e2guardian AV scanning


marius...@gmail.com

May 19, 2015, 7:33:56 PM5/19/15
to e2gua...@googlegroups.com
Hi,

Thank you for your excellent work.

I've installed e2guardian and the avast AV on a Centos 6 system.

I wanted to test only the AV filtering capabilities, so I deactivated all the other filters (I've emptied the files in the lists directory).

The results were strange and mixed. It took a long time until I found an infected PDF file which was suitable to demonstrate to me that the AV is really doing its job. In the access.log file an INFECTED label appeared. Hurraaa!!!

Unfortunately it was a singular event. I've downloaded a lot of little .exe, .com and .zip files (some of which were infected). Unfortunately it seems that they were not even scanned, as they did not appear in the access.log file. Needless to say, I had no problem downloading the infamous EICAR test file either.
(https://www.f-secure.com/v-descs/eicar.shtml, http://www.eicar.org/86-0-Intended-use.html)

Strangely enough, the problem is not the same if the downloaded file is big, so it seems that it is somehow connected with the download manager.

Please, could somebody confirm this behaviour? Or am I missing something?

I've tested this behaviour with e2guardian 3.1.2, a development version from 17.05.2015 and even with dansguardian.

Best regards,
Marius

num...@free.fr

May 20, 2015, 3:46:04 AM5/20/15
to e2gua...@googlegroups.com
Hi,

Can you show your avastdscan.conf, please?

/etc/e2guardian/contentscanners/avastdscan.conf

Fred

marius...@gmail.com

May 20, 2015, 4:23:19 AM5/20/15
to e2gua...@googlegroups.com
Hi,

I've tried two variants. One with avastdscan and one with commandlinescan.

The results were the same.

The avastprotocol must be avast2014, since avast4 is not working anymore.

The content of the avastdscan.conf is:

plugname = 'avastdscan'

# edit this to match the location of your AvastD UNIX domain socket
#avastdudsfile = '/var/run/avast4/local.sock'
avastdudsfile = '/var/run/avast/scan.sock'

# edit this to block unscannable files (e.g. encrypted archives)
#archivewarn = off

#Specify the version of avast protocol. It Must be 'avast4' or 'avast2014'
#default is avast4 for compatibility
avastprotocol = 'avast2014'

exceptionvirusmimetypelist = '/etc/e2guardian/lists/contentscanners/exceptionvirusmimetypelist'
exceptionvirusextensionlist = '/etc/e2guardian/lists/contentscanners/exceptionvirusextensionlist'
exceptionvirussitelist = '/etc/e2guardian/lists/contentscanners/exceptionvirussitelist'
exceptionvirusurllist = '/etc/e2guardian/lists/contentscanners/exceptionvirusurllist'



The content of the commandlinescan.conf is:

plugname = 'commandlinescan'

# Standard lists of file types & websites not to scan
exceptionvirusmimetypelist = '/etc/e2guardian/lists/contentscanners/exceptionvirusmimetypelist'
exceptionvirusextensionlist = '/etc/e2guardian/lists/contentscanners/exceptionvirusextensionlist'
exceptionvirussitelist = '/etc/e2guardian/lists/contentscanners/exceptionvirussitelist'
exceptionvirusurllist = '/etc/e2guardian/lists/contentscanners/exceptionvirusurllist'

# Program to run & initial arguments - filename for scanning will be appended
#progname = /path/to/scanner
progname = /bin/scan

# At least one of the following three options must be defined!
# They are checked in the following order, with the first match determining
# the scan result:
# virusregexp - regular expression for extracting virus names from
# the scanner's output
# cleancodes - program return code(s), as a comma-separated list, for
# uninfected files
# infectedcodes - program return code(s), as a comma-separated list, for
# infected files

#virusregexp = (someregexp)

# Which submatch of the above contains the virus name? (0 = all matched text)
#submatch = 1

# cleancodes = 0
# infectedcodes = 1,2,3

cleancodes = 0
infectedcodes = 1

# Default result when none of the other options triggers a match
# Valid values are "infected" and "clean"
#defaultresult = infected

defaultresult = infected

TIA,
Marius
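The commandlinescan.conf above leaves the scanner as a black box: with cleancodes = 0, infectedcodes = 1 and defaultresult = infected, e2guardian appends the temp file name to progname and reads back only an exit code (or a virusregexp match). The wrapper below is an added example, not code from this thread or from e2guardian. It records every file it is handed (the cross-check for whether a download reaches the scanner at all), calls a real engine if one is named in the made-up E2G_REAL_SCANNER variable, otherwise uses a built-in stand-in that recognises only the EICAR test string, and normalises the exit code to that contract. The log path, variable names and the stand-in engine are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from e2guardian): a wrapper to use as
# `progname` in commandlinescan.conf. Logs every invocation and normalises the
# engine's exit status to the contract in that config:
#   0 = clean, 1 = infected, anything else = unknown (defaultresult decides).
# E2G_SCAN_LOG and E2G_REAL_SCANNER are names made up for this example.
set -eu

# Where each invocation is recorded. In production, point this under /var/log
# and make sure the user e2guardian runs as can write there.
E2G_SCAN_LOG="${E2G_SCAN_LOG:-${TMPDIR:-/tmp}/e2g-scan-wrapper.log}"

# Real engine to call, e.g. "clamscan --no-summary". Empty = use the stand-in
# below, which only recognises the EICAR test string (assumption: stand-in only).
E2G_REAL_SCANNER="${E2G_REAL_SCANNER:-}"

# The standard EICAR test string (publicly documented, harmless by design).
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1   # fallback: CRC, still enough to correlate
    fi
}

# Record that e2guardian actually handed us this file: time, size, hash, path.
log_invocation() {
    printf '%s size=%s digest=%s file=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(wc -c < "$1" | tr -d ' ')" \
        "$(file_digest "$1")" "$1" >> "$E2G_SCAN_LOG"
}

# Stand-in engine: prints a clamscan-style verdict line so one virusregexp
# (': (.*) FOUND$', submatch 1) works for both the stand-in and clamscan.
stand_in_scan() {
    if grep -qF "$EICAR" "$1"; then
        printf '%s: Eicar-Test-Signature FOUND\n' "$1"
        return 1
    fi
    printf '%s: OK\n' "$1"
    return 0
}

# Entry point: $1 is the file name e2guardian appends to progname.
# Returns 0 clean, 1 infected, 2 scanner error (fails closed via defaultresult).
scan_file() {
    f="$1"
    if [ ! -r "$f" ]; then
        printf 'scan-wrapper: cannot read %s\n' "$f" >&2
        return 2
    fi
    log_invocation "$f"
    rc=0
    if [ -n "$E2G_REAL_SCANNER" ]; then
        # unquoted on purpose so "clamscan --no-summary" splits into args
        $E2G_REAL_SCANNER "$f" || rc=$?
    else
        stand_in_scan "$f" || rc=$?
    fi
    case "$rc" in
        0|1) return "$rc" ;;
        *)   return 2 ;;   # any other code: let e2guardian's default decide
    esac
}

# e2guardian calls this with one argument. With none, run a self-demonstration
# on constructed files: one carrying the EICAR string, one plain text.
if [ "$#" -gt 0 ]; then
    rc=0; scan_file "$1" || rc=$?
    exit "$rc"
else
    d="$(mktemp -d)"
    printf '%s\n' "$EICAR" > "$d/eicar.com"
    printf 'nothing to see here\n' > "$d/clean.txt"
    for f in "$d/eicar.com" "$d/clean.txt" "$d/does-not-exist"; do
        rc=0; scan_file "$f" || rc=$?
        printf 'exit=%s for %s\n' "$rc" "$f"
    done
    rm -rf "$d"
fi
```

To wire it in, point progname at the saved script (for instance /usr/local/bin/e2g-scan-wrapper, a hypothetical path), keep cleancodes = 0, infectedcodes = 1 and defaultresult = infected, and, because the wrapper prints clamscan-style output, a virusregexp like `: (.*) FOUND$` with submatch = 1 recovers the signature name for the log. Any exit code other than 0 or 1 is passed through as 2, which defaultresult = infected turns into a block, so a broken or missing engine fails closed rather than letting a file through unscanned. The log file then answers the question in this thread directly: if a download never shows up there, e2guardian never handed it to the scanner.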

num...@free.fr

May 20, 2015, 4:53:41 AM5/20/15
to e2gua...@googlegroups.com
Are you using Squid as proxy? Do you have a link to a "wrong" object?

marius...@gmail.com

May 20, 2015, 5:04:21 AM5/20/15
to e2gua...@googlegroups.com
Yes, I'm using squid.

A link could be https://www.f-secure.com/v-descs/eicar.shtm.

But it does not matter too much. The problem is that if I choose to download a small file (a couple of MB), the file does not reach the scanner. And this is 100% sure. It does not matter whether the file contains a virus or not.

Another example could be a document in PDF format viewed online. My feeling is that it does not reach the scanner either.

The problem is with everything that is downloaded somehow...

The question is why is this happening? A config problem? A software problem?

num...@free.fr

May 20, 2015, 5:13:22 AM5/20/15
to e2gua...@googlegroups.com
HTTPS? Are you using SSLMITM or not?

| But it does not matter too much. The problem is that if I'm choosing to download a small file (couple mega), the file does not reach the scanner. And this is 100% sure. It does not
| matter that the file contain a virus or not.

Yes, SSL can't be analysed without breaking the security; this is not related to E2, dansguardian, or any proprietary software.

marius...@gmail.com

May 20, 2015, 5:26:17 AM5/20/15
to e2gua...@googlegroups.com
No, I'm not using SSLMITM (I've tried it but had problems with it, but that is another thread).

As I stated before, please try to download some file from, let's say, www.tucows.com, or from an FTP server, or some online documentation. You will not find the PDF file itself or the EXE file itself in the logs.

num...@free.fr

May 20, 2015, 5:57:53 AM5/20/15
to e2gua...@googlegroups.com

| No I'm not using SSLMITM (I've tried it but I've had problems with it, but that is another thread).

OK, thanks, so this is normal behaviour for some files.


| As I stated before please try to download some file from let's say www.tucows.com or from a ftp server or a online documentation. You will not find in the logs the pdf file itself, the exe file itself.

OK, I will make a test later (I don't have avast2014 here).
Is there a plugin or a redirector for Squid? If yes, maybe you can just try without E2 (Squid alone) to validate the proxy -> Avast communication.

Please, can you provide some lines from Squid's log with a PDF or EXE not scanned by Avast?

marius...@gmail.com

May 20, 2015, 6:12:39 AM5/20/15
to e2gua...@googlegroups.com
Thank you for your patience!!!

Well, I do not think that this is an Avast connector problem. It does not work with commandlinescan either, which is product independent.

An example: in the squid access.log I have:

1432116497.751 1264 127.0.0.1 TCP_MISS/200 149150 GET http://www.stata.com/manuals14/fndateandtimefunctions.pdf - DIRECT/66.76.6.5 application/pdf

1432116506.396 181147 127.0.0.1 TCP_MISS/200 92371 CONNECT cdn.mathjax.org:443 - DIRECT/162.159.241.204

In the e2guardian access log I have: NOTHING.

num...@free.fr

May 20, 2015, 7:02:29 AM5/20/15
to e2gua...@googlegroups.com


| 1432116497.751 1264 127.0.0.1 TCP_MISS/200 149150 GET http://www.stata.com/manuals14/fndateandtimefunctions.pdf - DIRECT/66.76.6.5 application/pdf

This one should be scanned.

| 1432116506.396 181147 127.0.0.1 TCP_MISS/200 92371 CONNECT cdn.mathjax.org:443 - DIRECT/162.159.241.204

OK, SSL, so "transparent" for E2 and Avast.

| In the e2guardian access log I have: NOTHING.

Be careful: you should have something only when a virus is found; or try with loglevel = 3 in e2guardian.conf (but you will see all the requests, virus or not).
Do you have a debug mode with Avast (or a full log) to see the files scanned and the files not scanned?

marius...@gmail.com

May 20, 2015, 2:43:58 PM5/20/15
to e2gua...@googlegroups.com
It does not reach the antivirus, that's for sure.

That was my initial complaint (if you remember).

Could you please test on your system my statements ?

Again, IMHO that has nothing to do with the antivirus software.

neri...@gmail.com

May 20, 2015, 4:25:11 PM5/20/15
to e2gua...@googlegroups.com, marius...@gmail.com
Does it work the same if you use clamav instead of avast with e2guardian?

marius...@gmail.com

May 20, 2015, 6:18:50 PM5/20/15
to e2gua...@googlegroups.com, neri...@gmail.com
When I raised the loglevel to 3, all the files appeared automagically in the log files.

Unfortunately I didn't find a setting to enable the log level of the AV. That could be the perfect cross-verification.

At the moment I hope that the case could be considered closed.

Other problem: do you have an sslmitm variant of e2guardian that is working?

I've tried a dev version from 17.05.2015 but I'm constantly receiving in the log file "denied - Certificate supplied by server was not valid: unable to get local issuer certificate".

marius...@gmail.com

May 21, 2015, 4:25:45 AM5/21/15
to e2gua...@googlegroups.com
Hi,

Do you have a working variant of e2guardian with the sslmitm option enabled?

TIA

On Wednesday, May 20, 2015 at 2:02:29 PM UTC+3, FredB wrote:

Philip Pearce

May 23, 2015, 8:28:04 AM5/23/15
to marius onica, e2gua...@googlegroups.com
The sslmitm option does work in latest develop version.

The message "denied - Certificate supplied by server was not valid: unable to get local issuer certificate" does not indicate a bug in e2guardian. It shows that either the certificate supplied by the target server was invalid or that the SSL cert store on your system does not have the issuer's root CA certificate loaded. You need to make sure you have the latest OpenSSL cert bundle installed on your system when running sslmitm.

You can test if that is the case by retrieving the URL with wget; it should also return an error.

If you keep getting the error after you have updated your cert bundle, then you could try with the e2guardian mitmcheckcert option switched off; not recommended for production use, but useful for testing.

Regards
Philip Pearce
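The wget check above needs network access and a live server. As an added example (not from this thread, and not part of e2guardian) the script below reproduces the exact OpenSSL verdict quoted in the log message offline: it builds a throwaway CA, signs a leaf certificate with it, and runs `openssl verify` once while ignoring the default trust store (which is what a system that lacks the issuer's root CA looks like to mitmcheckcert) and once with the CA supplied. The CA name, the hostname and the helper names are made up; only the openssl command-line tool (1.1.0 or newer, for the -no-CAfile/-no-CApath flags) is required.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "unable to get local issuer
# certificate" offline with a throwaway CA, then show it disappears once the
# issuer is in the trust store. Assumptions: openssl CLI >= 1.1.0 on PATH;
# the CA name and hostname below are constructed test data.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test data: a self-signed CA and a leaf certificate it signs.
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Throwaway Test CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=proxy-test.example' \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.pem" >/dev/null 2>&1
}

# Verify a leaf ($1) against an explicit CA bundle ($2). With $2 empty, the
# default CA file and directory are ignored, so the issuer is simply absent,
# as on a box whose cert bundle lacks that root. Output and exit status are
# openssl's own.
verify_against() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1" 2>&1
    fi
}

# Reduce openssl's verdict to one word: "untrusted" for the missing-issuer
# error (X509 error 20), "ok" on success, "other" for anything else.
classify() {
    out="$(verify_against "$1" "$2" || true)"
    case "$out" in
        *"unable to get local issuer certificate"*) echo untrusted ;;
        *": OK"*)                                   echo ok ;;
        *)                                          echo other ;;
    esac
}

make_test_chain
echo "leaf vs. store without the issuer : $(classify "$WORK/srv.pem" "")"
echo "leaf vs. store holding its CA     : $(classify "$WORK/srv.pem" "$WORK/ca.pem")"
```

The first line prints "untrusted", the second "ok", with no change to the leaf certificate in between: the error is a property of the verifier's trust store, not of the server, which is why refreshing the CA bundle (or adding a private root the proxy must trust) is the fix, and why turning mitmcheckcert off merely hides it. The same `openssl verify -CAfile` call, pointed at the system bundle and at a certificate saved from the real server, tells you which of the two cases Philip describes you are in.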


