LinuxQuestions.org
Old 12-07-2005, 04:20 AM   #1
jomy
Member
 
Registered: Jul 2004
Location: UAE
Distribution: RedHat
Posts: 93

Rep: Reputation: 15
Virus Scanning through HTTP Web Traffic with Dansguardian & ClamAV


Hi,


I'm trying to scan for viruses during http web traffic and viruses that come through mail through my RHEL ES 3.

I installed Clamav from clamav-0.87.1.tar.gz. It was installed in /usr/local/etc. My mailserver is postfix. I added the necessary entries in Postfix and Mailscanner to scan for viruses through mail. It is working perfectly fine and I've no problem with that.

My problem starts when I try to scan http web traffic for viruses. Let me explain what I've done to scan for http web traffic:

I installed Dansguardian with ClamAV plugin from Dansguardian-2.9.2.0.tar.gz as my content scanner. I configured it with the command:

./configure --sysconfdir=/etc --enable-clamd=yes option.

Squid is my proxy server. Dansguardian uses port 8080 and squid is configured on port 3128. Client browsers are configured to access internet through port 8080, i.e. Client ==> DG ==> Squid ==> ISP. Up to this everything works fine. I can block certain sites, urls, extensions, mimetypes etc. through the files in /etc/dansguardian/lists. Internet browsing also works fine up to here.

Now I changed my /etc/dansguardian/dansguardian.conf to scan http web traffic for viruses. I uncommented the line:

contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'

to enable content scanning on html pages for viruses.

And in /etc/dansguardian/contentscanners/clamdscan.conf,

I changed the line,

clamdudsfile = '/var/run/clamav/clamd.sock'

to

clamdudsfile = '/tmp/clamd'

(I assume this is correct. If I don't change that I get an error.)

I restarted dansguardian and tried to access internet. But whatever pages I'm trying to access, I get the "Access Denied" message from Dansguardian with the reason:


WARNING : Could Not Perform Virus Scan !

Categories

Content Scanning


I get the following message in /var/log/messages


ScanFile/Memory returned error : -1


The result I'm looking for is to get a virus warning message when I try to execute or download a virus from HTML pages.

Waiting for your valued suggestions & solutions.

Regards,

Jomy
 
Old 12-09-2005, 06:43 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
ScanFile/Memory returned error : -1
That isn't much information to work with. Please check if you configured any and all apps involved right and if they can be run in debug mode. If that's possible it'll probably provide much more information at the expense of filling up your logs like there's no tomorrow, so keep the period running debug mode short.
 
Old 12-11-2005, 06:21 AM   #3
jomy
Member
 
Registered: Jul 2004
Location: UAE
Distribution: RedHat
Posts: 93

Original Poster
Rep: Reputation: 15
Hi,

I suspect this to be the problem with the socket. I was using Local Unix Socket /tmp/clamd and I could see the following error in /tmp/clamd.log:

ERROR Connecting to Clamd Socket

Now I'm using TCP Socket instead of Local Socket and did the following changes in clamd.conf

TCPSocket 3310
TCPAddr 127.0.0.1

Now I find difficulty in configuring /usr/local/etc/dansguardian/dansguardian/clamdscan.conf (clamdscan is my content scanner) where there is an option like this.

# Edit this to match the Location of your Local Unix Socket
# clamdudsfile = '/var/run/clamav/clamd.sock'

Since I'm using TCP Socket instead of Local Unix Socket, how can I configure my clamdscan.conf file so that it can be bound to TCPSocket 3310?

Your help is very much appreciated.

Jomy
 
Old 12-14-2005, 12:06 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
I have *no* idea. Maybe try the Dansguardian or ClamAV FAQ or mailinglist.
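
Added example, not part of any post in this thread: a small diagnostic for the socket problem described in posts #1 and #3. It compares the LocalSocket path in clamd.conf with the clamdudsfile path in DansGuardian's clamdscan.conf, then sends clamd's PING command over that Unix socket. The function names and the sample config strings are constructed for illustration.

```python
import os, re, socket, stat, sys

def read_setting(text, key):
    """Value of `key` in clamd.conf ("Key value") or a DansGuardian plugin
    file ("key = 'value'"); None when the key is absent or commented out."""
    pat = re.compile(r"^\s*%s(?:\s*=\s*|\s+)(.*)$" % re.escape(key), re.I)
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            return m.group(1).strip().strip("'\"").strip()
    return None

def ping_clamd(path, timeout=3.0):
    """Send clamd's PING command over the Unix socket; return (ok, detail)."""
    try:
        if not stat.S_ISSOCK(os.stat(path).st_mode):
            return False, "%s exists but is not a socket" % path
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            s.sendall(b"PING\n")
            reply = s.recv(64).strip()
    except OSError as e:  # missing path, permission denied, refused, timeout
        return False, "%s: %s" % (path, e.strerror or e)
    return reply == b"PONG", "reply %r" % reply

def check(clamd_conf, dg_plugin_conf):
    """Compare the two configs, probe the socket, return a list of findings."""
    findings = []
    local = read_setting(clamd_conf, "LocalSocket")
    wanted = read_setting(dg_plugin_conf, "clamdudsfile")
    if wanted is None:
        findings.append("clamdudsfile is not set in the plugin config")
    if local is None:
        findings.append("clamd.conf has no LocalSocket line")
    if local and wanted and local != wanted:
        findings.append("path mismatch: clamd %s, plugin %s" % (local, wanted))
    if wanted:
        ok, detail = ping_clamd(wanted)
        findings.append(("PING ok: " if ok else "PING failed: ") + detail)
    return findings

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <clamd.conf> <clamdscan.conf>
        confs = [open(p).read() for p in sys.argv[1:3]]
    else:  # constructed samples modelled on the settings quoted in the thread
        confs = ["TCPSocket 3310\nTCPAddr 127.0.0.1\n",
                 "# clamdudsfile = '/var/run/clamav/clamd.sock'\n"]
    print("\n".join(check(*confs)))
```

Run it under the account the DansGuardian daemon uses, so that a permission problem on the socket file shows up the same way it would for the proxy.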
 
  

