HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.


All times are UTC + 2 hours [ DST ]




Post new topic Reply to topic  [ 12 posts ] 
PostPosted: 04 Nov 2008 13:46 

Joined: 04 Nov 2008 13:28
Posts: 6
Hello,

I noticed that the trick of putting a question mark "?" at the end of a URL works with HAVP. This is a regex trick to cheat some proxies.

When you have a blocked file like "http://www.eicar.org/download/eicar_com.zip" and put a "?" at the end, "http://www.eicar.org/download/eicar_com.zip?", you are allowed to download the file.

I'm running the latest version of HAVP with libclam support. I tried to put some regex in the blacklist to block that trick, but it didn't work.

Does anyone know how to proceed?

Renan.


PostPosted: 04 Nov 2008 15:10 

Joined: 02 Feb 2008 22:24
Posts: 28
Hi renanas,

sorry, but I can't confirm this bug:

04/11/2008 13:03:53 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.com? 268+68 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test
04/11/2008 13:04:44 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.cab? 252+150 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test

regards Severus


PostPosted: 04 Nov 2008 16:12 

Joined: 04 Nov 2008 13:28
Posts: 6
Ok,

This is my situation:

users -> squid -> havp -> web

havp.config
Code:
USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp/havp.pid
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
USESYSLOG true
SYSLOGNAME havp
SYSLOGFACILITY daemon
SYSLOGLEVEL info
LOG_OKS false
PORT 8081
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/br
ENABLECLAMLIB true


whitelist
Code:
# Whitelist clamav download
*sourceforge.net/*clamav-*
# Whitelist Windowsupdate, so RANGE is allowed too
*.microsoft.com/*
*.windowsupdate.com/*


blacklist is empty.

squid.conf (havp line only)
Code:
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default


Any idea?


PostPosted: 04 Nov 2008 21:19 

Joined: 02 Feb 2008 22:24
Posts: 28
Hi,

what about your scanning limits in havp.conf and clamd.conf ?

Regards Severus


PostPosted: 04 Nov 2008 21:40 

Joined: 28 Mar 2008 10:50
Posts: 18
Hi!

Havp version?
Clamav version?
Scanning options?

Regards

Matthias

Hm...only second place... :cry:


PostPosted: 04 Nov 2008 22:09 

Joined: 04 Nov 2008 13:28
Posts: 6
Quote:
Havp version?
Clamav version?
Scanning options?


Havp 0.89
Clamav 0.92

Just using default libclamav with default setting.

Quote:
what about your scanning limits in havp.conf and clamd.conf ?


Default settings too.

Here's my entire config:

Code:
USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 8
MAXSERVERS 100
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
USESYSLOG true
SYSLOGNAME havp
SYSLOGFACILITY daemon
SYSLOGLEVEL info
LOG_OKS false
LOGLEVEL 0
SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
TEMPDIR /var/tmp
DBRELOAD 60
TRANSPARENT false
# Default: NONE
PARENTPROXY localhost
PARENTPORT 3128
FORWARDED_IP false
X_FORWARDED_FOR false
PORT 8081
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/br
WHITELISTFIRST true
WHITELIST /etc/havp/whitelist
BLACKLIST /etc/havp/blacklist
FAILSCANERROR true
SCANNERTIMEOUT 10
RANGE false
SCANIMAGES true
MAXSCANSIZE 5000000
KEEPBACKBUFFER 200000
KEEPBACKTIME 5
# Default:
TRICKLING 30
TRICKLINGBYTES 1
MAXDOWNLOADSIZE 0
STREAMSCANSIZE 20000
DISABLELOCKINGFOR ClamAV:BinHex ClamAV:PDF ClamAV:ZIP
ENABLECLAMLIB true
CLAMDBDIR /path/to/directory
CLAMBLOCKBROKEN false
CLAMBLOCKENCRYPTED false
CLAMBLOCKMAX false
CLAMMAXSCANSIZE 20
CLAMMAXFILES 50
CLAMMAXFILESIZE 100
CLAMMAXRECURSION 8
CLAMMAXRATIO 250


PostPosted: 04 Nov 2008 22:17 

Joined: 04 Nov 2008 13:28
Posts: 6
Severus wrote:
Hi renanas,

sorry, but I can't confirm this bug:

04/11/2008 13:03:53 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.com? 268+68 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test
04/11/2008 13:04:44 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.cab? 252+150 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test

regards Severus


Could you send me your config file?


PostPosted: 04 Nov 2008 22:30 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
There's absolutely nothing in HAVP or ClamAV that uses the filename or URL for any purpose. It's the incoming data that matters.

Please show some HAVP logs to prove that both cases are even processed by HAVP!

Most likely there's some caching or bad configuration in Squid to prevent the other request even getting to HAVP.


PostPosted: 04 Nov 2008 22:37 

Joined: 02 Feb 2008 22:24
Posts: 28
Hi renanas,

renanas wrote:
Clamav 0.92


Your clamav is pretty old. I remember there have been some issues with eicar in 0.92 and 0.93.
You should first update to 0.94.1

Regards Severus


PostPosted: 04 Nov 2008 22:56 

Joined: 04 Nov 2008 13:28
Posts: 6
hege wrote:
There's absolutely nothing in HAVP or ClamAV that uses the filename or URL for any purpose. It's the incoming data that matters.

Please show some HAVP logs to prove that both cases are even processed by HAVP!

Most likely there's some caching or bad configuration in Squid to prevent the other request even getting to HAVP.


Just got it. It's something with the "USER -> SQUID -> HAVP -> WEB" environment.

I tested the access with HAVP only (USER -> HAVP -> WEB) and the scan blocks even if I use "?" at the end of the URL.

Now I have to find the Squid failure.

Regards,
Renan.


PostPosted: 07 Nov 2008 16:56 

Joined: 04 Nov 2008 13:28
Posts: 6
versions:
squid-2.6.STABLE6-5.el5_1.3
havp-0.89-2.itflex
clamav-0.94.1-1.el5.rf
clamav-devel-0.94.1-1.el5.rf
clamav-db-0.94.1-1.el5.rf

squid.conf
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default


USER -> HAVP
/var/log/havp/access.log
07/11/2008 11:29:01 10.0.2.10 GET 200 http://www.eicar.org/download/eicarcom2.zip 403+308 VIRUS ClamAV: Eicar-Test-Signature - BLOCK
07/11/2008 11:29:05 10.0.2.10 GET 200 http://www.eicar.org/download/eicarcom2.zip? 403+308 VIRUS ClamAV: Eicar-Test-Signature - BLOCK

USER -> SQUID -> HAVP
/var/log/squid/access.log
1226065469.573 1292 10.0.2.10 TCP_MISS/200 1022 GET http://www.eicar.org/download/eicarcom2.zip - DEFAULT_PARENT/localhost text/html - PASS TO HAVP...

/var/log/havp/access.log
07/11/2008 11:50:26 127.0.0.1 GET 200 http://www.eicar.org/download/eicarcom2.zip 365+308 VIRUS ClamAV: Eicar-Test-Signature - BLOCK

But, now with "?"
/var/log/squid/access.log
1226065489.665 1381 10.0.2.10 TCP_MISS/200 782 GET http://www.eicar.org/download/eicarcom2.zip? - DIRECT/88.198.38.136 application/zip - NOT PASS TO HAVP

and the virus download starts.

Looking at Squid's access.log: DIRECT/88.198.38.136

What do I need to configure in Squid so that URLs ending with "?" are passed to HAVP for scanning?


PostPosted: 29 Mar 2009 01:32 

Joined: 29 Mar 2009 01:24
Posts: 1
Location: Lyon, France
Hello renanas,

My answer is certainly very late... anyway, it may help other people.

In squid.conf, you have:
Code:
#  TAG: hierarchy_stoplist
#       A list of words which, if found in a URL, cause the object to
#       be handled directly by this cache.  In other words, use this
#       to not query neighbor caches for certain objects.  You may
#       list this option multiple times.
#       Note: never_direct overrides this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?


Remove the question mark to get :
Code:
hierarchy_stoplist cgi-bin


Problem solved :-)

_________________
PC Tuning, personal homepage
O2 Graphics, web agency in Saint-Étienne, France


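Added example, not from the thread's posters, HAVP or Squid. The last post fixes the symptom by removing "?" from `hierarchy_stoplist`, but the quoted squid.conf comment already names the stronger fix: `never_direct` overrides the stoplist, so `never_direct allow all` forces every fetch through the HAVP parent and closes the "cgi-bin" hole that the pruned list still leaves open. The script models Squid's stoplist decision for the posted config, the pruned config and a `never_direct allow all` config, and audits Squid access.log lines for fetches that went DIRECT instead of to the HAVP parent, which is exactly what the poster spotted by eye. Assumptions: that `hierarchy_stoplist` is a plain substring match on the request URL (how I understand Squid 2.x implements it), the native access.log field order seen in the thread, and the URLs and log lines marked as constructed; the two access.log lines from the thread are included verbatim.

```python
"""Squid -> HAVP bypass: model the hierarchy_stoplist decision and audit
access.log for fetches that never reached the scanning parent.

Added example; not HAVP, Squid or the posters' own code. Sample URLs and log
lines are constructed except the two copied from the thread.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SquidRouting:
    """The subset of squid.conf routing options relevant to the thread."""
    hierarchy_stoplist: list = field(default_factory=list)
    never_direct_all: bool = False          # 'never_direct allow all'

    def goes_direct(self, url: str) -> bool:
        """True when Squid would skip the parent (HAVP) for this URL.

        Assumption: stoplist words are matched as plain substrings of the URL.
        """
        if self.never_direct_all:           # never_direct overrides the stoplist
            return False
        return any(word in url for word in self.hierarchy_stoplist)


THREAD_CONFIG = SquidRouting(hierarchy_stoplist=["cgi-bin", "?"])   # as posted
PRUNED_CONFIG = SquidRouting(hierarchy_stoplist=["cgi-bin"])        # fix in the last post
FORCED_CONFIG = SquidRouting(hierarchy_stoplist=["cgi-bin", "?"],
                             never_direct_all=True)                 # fail-closed

# squid.conf fragment for the fail-closed variant (cache_peer line from the thread).
FORCED_SQUID_CONF = """\
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default
# Every request must go through the HAVP parent; overrides hierarchy_stoplist.
# If HAVP is down, Squid returns an error page instead of fetching unscanned.
never_direct allow all
"""

SAMPLE_URLS = [
    "http://www.eicar.org/download/eicarcom2.zip",
    "http://www.eicar.org/download/eicarcom2.zip?",
    "http://example.invalid/cgi-bin/fetch.pl?file=tool.exe",   # constructed
]


def bypass_table(cfg: SquidRouting, urls=SAMPLE_URLS) -> dict:
    """Map each URL to True if it would bypass HAVP under cfg."""
    return {u: cfg.goes_direct(u) for u in urls}


# Squid native access.log: time elapsed client code/status bytes method URL
# ident hierarchy/peer type. Not anchored at the end, so trailing notes such
# as the poster's "PASS TO HAVP..." do not break the match.
SQUID_LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)"
)

# First two lines are from the thread; the last two are constructed.
SAMPLE_SQUID_LOG = """\
1226065469.573 1292 10.0.2.10 TCP_MISS/200 1022 GET http://www.eicar.org/download/eicarcom2.zip - DEFAULT_PARENT/localhost text/html - PASS TO HAVP...
1226065489.665 1381 10.0.2.10 TCP_MISS/200 782 GET http://www.eicar.org/download/eicarcom2.zip? - DIRECT/88.198.38.136 application/zip - NOT PASS TO HAVP
1226065501.101 12 10.0.2.11 TCP_HIT/200 1022 GET http://www.eicar.org/download/eicarcom2.zip - NONE/- text/html
1226065533.420 901 10.0.2.12 TCP_MISS/200 40960 GET http://example.invalid/cgi-bin/fetch.pl?file=tool.exe - DIRECT/192.0.2.10 application/octet-stream
"""


def unscanned_requests(log_text: str, parent_host: str = "localhost") -> list:
    """Return (client, url, hierarchy/peer) for each fetch that skipped the parent.

    Cache hits and errors (hierarchy NONE) are not fetches and are ignored;
    anything fetched from somewhere other than the HAVP parent, DIRECT above
    all, reached the client without passing through the scanner.
    """
    found = []
    for line in log_text.splitlines():
        m = SQUID_LOG_RE.match(line)
        if not m or m["hier"] == "NONE":
            continue
        via_parent = m["hier"].endswith("PARENT") and m["peer"] == parent_host
        if not via_parent:
            found.append((m["client"], m["url"], f'{m["hier"]}/{m["peer"]}'))
    return found


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("pruned", PRUNED_CONFIG),
                      ("forced", FORCED_CONFIG)):
        print(name, bypass_table(cfg))
    for client, url, via in unscanned_requests(SAMPLE_SQUID_LOG):
        print(f"UNSCANNED {client} {url} via {via}")
```

Run it to print the bypass table for each config and the unscanned fetches found in the log. Two things to take from it: the pruned list still sends any URL containing "cgi-bin" DIRECT, so the download is never scanned, and `never_direct allow all` fails closed, meaning a dead HAVP gives users an error page instead of an unscanned file, which is the behaviour you want from an AV gateway. Running `unscanned_requests` over a real access.log is a quick way to check whether your own Squid has been routing around the scanner.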