HTTP Anti-Virus Proxy

Official HAVP Support Forum
Registration disabled, I'm tired of spambots. E-mail havp@hege.li if you have questions.
HAVP project is pretty much frozen/abandoned at this time anyway.


All times are UTC + 2 hours [ DST ]




PostPosted: 15 May 2010 15:39 

Joined: 15 May 2010 15:33
Posts: 2
I'm running HAVP as a parent proxy for our squid:

>egrep -v '^#|^$|false$' /etc/havp/havp.config
SERVERNUMBER 40
MAXSERVERS 150
LOGLEVEL 1
SCANTEMPFILE /cache/havp/havp-XXXXXX
PARENTPROXY 127.0.0.1
PARENTPORT 6868
PORT 7979
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/interhyp
WHITELIST /etc/havp/whitelist
STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
ENABLECLAMLIB true

Unfortunately, this one request slips through:

15/05/2010 14:31:00 127.0.0.1 GET 200 http://www.freihaus-brenner.de/ 343+10284 OK

Whereas:

>wget -O/tmp/virus.txt http://www.freihaus-brenner.de/ ; clamscan -v /tmp/virus.txt
--2010-05-15 14:36:31-- http://www.freihaus-brenner.de/
Connecting to 127.0.0.1:7979... connected.
Proxy request sent, awaiting response... 200 OK
Length: 10284 (10K) [text/html]
Saving to: `/tmp/virus.txt'

100%[===================================================================================================================================================================================================>] 10,284 --.-K/s in 0s

2010-05-15 14:36:31 (161 MB/s) - `/tmp/virus.txt' saved [10284/10284]

LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
Scanning /tmp/virus.txt
/tmp/virus.txt: JS.Agent-64 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 772662
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.50:1)
Time: 2.143 sec (0 m 2 s)

One thing I noted:

>tail /var/log/havp/error.log
15/05/2010 14:12:56 === Starting HAVP Version: 0.91
15/05/2010 14:12:56 Running as user: havp, group: havp
15/05/2010 14:12:56 Use parent proxy: 127.0.0.1:6868
15/05/2010 14:12:56 --- Initializing ClamAV Library Scanner
15/05/2010 14:12:56 ClamAV: Using database directory: /var/clamav
15/05/2010 14:12:57 ClamAV: Loaded 769919 signatures (engine 0.95.3)
15/05/2010 14:12:57 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
15/05/2010 14:12:57 --- All scanners initialized
15/05/2010 14:12:57 Process ID: 28840

The number of available virus signatures seems to differ - I don't know if that is of any relevance.

Can anyone help me debug why this malware isn't caught?


PostPosted: 16 May 2010 13:11 

Joined: 23 Apr 2008 09:36
Posts: 101
Is it possible that this virus was in your browser cache?
I made some tests and this is my result:
Code:
15/05/2010 18:27:17 127.0.0.1 GET 200 http://www.freihaus-brenner.de/ 237+10284 VIRUS ClamAV: JS.Agent-64

I used clamav 0.96 and havp 0.92pre1 for these tests
Quote:
The number of available virus signatures seems to differ - I don't know if that is of any relevance.

This is correct, but I can't say why! This is a question which hege could answer (I hope).


PostPosted: 16 May 2010 14:13 
HAVP Developer

Joined: 27 Feb 2006 18:12
Posts: 687
Location: Finland
Quote:
The number of available virus signatures seems to differ - I don't know if that is of any relevance.


Probably clamscan loads phishing sigs and HAVP doesn't. You could try clamscan --phishing-sigs=no (not sure if it's called that in 0.95.3 but see --help).


PostPosted: 16 May 2010 16:02 

Joined: 23 Apr 2008 09:36
Posts: 101
No, I don't use phishing signatures. There is really a difference:
Code:
16/05/2010 14:55:23 === Starting HAVP Version: 0.91
16/05/2010 14:55:23 Running as user: havp, group: havp
16/05/2010 14:55:23 --- Initializing ClamAV Library Scanner
16/05/2010 14:55:23 ClamAV: Using database directory: /var/lib/clamav
16/05/2010 14:55:30 ClamAV: Loaded 771985 signatures (engine 0.96)
16/05/2010 14:55:30 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
16/05/2010 14:55:30 --- All scanners initialized

(same to havp-0.92pre1) and clamav:
Code:
./clamscan --phishing-sigs=no /root/ripmime.tar.gz
/root/ripmime.tar.gz: OK

----------- SCAN SUMMARY -----------
Known viruses: 772246
Engine version: 0.96
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.31 MB
Data read: 0.05 MB (ratio 6.67:1)
Time: 8.037 sec (0 m 8 s)


regards


PostPosted: 16 May 2010 17:34 

Joined: 15 May 2010 15:33
Posts: 2
The virus was definitely not in the browser cache, due to wget's lack of any cache. Which further debugging data do I have to provide to narrow down that problem? I have already verified that HAVP and clamscan are using the same database directory. I verified that the file really passed through HAVP (i.e. it was not in the downstream proxy's cache) by requesting it directly from HAVP.

If nobody here has any further ideas, I'd have HAVP access clamd via socket to see if this is indeed some problem with the way HAVP interacts with libclamav.


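The cross-check the thread is doing by hand (HAVP's access.log verdict versus an independent clamscan of the same response, plus the signature-count gap between the two loggers), as an added example that is not HAVP's or any poster's code. The log formats are taken from the lines quoted above; the url-to-saved-file mapping passed to find_missed is an assumption supplied by the caller, and the regex names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# HAVP access.log lines as quoted in the thread (byte pair is header+body), e.g.
#   15/05/2010 18:27:17 127.0.0.1 GET 200 http://host/ 237+10284 VIRUS ClamAV: JS.Agent-64
ACCESS_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<status>\d{3}) (?P<url>\S+) "
    r"(?P<hdr>\d+)\+(?P<body>\d+) (?P<verdict>OK|VIRUS)(?: (?P<detail>.+))?$")
# clamscan per-file lines: "/tmp/virus.txt: JS.Agent-64 FOUND" or "/root/ripmime.tar.gz: OK"
CLAMSCAN_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>.+) FOUND|OK)$")
# Signature counts: HAVP error.log "Loaded N signatures", clamscan summary "Known viruses: N"
LOADED_RE = re.compile(r"ClamAV: Loaded (\d+) signatures \(engine [\d.]+\)")
KNOWN_RE = re.compile(r"^Known viruses: (\d+)$", re.MULTILINE)

@dataclass
class AccessEntry:
    url: str
    status: int
    body_bytes: int
    verdict: str           # "OK" or "VIRUS"
    detail: Optional[str]  # e.g. "ClamAV: JS.Agent-64" on a VIRUS line, else None

def parse_access_log(text: str) -> List[AccessEntry]:
    """Parse HAVP access.log lines; lines not in the expected format are skipped."""
    out = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            out.append(AccessEntry(m["url"], int(m["status"]), int(m["body"]),
                                   m["verdict"], m["detail"]))
    return out

def parse_clamscan(text: str) -> Dict[str, Optional[str]]:
    """Map each scanned path to its signature name, or None when clamscan said OK."""
    verdicts = {}
    for line in text.splitlines():
        m = CLAMSCAN_RE.match(line.strip())
        if m:
            verdicts[m["path"]] = m["sig"]
    return verdicts

def find_missed(entries, saved: Dict[str, str], clamscan: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """URLs HAVP logged as OK whose copy fetched through the proxy (url -> saved path) clamscan flags."""
    return [(e.url, clamscan[saved[e.url]]) for e in entries
            if e.verdict == "OK" and e.url in saved and clamscan.get(saved[e.url])]

def signature_gap(havp_error_log: str, clamscan_output: str) -> Optional[int]:
    """clamscan 'Known viruses' minus HAVP's loaded count; None if either number is absent."""
    loaded, known = LOADED_RE.search(havp_error_log), KNOWN_RE.search(clamscan_output)
    return int(known.group(1)) - int(loaded.group(1)) if loaded and known else None
```

A non-empty result from find_missed is exactly the symptom reported in the first post; a non-zero signature_gap only tells you the two scanners are not seeing the same database, not which signature is missing.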
 