5. Virus scanning with SquidClamav

SquidClamav is a ClamAV antivirus redirector for Squid. It will help us filter out malicious software from web traffic.

5.1 Installation

We already covered the installation procedure of the Clam AntiVirus in a previous document, so we won't dwell on this topic now and proceed directly to the installation of SquidClamav. We will assume that ClamAV resides on the same machine as Squid, though you may wish to create a separate antivirus server, possibly serving both the cache and the mail server.

SquidClamav relies on the cURL library to download the files to scan, so we need to add the following packages first:

Then we can download, extract and compile the SquidClamav tarball:

$ tar -zxvf squidclamav-x.x.tar.gz
[...]
$ cd squidclamav-x.x
$ env LDFLAGS=-L/usr/local/lib/ CPPFLAGS=-I/usr/local/include/ ./configure
[...]
$ make
[...]
$ su
Password:
# make install
[ ... ]
# cp etc/squidclamav.conf /etc/
# touch /var/log/squidclamav.log
# chown _squid /var/log/squidclamav.log

5.2 Configuration

The configuration file is /etc/squidclamav.conf; one of the best points of SquidClamav is its ability to natively co-operate with SquidGuard (or any other redirector, specified in the squidguard directive), by calling it before any further processing of the HTTP request.

By default, SquidClamav will scan all downloaded files, but you can save system resources and improve performance by specifying a series of domains, users and clients (using the whitelist, trustuser and trustclient directives respectively) for which you want to skip both virus scanning and the call to the chained redirector. E.g.:

# Disable redirector and virus scanning for files from kernel-panic.it
whitelist     .*\.kernel-panic\.it

# Disable redirector and virus scanning for requests from a specific user
trustuser     administrator

# Disable redirector and virus scanning for requests from specific clients
trustclient   ^172\.16\.0\..*$
trustclient   ^mypc\.lan\.kernel-panic.it$

SquidClamav also allows you to disable virus scanning (but not the call to the chained redirector) based on regular expressions matching the URL string (abort directive) or the Content-Type of the response (abortcontent directive); both directives are case-insensitive. E.g.:

# Disable virus scanning for .png, .gif and .jpg images and documents from
# squid-cache.org
abort \.squid-cache\.org
abort .*\.(png|gif|jpg)$

# Disable virus scanning for images and flash videos
abortcontent ^image\/.*$
abortcontent ^video\/x-flv$

Below is a sample configuration file:

/etc/squidclamav.conf
# IP address and port of the Squid proxy
squid_ip      127.0.0.1
squid_port    3128

# Path to the log file
logfile       /var/log/squidclamav.log

# URL where to redirect a request when a virus is found. SquidClamav will
# append the original URL, virus name, source IP and user the to this URL
redirect      http://www.kernel-panic.it/viruswarn.php

# Disable virus scanning if the requested file hits squid cache
trust_cache   1

# Timeout when downloading files
timeout       60

# Set this to '1' for more verbose logging
debug         0

# Set this to '1' to force virus scan of URLs whose content-type can't be
# determined by libcurl
force         1

# Set this to '1' to show time statistics of URL processing
stat          0

# Don't follow more than 10 redirects
maxredir      10

# Uncomment to disable virus scanning for files bigger than the specified
# size (in bytes)
# maxsize      2000000

# Uncomment to make cURL pretend to be Internet Explorer
#useragent     Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

# IP address and port of the clamd daemon; you can specify up to 5
# (comma-separated) IPs for failover
clamd_ip      127.0.0.1
clamd_port    3310
# Uncomment if you're using the unix socket to communicate with clamd
#clamd_local   /tmp/clamd

# Check rules
abort         ^.*\.(ico|gif|png|jpg)$
abortcontent  ^image\/.*$
abort         ^.*\.(css|xml|xsl|js|html|jsp)$
abortcontent  ^text\/.*$
abortcontent  ^application\/x-javascript$
abortcontent  ^video\/mp4$
abortcontent  ^video\/x-flv$
abort         ^.*\.(pdf|swf)$
whitelist     .*\.kernel-panic\.it

# Call another redirector (usually squidGuard) before the antivirus scanner
squidguard    /usr/local/bin/squidGuard

Now we only have to modify the value of the url_rewrite_program parameter in Squid's configuration file:

/etc/squid/squid.conf
url_rewrite_program  /usr/local/bin/squidclamav

and reload Squid.

# squid -k reconfigure

Note: to scan a file, SquidClamav needs to download it first; so make sure your Squid ACLs allow localhost to access the web:

/etc/squid/squid.conf
http_access allow localhost

You can check that everything is working fine by trying to download the Eicar anti-virus test file. In the log file, you should get something like:

/var/log/squidclamav.log
[...]
Fri May 15 19:26:49 2009 [29028] DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
Fri May 15 19:26:49 2009 [29028] LOG Redirecting URL to: http://www.kernel-panic.it/viruswarn.php?
url=http://www.eicar.org/download/eicar.com.txt&source=192.168.1.14/-&user=-&virus=stream:+
Eicar-Test-Signature+FOUND
Fri May 15 19:26:49 2009 [29028] DEBUG End reading clamd scan result.
Fri May 15 19:26:49 2009 [29028] DEBUG Virus found send redirection to Squid.