HTTP Anti-Virus Proxy
http://havp.hege.li/forum/

Putting a "?" at end of URL to pass the scan.
http://havp.hege.li/forum/viewtopic.php?f=3&t=395
Page 1 of 1

Author:  renanas [ 04 Nov 2008 13:46 ]
Post subject:  Putting a "?" at end of URL to pass the scan.

Hello,

I noticed that the trick of putting a question mark "?" at the end of the URL works with HAVP. This is a regex trick to cheat some proxies.

When you have a blocked file like "http://www.eicar.org/download/eicar_com.zip" and put the "?" at the end, "http://www.eicar.org/download/eicar_com.zip?", you are allowed to download the file.

I'm running the latest version of HAVP with libclam support. I tried to put some regex code in the blacklist to block that trick, but it didn't work.

Anyone know how to proceed?

Renan.

Author:  Severus [ 04 Nov 2008 15:10 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

Hi renanas,

sorry, but I can't confirm this bug:

04/11/2008 13:03:53 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.com? 268+68 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test
04/11/2008 13:04:44 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.cab? 252+150 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test

regards Severus

Author:  renanas [ 04 Nov 2008 16:12 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

Ok,

This is my situation:

users -> squid -> havp -> web

havp.config
Code:
USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp/havp.pid
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
USESYSLOG true
SYSLOGNAME havp
SYSLOGFACILITY daemon
SYSLOGLEVEL info
LOG_OKS false
PORT 8081
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/br
ENABLECLAMLIB true


whitelist
Code:
# Whitelist clamav download
*sourceforge.net/*clamav-*
# Whitelist Windowsupdate, so RANGE is allowed too
*.microsoft.com/*
*.windowsupdate.com/*


blacklist is empty.

squid.conf (havp line only)
Code:
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default


Any idea?

Author:  Severus [ 04 Nov 2008 21:19 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

Hi,

what about your scanning limits in havp.conf and clamd.conf ?

Regards Severus

Author:  fischerm [ 04 Nov 2008 21:40 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

Hi!

Havp version?
Clamav version?
Scanning options?

Regards

Matthias

Hm...only second place... :cry:

Author:  renanas [ 04 Nov 2008 22:09 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

Quote:
Havp version?
Clamav version?
Scanning options?


Havp 0.89
Clamav 0.92

Just using default libclamav with default setting.

Quote:
what about your scanning limits in havp.conf and clamd.conf ?


Default settings too.

Here's my entire config:

Code:
USER havp
GROUP havp
DAEMON true
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 8
MAXSERVERS 100
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
USESYSLOG true
SYSLOGNAME havp
SYSLOGFACILITY daemon
SYSLOGLEVEL info
LOG_OKS false
LOGLEVEL 0
SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
TEMPDIR /var/tmp
DBRELOAD 60
TRANSPARENT false
Default: NONE
PARENTPROXY localhost
PARENTPORT 3128
FORWARDED_IP false
X_FORWARDED_FOR false
PORT 8081
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/br
WHITELISTFIRST true
WHITELIST /etc/havp/whitelist
BLACKLIST /etc/havp/blacklist
FAILSCANERROR true
SCANNERTIMEOUT 10
RANGE false
SCANIMAGES true
MAXSCANSIZE 5000000
KEEPBACKBUFFER 200000
KEEPBACKTIME 5
Default:
TRICKLING 30
TRICKLINGBYTES 1
MAXDOWNLOADSIZE 0
STREAMSCANSIZE 20000
DISABLELOCKINGFOR ClamAV:BinHex ClamAV:PDF ClamAV:ZIP
ENABLECLAMLIB true
CLAMDBDIR /path/to/directory
CLAMBLOCKBROKEN false
CLAMBLOCKENCRYPTED false
CLAMBLOCKMAX false
CLAMMAXSCANSIZE 20
CLAMMAXFILES 50
CLAMMAXFILESIZE 100
CLAMMAXRECURSION 8
CLAMMAXRATIO 250

Author:  renanas [ 04 Nov 2008 22:17 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

Severus wrote:
Hi renanas,

sorry, but I can't confirm this bug:

04/11/2008 13:03:53 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.com? 268+68 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test
04/11/2008 13:04:44 127.0.0.1 GET 200 http://meineipadresse.de/testvirus/eicar.cab? 252+150 VIRUS ClamAV: Eicar-Test-Signature, F-Prot: EICAR_Test_File, AVG: EICAR_Test

regards Severus


Could you send me your config file?

Author:  hege [ 04 Nov 2008 22:30 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

There's absolutely nothing in HAVP or ClamAV that uses the filename or URL for any purpose. It's the incoming data that matters.

Please show some HAVP logs to prove that both cases are even processed by HAVP!

Most likely there's some caching or bad configuration in Squid to prevent the other request even getting to HAVP.

Author:  Severus [ 04 Nov 2008 22:37 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

Hi renanas,

renanas wrote:
Clamav 0.92


Your clamav is pretty old. I remember there have been some issues with eicar in 0.92 and 0.93.
You should first update to 0.94.1

Regards Severus

Author:  renanas [ 04 Nov 2008 22:56 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

hege wrote:
There's absolutely nothing in HAVP or ClamAV that uses the filename or URL for any purpose. It's the incoming data that matters.

Please show some HAVP logs to prove that both cases are even processed by HAVP!

Most likely there's some caching or bad configuration in Squid to prevent the other request even getting to HAVP.


Just got it. It's something in the "USER -> SQUID -> HAVP -> WEB" environment.

I tested the access with HAVP only (USER -> HAVP -> WEB) and the scan blocks even if I use "?" at the end of the URL.

Now I have to find the SQUID failure.

Regards,
Renan.

Author:  renanas [ 07 Nov 2008 16:56 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

versions:
squid-2.6.STABLE6-5.el5_1.3
havp-0.89-2.itflex
clamav-0.94.1-1.el5.rf
clamav-devel-0.94.1-1.el5.rf
clamav-db-0.94.1-1.el5.rf

squid.conf
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default


USER -> HAVP
/var/log/havp/access.log
07/11/2008 11:29:01 10.0.2.10 GET 200 http://www.eicar.org/download/eicarcom2.zip 403+308 VIRUS ClamAV: Eicar-Test-Signature - BLOCK
07/11/2008 11:29:05 10.0.2.10 GET 200 http://www.eicar.org/download/eicarcom2.zip? 403+308 VIRUS ClamAV: Eicar-Test-Signature - BLOCK

USER -> SQUID -> HAVP
/var/log/squid/access.log
1226065469.573 1292 10.0.2.10 TCP_MISS/200 1022 GET http://www.eicar.org/download/eicarcom2.zip - DEFAULT_PARENT/localhost text/html - PASS TO HAVP...

/var/log/havp/access.log
07/11/2008 11:50:26 127.0.0.1 GET 200 http://www.eicar.org/download/eicarcom2.zip 365+308 VIRUS ClamAV: Eicar-Test-Signature - BLOCK

But, now with "?"
/var/log/squid/access.log
1226065489.665 1381 10.0.2.10 TCP_MISS/200 782 GET http://www.eicar.org/download/eicarcom2.zip? - DIRECT/88.198.38.136 application/zip - NOT PASS TO HAVP

and the virus download starts.

Looking at the access.log of squid, DIRECT/88.198.38.136

What do I need to configure on squid to pass URLs ending with "?" to the havp scan?

Author:  OlivierW [ 29 Mar 2009 01:32 ]
Post subject:  Re: Putting a "?" at end of URL to pass the scan.

Hello renanas,

My answer is certainly very late... anyway, it may help other people.

In squid.conf, you have:
Code:
#  TAG: hierarchy_stoplist
#       A list of words which, if found in a URL, cause the object to
#       be handled directly by this cache.  In other words, use this
#       to not query neighbor caches for certain objects.  You may
#       list this option multiple times.
#       Note: never_direct overrides this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?


Remove the question mark to get:
Code:
hierarchy_stoplist cgi-bin


Problem solved :-)
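An added example, not from this thread or from the Squid/HAVP projects: a small Python audit that parses Squid native-format access.log lines (constructed samples modelled on the ones renanas quoted), applies the plain substring rule that hierarchy_stoplist uses (assumed from the config comment "if found in a URL") to show why the "?" word sends such URLs DIRECT, and lists the fetches that never reached the HAVP cache_peer. The IP and URLs in the samples are taken from the thread; the third line is hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in Squid's native access.log format
# (time elapsed client code/status bytes method URL ident peerstatus/peerhost type).
SQUID_LOG = """\
1226065469.573 1292 10.0.2.10 TCP_MISS/200 1022 GET http://www.eicar.org/download/eicarcom2.zip - DEFAULT_PARENT/localhost text/html
1226065489.665 1381 10.0.2.10 TCP_MISS/200 782 GET http://www.eicar.org/download/eicarcom2.zip? - DIRECT/88.198.38.136 application/zip
1226065500.123 200 10.0.2.11 TCP_HIT/200 5120 GET http://example.test/cgi-bin/app?id=1 - NONE/- text/html
"""

@dataclass
class SquidEntry:
    client: str
    method: str
    url: str
    hierarchy: str   # DEFAULT_PARENT, DIRECT, NONE, ...
    peer: str        # localhost, an origin IP, or "-"

def parse_squid_line(line: str) -> Optional[SquidEntry]:
    """Parse one native-format line; returns None for lines with too few fields."""
    f = line.split()
    if len(f) < 9:
        return None
    hierarchy, _, peer = f[8].partition("/")
    return SquidEntry(client=f[2], method=f[5], url=f[6], hierarchy=hierarchy, peer=peer)

def stoplist_hit(url: str, stoplist: List[str]) -> Optional[str]:
    """Model hierarchy_stoplist (assumed substring match): first word found in url, else None."""
    for word in stoplist:
        if word in url:
            return word
    return None

def unscanned_fetches(log: str) -> List[SquidEntry]:
    """Requests Squid fetched itself (DIRECT) instead of handing to the HAVP parent."""
    entries = (parse_squid_line(line) for line in log.splitlines())
    return [e for e in entries if e and e.hierarchy == "DIRECT"]

if __name__ == "__main__":
    for e in unscanned_fetches(SQUID_LOG):
        print(f"bypassed HAVP: {e.client} {e.method} {e.url} via {e.peer}")
```

Any DIRECT entry for a client that should be scanned is the signal to check hierarchy_stoplist (and never_direct) in squid.conf.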
