versions:
squid-2.6.STABLE6-5.el5_1.3
havp-0.89-2.itflex
clamav-0.94.1-1.el5.rf
clamav-devel-0.94.1-1.el5.rf
clamav-db-0.94.1-1.el5.rf
squid.conf
cache_peer localhost parent 8081 0 no-query no-digest no-netdb-exchange default
USER -> HAVP
/var/log/havp/access.log
07/11/2008 11:29:01 10.0.2.10 GET 200
http://www.eicar.org/download/eicarcom2.zip 403+308 VIRUS ClamAV: Eicar-Test-Signature -
BLOCK07/11/2008 11:29:05 10.0.2.10 GET 200
http://www.eicar.org/download/eicarcom2.zip? 403+308 VIRUS ClamAV: Eicar-Test-Signature -
BLOCKUSER -> SQUID -> HAVP
/var/log/squid/access.log
1226065469.573 1292 10.0.2.10 TCP_MISS/200 1022 GET
http://www.eicar.org/download/eicarcom2.zip - DEFAULT_PARENT/localhost text/html -
PASS TO HAVP... /var/log/havp/access.log
07/11/2008 11:50:26 127.0.0.1 GET 200
http://www.eicar.org/download/eicarcom2.zip 365+308 VIRUS ClamAV: Eicar-Test-Signature -
BLOCKBut, now with "?"
/var/log/squid/access.log
1226065489.665 1381 10.0.2.10 TCP_MISS/200 782 GET
http://www.eicar.org/download/eicarcom2.zip? -
DIRECT/88.198.38.136 application/zip -
NOT PASS TO HAVPand starts download the virus.
Looking at the access.log of squid,
DIRECT/88.198.38.136What I need to configure on squid to pass url ended with "?" to havp scan?