I'm running HAVP as a parent proxy for our squid:
>egrep -v '^#|^$|false$' /etc/havp/havp.config
SERVERNUMBER 40
MAXSERVERS 150
LOGLEVEL 1
SCANTEMPFILE /cache/havp/havp-XXXXXX
PARENTPROXY 127.0.0.1
PARENTPORT 6868
PORT 7979
BIND_ADDRESS 127.0.0.1
TEMPLATEPATH /etc/havp/templates/interhyp
WHITELIST /etc/havp/whitelist
STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
ENABLECLAMLIB true
Unfortunately, this one request slips through:
15/05/2010 14:31:00 127.0.0.1 GET 200 http://www.freihaus-brenner.de/ 343+10284 OK
Whereas:
>wget -O/tmp/virus.txt http://www.freihaus-brenner.de/ ; clamscan -v /tmp/virus.txt
--2010-05-15 14:36:31--  http://www.freihaus-brenner.de/
Connecting to 127.0.0.1:7979... connected.
Proxy request sent, awaiting response... 200 OK
Length: 10284 (10K) [text/html]
Saving to: `/tmp/virus.txt'
100%[===================================================================================================================================================================================================>] 10,284 --.-K/s in 0s
2010-05-15 14:36:31 (161 MB/s) - `/tmp/virus.txt' saved [10284/10284]
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
Scanning /tmp/virus.txt
/tmp/virus.txt: JS.Agent-64 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 772662
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.50:1)
Time: 2.143 sec (0 m 2 s)
One thing I noted:
>tail /var/log/havp/error.log
15/05/2010 14:12:56 === Starting HAVP Version: 0.91
15/05/2010 14:12:56 Running as user: havp, group: havp
15/05/2010 14:12:56 Use parent proxy: 127.0.0.1:6868
15/05/2010 14:12:56 --- Initializing ClamAV Library Scanner
15/05/2010 14:12:56 ClamAV: Using database directory: /var/clamav
15/05/2010 14:12:57 ClamAV: Loaded 769919 signatures (engine 0.95.3)
15/05/2010 14:12:57 ClamAV Library Scanner passed EICAR virus test (Eicar-Test-Signature)
15/05/2010 14:12:57 --- All scanners initialized
15/05/2010 14:12:57 Process ID: 28840
The number of available virus signatures seems to differ - I don't know if that is of any relevance.
Can anyone help me debug why this malware isn't caught?
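One way to check the signature-count discrepancy noted at the end of the post, as an added example (not code from the post, from HAVP or from ClamAV): it parses the two outputs shown above and reports whether the running proxy's in-memory signature set is behind what a fresh clamscan sees. The log lines below are constructed to mirror the post.

```python
import re

# Constructed sample input mirroring the post: the relevant lines of HAVP's
# error.log (what the proxy loaded at start-up) and the summary of a clamscan
# run later on the same host.
HAVP_ERROR_LOG = """\
15/05/2010 14:12:56 === Starting HAVP Version: 0.91
15/05/2010 14:12:56 ClamAV: Using database directory: /var/clamav
15/05/2010 14:12:57 ClamAV: Loaded 769919 signatures (engine 0.95.3)
15/05/2010 14:12:57 --- All scanners initialized
"""
CLAMSCAN_SUMMARY = """\
----------- SCAN SUMMARY -----------
Known viruses: 772662
Engine version: 0.95.3
"""

HAVP_RE = re.compile(r"ClamAV: Loaded (\d+) signatures \(engine ([\d.]+)\)")
CLAM_RE = re.compile(r"^Known viruses: (\d+)$", re.M)
ENGINE_RE = re.compile(r"^Engine version: ([\d.]+)$", re.M)


def havp_loaded(log):
    """Return (signature_count, engine) from the most recent HAVP start-up."""
    matches = HAVP_RE.findall(log)
    if not matches:
        raise ValueError("no 'ClamAV: Loaded' line found in HAVP error.log")
    count, engine = matches[-1]  # the last start-up entry is the live one
    return int(count), engine


def clamscan_known(summary):
    """Return (signature_count, engine) from a clamscan SCAN SUMMARY."""
    count, engine = CLAM_RE.search(summary), ENGINE_RE.search(summary)
    if not count or not engine:
        raise ValueError("incomplete clamscan summary")
    return int(count.group(1)), engine.group(1)


def compare(log, summary):
    """Flag a proxy whose loaded signature set is smaller than clamscan's.
    A gap can mean HAVP loaded the database before a freshclam update and has
    not reloaded yet, or that clamscan reads a different database directory
    than the one HAVP logged (assumption: both should agree on one DB)."""
    h_count, h_engine = havp_loaded(log)
    c_count, c_engine = clamscan_known(summary)
    return {"havp_signatures": h_count, "clamscan_signatures": c_count,
            "missing_in_proxy": c_count - h_count,
            "same_engine": h_engine == c_engine,
            "proxy_stale": c_count > h_count}
```

Run it against the real files with `compare(open("/var/log/havp/error.log").read(), clamscan_output)`; a positive `missing_in_proxy` is the first thing to rule out before looking at whitelist or scanning-path problems.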