the zip, so I gave you an answer.
It seems havp cannot handle or stop zip viruses.


PostPosted: 09 May 2008 18:24 

Hi ccc,
ccc wrote:
it seems, havp cannot handle or stop zip viruses.

that's not correct
Code:
GET http://meineipadresse.de/testvirus/eicar.zip HTTP/1.0
Host: meineipadresse.de

HTTP/1.0 403 Virus found by HAVP
Content-Type: text/html
Proxy-Connection: close
Connection: close

<html><head><title>HAVP - Zugriff verweigert</title><style type="text/css"><!--.style1 {        color: #00FFFF; font-weight: bold;}--></style></head><body bgcolor=#FFFFFF><table width=700 height=540 border=0 align="center" cellpadding=2 cellspacing=0><tr bgcolor="#FF6600">       <td height=100 colspan=2 align=center> <font face=arial,helvetica size=6><strong>HAVP - Zugriff verweigert</strong></font></td></tr><tr>        <td align=center valign=bottom width=150 bgcolor=#000066>&nbsp; </td>   <td width=550 bgcolor=#FFFFFF align=center valign=center>      <font face=arial,helvetica color=black size=4>           <br>            Der Zugriff auf die Seite wurde <br>        <br>            verweigert, weil folgender Virus gefunden wurde <br>            <br>                    <br>            <font color=red>        <b>ClamAV: Eicar-Test-Signature<BR>F-Prot: EICAR_Test_File<BR>AVG: EICAR_Test</b>           </font></font>      <br>            <br>            <br> </td></tr><tr>  <td align=center valign=middle bgcolor=#000066><span class="style1"><font face=arial,helvetica size=2 >XXXX        XXXXX XXXXXXX</font></span> </td>  <td bgcolor=#FFFFFF align=center valign=middle><font face=arial,helvetica size=2> Powered by <a href="http://www.server-side.de" target="_blank">HAVP</a> </font> </td></tr></table></body></html>Connection closed by foreign host.

You get the same result when downloading another file format, here a tar file:
Code:
GET http://meineipadresse.de/testvirus/eicar.tar HTTP/1.0
host: meineipadresse.de

HTTP/1.0 403 Virus found by HAVP
Content-Type: text/html
Proxy-Connection: close
Connection: close

Regards Severus


PostPosted: 09 May 2008 18:47 

Hi ccc,

I guess you should check which port your havp is listening on.
I don't know the commands for your Debian machine, but you may try
Code:
netstat -l -p | grep -i listen


Then you should get something like
Code:
tcp        0      0 ipcop.local:mdbs_daemon *:*                     LISTEN      17515/(squid)
tcp        0      0 *:amanda                *:*                     LISTEN      892/havp
tcp        0      0 localhost:55555         *:*                     LISTEN      740/avgscan
tcp        0      0 *:10025                 *:*                     LISTEN      1087/proxsmtpd
tcp        0      0 *:scientia-ssdb         *:*                     LISTEN      989/frox
tcp        0      0 *:8110                  *:*                     LISTEN      675/p3scan
tcp        0      0 localhost:783           *:*                     LISTEN      838/spamd -d -i 127
tcp        0      0 *:hosts2-ns             *:*                     LISTEN      399/httpd
tcp        0      0 *:domain                *:*                     LISTEN      17345/dnsmasq
tcp        0      0 *:privoxy               *:*                     LISTEN      1017/privoxy
tcp        0      0 localhost:trisoap       *:*                     LISTEN      754/fpscand
tcp        0      0 *:microsoft-ds          *:*                     LISTEN      399/httpd
tcp        0      0 *:ddm-rdb               *:*                     LISTEN      1390/monit
tcp        0      0 *:rsh-spx               *:*                     LISTEN      444/sshd
unix  2      [ ACC ]     STREAM     LISTENING     6503   725/clamd           /var/log/copfilter/default/opt/clamav/var/run/clamd.socket

If the port is shown as a service name, like amanda here, you have to look up the corresponding port number at http://gikt.labora.at/GIKT/Grundlagen/portnr.php

Regards Severus


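Added example (not Severus's code and not part of HAVP): a Python parser for the `netstat -l -p` listing above that picks out the LISTEN lines owned by the havp process and turns a service name such as amanda back into a port number through the local /etc/services, which saves the manual lookup. The sample lines are constructed from the listings posted in this thread; the function names are my own.

```python
import socket


def parse_listeners(netstat_output: str) -> list:
    """Parse `netstat -l -p` output into (pid, program, local_address, port, service)
    tuples. netstat prints well-known ports by their /etc/services name, which
    is why havp shows up as '*:amanda' in Severus's listing and '*:8090' in ccc's."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # tcp/tcp6 rows: Proto Recv-Q Send-Q Local Foreign State PID/Program
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        pid, _, program = fields[6].partition("/")
        if not pid.isdigit():
            continue  # '-' when netstat was run without root and cannot see the owner
        address, _, service = fields[3].rpartition(":")
        listeners.append((int(pid), program.strip("()"), address, resolve_port(service), service))
    return listeners


def resolve_port(service: str):
    """Numeric ports are returned as-is; names are resolved with getservbyname
    and give None when the local /etc/services does not know them."""
    if service.isdigit():
        return int(service)
    try:
        return socket.getservbyname(service, "tcp")
    except OSError:
        return None


def havp_ports(netstat_output: str) -> list:
    """The question in the thread: which port(s) is the havp process bound to?"""
    return [(pid, address, port, service) for pid, program, address, port, service
            in parse_listeners(netstat_output) if program == "havp"]


# Constructed sample: rows taken from the two listings posted in this thread.
SAMPLE = """\
tcp        0      0 *:3128                  *:*                     LISTEN     2977/(squid)
tcp        0      0 *:8090                  *:*                     LISTEN     2645/havp
tcp        0      0 *:amanda                *:*                     LISTEN      892/havp
unix  2      [ ACC ]     STREAM     LISTENING     6227     2482/clamd          /var/run/clamav/clamd.ctl
"""

if __name__ == "__main__":
    for pid, address, port, service in havp_ports(SAMPLE):
        print(f"havp pid {pid} listens on {address}:{service} (port {port})")
```

Running `netstat -lntp` (numeric, TCP only) avoids the name lookup in the first place; the parser is for listings you already have, like the ones pasted here.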
PostPosted: 09 May 2008 19:47 

Code:
# netstat -l -p | grep -i listen
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     2760/mysqld
tcp        0      0 *:pop3                  *:*                     LISTEN     2811/inetd
tcp        0      0 *:10002                 *:*                     LISTEN     3010/perl
tcp        0      0 *:ftp                   *:*                     LISTEN     2894/vsftpd
tcp        0      0 ns2.ch.bluee.net:domain *:*                     LISTEN     2440/named
tcp        0      0 localhost.locald:domain *:*                     LISTEN     2440/named
tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN     2591/cupsd
tcp        0      0 localhost.local:omniorb *:*                     LISTEN     2977/(squid)
tcp        0      0 *:3128                  *:*                     LISTEN     2977/(squid)
tcp        0      0 *:smtp                  *:*                     LISTEN     2876/master
tcp        0      0 localhost.localdoma:953 *:*                     LISTEN     2440/named
tcp        0      0 *:8090                  *:*                     LISTEN     2645/havp
tcp6       0      0 *:www                   *:*                     LISTEN     3011/apache2
tcp6       0      0 *:ssh                   *:*                     LISTEN     2890/sshd
tcp6       0      0 *:smtp                  *:*                     LISTEN     2876/master
unix  2      [ ACC ]     STREAM     LISTENING     6055     2591/cupsd          /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     7033     2876/master         public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     6074     2599/dbus-daemon    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     7040     2876/master         private/rewrite
unix  2      [ ACC ]     STREAM     LISTENING     7044     2876/master         private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     7048     2876/master         private/defer
unix  2      [ ACC ]     STREAM     LISTENING     7052     2876/master         private/trace
unix  2      [ ACC ]     STREAM     LISTENING     7056     2876/master         private/verify
unix  2      [ ACC ]     STREAM     LISTENING     7060     2876/master         public/flush
unix  2      [ ACC ]     STREAM     LISTENING     7064     2876/master         private/proxymap
unix  2      [ ACC ]     STREAM     LISTENING     7068     2876/master         private/smtp
unix  2      [ ACC ]     STREAM     LISTENING     7072     2876/master         private/relay
unix  2      [ ACC ]     STREAM     LISTENING     7076     2876/master         public/showq
unix  2      [ ACC ]     STREAM     LISTENING     7080     2876/master         private/error
unix  2      [ ACC ]     STREAM     LISTENING     7084     2876/master         private/local
unix  2      [ ACC ]     STREAM     LISTENING     7088     2876/master         private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     7092     2876/master         private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     7096     2876/master         private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     7100     2876/master         private/maildrop
unix  2      [ ACC ]     STREAM     LISTENING     7104     2876/master         private/uucp
unix  2      [ ACC ]     STREAM     LISTENING     7108     2876/master         private/ifmail
unix  2      [ ACC ]     STREAM     LISTENING     7112     2876/master         private/bsmtp
unix  2      [ ACC ]     STREAM     LISTENING     7116     2876/master         private/scalemail-backend
unix  2      [ ACC ]     STREAM     LISTENING     7120     2876/master         private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     7124     2876/master         private/scache
unix  2      [ ACC ]     STREAM     LISTENING     7128     2876/master         private/discard
unix  2      [ ACC ]     STREAM     LISTENING     6119     2612/dirmngr        /var/run/dirmngr/socket
unix  2      [ ACC ]     STREAM     LISTENING     6227     2482/clamd          /var/run/clamav/clamd.ctl
unix  2      [ ACC ]     STREAM     LISTENING     6411     2760/mysqld         /var/run/mysqld/mysqld.sock


PostPosted: 09 May 2008 20:01 

Hi Severus,

If I try to download files, my squid responds before havp.
Could you please post your squid.conf?


PostPosted: 09 May 2008 20:19 
HAVP Developer

ccc wrote:
You asked me before what telnet says for the zip, so I gave you an answer.
It seems havp cannot handle or stop zip viruses.


You didn't write what I asked you to.

