e2guardian and drweb-icapd


Евгений Васильев

Jan 18, 2019, 10:33:05 AM1/18/19
to e2guardian
Hi people!
I have some news about compatibility testing of e2guardian's icap content scanner and drweb for internet gateways (drweb-icapd).
1) You can download fresh beta of drweb for internet gateways for linux at beta.drweb.com. Click on "File Area". Next step - you can register or enter as unregistered user, next click on "unix" folder, et voila!
drweb-internet-gateways_11.1.0-1812251703~linux_amd64.run
Test key is in "key" folder
2) I've successfully installed this beta, built e2guardian from source at my PC with Debian-based distro and configured both drweb and e2guardian (ssl mitm, icap etc).
3) The only problem I see right now is that e2guardian returns page with no details on detected virus, like this: "Category: Content scanning   Virus or bad content detected. Unknown"
Can someone test it and help me to find a way to get a name of virus signature, like "eicar" instead of just "Unknown"?

FredB

Jan 18, 2019, 10:37:36 AM1/18/19
to e2gua...@googlegroups.com
Hi,

Can you try in debug mode and post the result somewhere ?


Евгений Васильев

Jan 18, 2019, 10:40:31 AM1/18/19
to e2guardian
e2guardian version 5.2.2

my icapscan.conf:
plugname = 'icapscan'

# ICAP URL
# Use hostname rather than IP address
# Always specify the port
#
icapurl = 'icap://localhost:1344/respmod'

Евгений Васильев

Jan 18, 2019, 10:44:49 AM1/18/19
to e2guardian
Yes, I can do it on Monday, pls give me info how to run e2g in debug mode


FredB

Jan 18, 2019, 1:19:14 PM1/18/19
to e2gua...@googlegroups.com
Compilation with option '--with-dgdebug=on' and running with ./e2guardian -N &> file
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Евгений Васильев

Jan 21, 2019, 9:27:55 AM1/21/19
to e2guardian
/var/log/e2guardian/debuge2 and /var/opt/drweb.com/log/icap.log zipped log files attached
debuge2.zip
icap.zip

Евгений Васильев

Jan 21, 2019, 10:42:43 AM1/21/19
to e2guardian
Previous log files were made before recompilation.
Next step I run
./configure --build=x86_64-linux-gnu --includedir=${prefix}/include --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --libexecdir=${prefix}/lib/x86_64-linux-gnu --disable-dependency-tracking --prefix=/usr/local --enable-clamav=no --enable-clamd=no --with-proxyuser=e2guardian --with-proxygroup=e2guardian --sysconfdir=/etc --localstatedir=/var --enable-icap=yes --enable-commandline=yes --enable-email=yes --enable-ntlm=yes --enable-trickledm=yes --enable-sslmitm=yes --enable-pcre=yes --enable-icap=yes --mandir=${prefix}/share/man --with-dgdebug=on
then make && make install
/usr/local/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf -N &> e2g-debug-5.log

New logs attached
e2g-debug-5.zip
icap.zip

FredB

Jan 22, 2019, 5:43:19 AM1/22/19
to e2guardian

Ok can you try this

In e2guardian.conf add debuglevel = 'ICAP' and debuglevelfile = '/tmp/icap-e2.txt'

restart e2 , test, and publish the result

Евгений Васильев

Jan 22, 2019, 7:19:27 AM1/22/19
to e2guardian
If I set debuglevel to just 'ICAP', then my icap-e2.txt is empty.
So to get any records in icap-e2.txt I set
debuglevel='ICAP, ICAPC'
Zipped icap-e2.txt attached

As far as I understand e2guardian acts as ICAP client when connecting to drweb-icapd
If I uncomment icapport=1344 and start e2guardian, it fails, because e2guardian then attempts to work as an ICAP server and use the same port 1344 as drweb-icapd.
So I kept icapport commented; is that OK?

icap-e2.zip

Евгений Васильев

Jan 22, 2019, 7:34:51 AM1/22/19
to e2guardian
According to drweb Administrator's manual Squid is supported, but nothing about e2guardian;)

Squid should be configured to use both reqmod and respmod like this:

For Squid 3.2 and later versions

#1
icap_enable on
 
#2
icap_service i_req reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service i_res respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
 
adaptation_access i_req allow all
adaptation_access i_res allow all
 
#3
icap_preview_enable on
icap_preview_size 0
 
#4 (In Squid 3.2, the icap_send_client_ip and icap_send_client_username parameters have been renamed)
adaptation_send_client_ip on
adaptation_send_username on
 
#5
icap_persistent_connections on


Can I modify e2guardian settings to make it work "squid-like", the way drweb-icapd expects?

I can attach the whole drweb admin guide in PDF here, if necessary

FredB

Jan 22, 2019, 7:54:19 AM1/22/19
to e2gua...@googlegroups.com
Yes sorry, ICAPC of course


FredB

Jan 22, 2019, 8:22:58 AM1/22/19
to e2gua...@googlegroups.com
Can you test the latest vbpcgi branch please, I made some changes

Do you have a contact with drweb, I found a potential minor bug


Евгений Васильев

Jan 22, 2019, 8:54:12 AM1/22/19
to e2guardian
Yes, I have contact with drweb and can send bug report to their bug tracker.
In fact, anyone can register at https://bugs.drweb.com and report bugs for this public beta.

The problem is I cannot compile this branch on my PC:
first I created a new directory
mkdir ~/build/e2guardian.new
then cd to it
then
git clone -b v5.2bpcgi --single-branch https://github.com/e2guardian/e2guardian.git
then ./configure with the parameters you can see earlier in this thread (I've taken them from the previous sources from packages.debian.org, not from github, with the addition of the dgdebug parameter).
Configure done OK
then
make gives me this:
...

g++ -DHAVE_CONFIG_H -I. -I..  -D__CONFFILE='"/etc/e2guardian/e2guardian.conf"' -D__LOGLOCATION='"/var/log/e2guardian/"' -D__PIDDIR='"/var/run"' -D__PROXYUSER='"e2guardian"' -D__PROXYGROUP='"e2guardian"' -D__CONFDIR='"/etc/e2guardian"'     -g -O2 --std=c++11  -DFD_SETSIZE=65535 -c -o contentscanners/e2guardian-icapscan.o `test -f 'contentscanners/icapscan.cpp' || echo './'`contentscanners/icapscan.cpp
contentscanners/icapscan.cpp: In member function 'virtual int icapinstance::init(void*)':
contentscanners/icapscan.cpp:214:9: error: expected 'catch' before 'icapsock'
         icapsock.close();
         ^~~~~~~~
contentscanners/icapscan.cpp:214:9: error: expected '(' before 'icapsock'
contentscanners/icapscan.cpp:214:9: error: 'icapsock' does not name a type
contentscanners/icapscan.cpp:214:17: error: expected ')' before '.' token
         icapsock.close();
                 ^
contentscanners/icapscan.cpp:214:17: error: expected '{' before '.' token
contentscanners/icapscan.cpp:214:17: error: expected primary-expression before '.' token
contentscanners/icapscan.cpp: At global scope:
contentscanners/icapscan.cpp:215:7: error: expected unqualified-id before 'catch'
     } catch (std::exception &e) {
       ^~~~~
contentscanners/icapscan.cpp:223:9: error: expected unqualified-id before 'if'
         if(o.myDebug->ICAPC)
         ^~
Makefile:1229: recipe for target 'contentscanners/e2guardian-icapscan.o' failed
make[2]: *** [contentscanners/e2guardian-icapscan.o] Error 1
make[2]: Leaving directory '/home/user/build/e2guardian/e2guardian.new/e2guardian/src'
Makefile:400: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/home/user/build/e2guardian/e2guardian.new/e2guardian'
Makefile:341: recipe for target 'all' failed
make: *** [all] Error 2


FredB

Jan 22, 2019, 8:59:30 AM1/22/19
to e2gua...@googlegroups.com
Yes sorry, stupid copy/paste, fixed now


Евгений Васильев

Jan 22, 2019, 9:16:26 AM1/22/19
to e2guardian
Ok, I see. Pulled latest updates from this branch.
Configured OK. make && make install - OK.
When I'm trying to open in my browser eicar or web-page with injected monero miner, e2guardian returns:
Category: Content scanning   Virus or bad content detected. EICAR Test File (NOT a Virus!)  - on eicar

Category: Content scanning   Virus or bad content detected. JS.Miner.11 - on page with miner

Now it looks like what I wanted, Thanks

FredB

Jan 22, 2019, 9:35:03 AM1/22/19
to e2gua...@googlegroups.com
Ok so there is a "bug" in drweb

From the first exchange between drweb and E2Guardian the header
X-Infection-Found is missing

"1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: X-Include:
X-Client-IP, X-Server-IP" should be "1548159344 ICAPC debug : ICAP/1.0
OPTIONS response part: X-Include: X-Client-IP, X-Server-IP,
X-Infection-Found"

After that E2guardian doesn't know how to find the virus name; maybe we
should always search for this header, which is used by some AV

E2guardian debug:

1548159344 ICAPC debug : ICAP server is 127.0.0.1

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response: ICAP/1.0 200 OK

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: Allow: 204

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: Connection:
keep-alive

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: Encapsulated:
null-body=0

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: ISTag: "154815934"

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: Methods: RESPMOD

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: Options-TTL: 60

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: Preview: 0

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: Service: Dr.Web
ICAPD 11.1.0.1812242330

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: Transfer-Preview: *

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part: X-Include:
X-Client-IP, X-Server-IP

1548159344 ICAPC debug : ICAP/1.0 OPTIONS response part:

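To illustrate the failure mode FredB describes, here is an added example (not e2guardian's code, and not drweb-icapd's): a small ICAP header parser that reads the OPTIONS X-Include list and the RESPMOD X-Infection-Found header. It assumes the "only trust advertised headers" behaviour as an approximation of what the debug output shows, and uses constructed replies rather than real captures.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample OPTIONS reply (not a capture); like the debug output
# above, its X-Include list does not advertise X-Infection-Found.
OPTIONS_RESPONSE = (
    "ICAP/1.0 200 OK\r\n"
    "Methods: RESPMOD\r\n"
    "ISTag: \"154815934\"\r\n"
    "X-Include: X-Client-IP, X-Server-IP\r\n"
    "\r\n"
)

# Constructed RESPMOD reply for the EICAR test file, using the
# X-Infection-Found layout from the ICAP extensions draft.
RESPMOD_RESPONSE = (
    "ICAP/1.0 200 OK\r\n"
    "ISTag: \"154815934\"\r\n"
    "X-Infection-Found: Type=0; Resolution=2; "
    "Threat=EICAR Test File (NOT a Virus!);\r\n"
    "\r\n"
)

def parse_icap_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an ICAP reply into status line and header dict (names lower-cased)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def advertised_headers(options_raw: str) -> List[str]:
    """Headers the scanner promises to send, from the OPTIONS X-Include list."""
    _, hdrs = parse_icap_headers(options_raw)
    return [h.strip().lower() for h in hdrs.get("x-include", "").split(",") if h.strip()]

def threat_name(respmod_raw: str) -> Optional[str]:
    """Threat= field of X-Infection-Found; X-Virus-ID as a fallback some scanners use."""
    _, hdrs = parse_icap_headers(respmod_raw)
    m = re.search(r"Threat=([^;]+)", hdrs.get("x-infection-found", ""))
    return m.group(1).strip() if m else hdrs.get("x-virus-id")

def classify(options_raw: str, respmod_raw: str, trust_x_include_only: bool) -> str:
    """Name shown on the block page; strict mode reads only advertised headers."""
    if trust_x_include_only and "x-infection-found" not in advertised_headers(options_raw):
        return "Unknown"
    return threat_name(respmod_raw) or "Unknown"
```

With strict handling the block page shows "Unknown" even though the RESPMOD reply names the threat; always searching the header, as suggested above, yields the EICAR name.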

Евгений Васильев

Jan 22, 2019, 10:12:54 AM1/22/19
to e2guardian

Bug description is in Russian, btw, because the developers are Russians, obviously)))
Waiting for reaction