Hello,

I'm very new to ClearOS, but I know a bit about networking. I looked through my log file and checked that ClamAV is updated, but I can't seem to get it working. I keep trying to download the EICAR test virus from their official site and it keeps letting me, suggesting that the anti-virus is actually not working. If you could help me troubleshoot this problem I would be thankful.

Ali T.
Thursday, July 27 2017, 09:59 PM
Responses (14)
  • Accepted Answer

    Friday, July 06 2018, 07:14 PM - #Permalink
    Nick Howitt wrote:

    Shaoxin Peng wrote:

    I am also having the same problem. I can download EICAR test files freely.

    Download to what? It should protect LAN machines if they are running the content filter and, perhaps the proxy on its own in non-transparent mode. In transparent mode the proxy cannot intercept https so clamav cannot protect you.

    I am not sure there is any protection when downloading to the server. I'll have to ask - and I've just missed my Friday call to ask.


    Thanks for the hint, Nick! I realized it's because I did not install the content filter. After installing it, antivirus works for LAN machine.
  • Accepted Answer

    Friday, July 06 2018, 06:42 PM - #Permalink
    Shaoxin Peng wrote:

    I am also having the same problem. I can download EICAR test files freely.

    Download to what? It should protect LAN machines if they are running the content filter and, perhaps the proxy on its own in non-transparent mode. In transparent mode the proxy cannot intercept https so clamav cannot protect you.

    I am not sure there is any protection when downloading to the server. I'll have to ask - and I've just missed my Friday call to ask.
  • Accepted Answer

    Friday, July 06 2018, 06:28 PM - #Permalink
    I am also having the same problem. I can download EICAR test files freely.

    The clamd service is running. Manually run clamscan can identify the virus.
  • Accepted Answer

    Friday, June 29 2018, 04:07 PM - #Permalink
    ClearOS doesn't hold back the Eicar test file. I'm going to install the proxy and then see what happens. I'll report back.
  • Accepted Answer

    Thursday, June 28 2018, 07:51 PM - #Permalink
    Marcel van Leeuwen wrote:
    So I have to set the proxy to detect the virus when downloading the test file on my MacBook.

    I don't know about that. If you download without the proxy to your MacBook with https, there is no way ClamAV can inspect the traffic. If you use http, it may or may not download. I have a feeling it does download, as the Eicar test file tripped my PC's scanner (so I assume it got through ClearOS) and I can find nothing in the ClearOS logs. I am pretty certain the proxy does scan, but I have no idea if you need the content filter as well, as I don't use either. Have a play and post back.
  • Accepted Answer

    Thursday, June 28 2018, 07:14 PM - #Permalink
    First, thank you Ben for clarifying. Also thank you Nick. I think I was a bit impatient. :o

    Going to test and experiment with ClamAV this weekend.

    I did a fast check. I downloaded this test file to my tmp directory on my server and with "clamscan" it detects the file. It also found a virus in a plugin of Plex. Not sure if this is a false positive, but this is something else to investigate. So I have to set the proxy to detect the virus when downloading the test file on my MacBook. Interesting. I think I have to do some homework this weekend.
  • Accepted Answer

    Thursday, June 28 2018, 06:18 PM - #Permalink
    I was going to chip in but was having my dinner. As far as I am aware ClamAV is a background service, but it hooks onto the proxy, e-mails and, somehow, downloads without the proxy. It can also be invoked when you request an on-demand scan, in which case clamscan is called (as on the nightly scan).

    It is not the most effective scanner in the world and takes ages to scan. For an on-demand scan I had to hack the clamscan script to exclude the images created by my security camera in order to get the scan to take a sensible time. (There is a feature request for this)

    I would also never rely on it for full protection of the network. Any PC downloading using https without a non-transparent proxy will bypass the scanner.

    Anyone is welcome to chip in as my first paragraph may be wide of the mark.
  • Accepted Answer

    Thursday, June 28 2018, 06:03 PM - #Permalink
    You can try this simple test:

    # wget http://www.eicar.org/download/eicar.com.txt
    --2018-06-28 13:59:54-- http://www.eicar.org/download/eicar.com.txt
    Resolving www.eicar.org (www.eicar.org)... 213.211.198.62
    Connecting to www.eicar.org (www.eicar.org)|213.211.198.62|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 68 [application/octet-stream]
    Saving to: ‘eicar.com.txt’

    100%[====================================================================================================>] 68 --.-K/s in 0s

    2018-06-28 13:59:54 (11.7 MB/s) - ‘eicar.com.txt’ saved [68/68]

    # clamscan eicar.com.txt
    eicar.com.txt: Eicar-Test-Signature FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 6849330
    Engine version: 0.99.3
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.00 MB (ratio 0.00:1)
    Time: 24.197 sec (0 m 24 s)


    If this works for you (which I'm almost positive it will), you should focus on your setup...


    Is your proxy in active or passive mode?
    Are you downloading from http or https?
    Do you have antimalware scanning enabled?
    Content filter policy group of the client
    Bypass/whitelist rules
    etc.
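The post above checks the engine on the server; Nick's post further down the thread makes the separate point that a LAN client on https, or behind a transparent proxy, never has its traffic seen by ClamAV at all. The script below is an added example (not code from this thread or from ClearOS) that keeps those two questions apart: stage 1 writes the public EICAR test string to a temporary file and runs the local clamscan, parsing its report the same way the output above reads; stage 2 is meant to be run from a LAN client and checks whether a download that crossed the gateway arrived byte-for-byte intact. It assumes clamscan is on PATH for stage 1, and the proxy address passed to fetch_via_gateway is a hypothetical placeholder; the sample clamscan report is the one from the post, embedded so the parser runs offline.

```python
"""Two-stage EICAR check, added as an example and not part of the forum post or of
ClearOS. Stage 1: does the local ClamAV engine flag EICAR at all?  Stage 2: did a
download through the gateway reach the client unchanged?"""
import re
import shutil
import subprocess
import tempfile
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional

# The public EICAR standard test string: an inert 68-byte text file that every
# scanner ships a signature for, which is exactly why it is the right probe.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# clamscan report taken from the post above, embedded to exercise the parser offline.
SAMPLE_CLAMSCAN_OUTPUT = """\
eicar.com.txt: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6849330
Engine version: 0.99.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 24.197 sec (0 m 24 s)
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<val>.+)$")


@dataclass
class ScanResult:
    infected: dict = field(default_factory=dict)  # path -> signature name
    summary: dict = field(default_factory=dict)   # "Infected files" -> "1", ...


def parse_clamscan(output: str) -> ScanResult:
    """Turn clamscan's text report into a ScanResult."""
    result, in_summary = ScanResult(), False
    for raw in output.splitlines():
        line = raw.strip()
        if "SCAN SUMMARY" in line:
            in_summary = True
        elif in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                result.summary[m["key"]] = m["val"]
        else:
            m = FOUND_RE.match(line)
            if m:
                result.infected[m["path"]] = m["sig"]
    return result


def engine_detects_eicar() -> Optional[bool]:
    """Stage 1: scan a freshly written EICAR file with the local clamscan.
    Returns None when clamscan is not installed on this host."""
    clamscan = shutil.which("clamscan")
    if clamscan is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        probe = Path(tmp) / "eicar.com.txt"
        probe.write_bytes(EICAR)
        proc = subprocess.run([clamscan, str(probe)], capture_output=True, text=True)
        scan = parse_clamscan(proc.stdout)
    # clamscan exits 1 when it found something; cross-check against the parsed report.
    return proc.returncode == 1 and scan.infected.get(str(probe)) == "Eicar-Test-Signature"


def payload_intact(body: bytes) -> bool:
    """Stage 2: did the bytes that reached the client equal the EICAR file?
    A gateway that blocked the download hands back a block page or nothing."""
    return body.strip() == EICAR


def fetch_via_gateway(url: str, proxy: Optional[str] = None, timeout: float = 10.0) -> bytes:
    """Download url from a LAN client. proxy="http://gateway:3128" (hypothetical
    address) forces the non-transparent proxy path; None tests the transparent path."""
    handlers = [urllib.request.ProxyHandler({"http": proxy, "https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as e:  # a 403 block page still answers the question
        return e.read()


def diagnose(engine_ok: Optional[bool], intact: bool) -> str:
    """Combine both stages into the triage the thread ends up with."""
    if engine_ok is False:
        return "engine"   # clamscan itself misses EICAR: signature/freshclam problem
    if intact:
        return "gateway"  # engine fine (or unknown) but EICAR got through: proxy/content-filter path
    return "blocked"      # the gateway path stopped it


if __name__ == "__main__":
    ok = engine_detects_eicar()
    body = fetch_via_gateway("http://www.eicar.org/download/eicar.com.txt")  # URL from the post
    print("clamscan flags EICAR:", ok, "| verdict:", diagnose(ok, payload_intact(body)))
```

Run stage 1 on the ClearOS box and stage 2 from a machine behind it; a verdict of "gateway" with the engine healthy is the situation in this thread, and the things to look at are the ones Ben lists: proxy mode, http versus https, and whether the content filter is installed for that client's policy group.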
  • Accepted Answer

    Thursday, June 28 2018, 05:40 PM - #Permalink
    I pinged a dev for help, but I'm not sure if he has time to help.
  • Accepted Answer

    Thursday, June 28 2018, 05:34 PM - #Permalink
    Here is the documentation for the Gateway antivirus.

    https://www.clearos.com/resources/documentation/clearos/content:en_us:7_ug_antivirus

    I read the documentation but I didn't find anything interesting.
  • Accepted Answer

    Thursday, June 28 2018, 05:16 PM - #Permalink
    Maybe this file is not triggering the antivirus app..

    Edit: I see ClamAV is already mentioned in the first post. Overlooked...
  • Accepted Answer

    Wednesday, June 27 2018, 06:25 PM - #Permalink
    ah, found it.

    The module name is "ClamAV" and on my system it's running.


    [root@voyager ~]# systemctl status clamd
    ● clamd.service - ClamAV daemon
    Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset: disabled)
    Active: active (running) since Wed 2018-06-27 18:15:48 CEST; 2h 4min ago
    Process: 748 ExecStart=/usr/sbin/clamd (code=exited, status=0/SUCCESS)
    Main PID: 2318 (clamd)
    CGroup: /system.slice/clamd.service
    └─2318 /usr/sbin/clamd

    Jun 27 18:15:34 voyager.xxxxxxxx.xx systemd[1]: Starting ClamAV daemon...
    Jun 27 18:15:48 voyager.xxxxxxxx.xx systemd[1]: Started ClamAV daemon.



    Why does this service have no start and stop button, and why don't I see it in the "Services" tab?
  • Accepted Answer

    Wednesday, June 27 2018, 06:17 PM - #Permalink
    Is this service running? There is no stop or start button. What is the module name of this service?
  • Accepted Answer

    David Luiz
    Wednesday, June 27 2018, 05:11 PM - #Permalink
    I'm still looking for a troubleshooting process. I need a permanent fix for it; I cannot use K7 Antivirus forever as an alternative option.