OPNsense – Transparent Caching Filtering Proxy with Virus Scanning – Step 2 CentOS Install ClamAV

This is a pretty long guide, even before I added images, so it is broken into sections. I hope it is easy to follow; if you find any errors, please Contact us!

Step 2 – Install and configure ClamAV and SquidClamAV on CentOS 7 x64

Much of this was provided with the help of these two guides: Install Clam and Install SquidClamav

  1. These should already be installed, but just in case, install build tools for building the c_icap and squidclamav packages:
    yum -y install gcc make
  2. Install ClamAV:
    yum --enablerepo=epel -y install clamav clamav-update clamav-scanner clamav-scanner-systemd
  3. Comment out the word Example on line 8 by adding a # in front of Example:
    nano /etc/freshclam.conf
  4. Run freshclam in order to update the Clam AV databases:
    freshclam

    1. NOTE: If you get errors that freshclam cannot download updates, delete the mirrors.dat file using this command and then try again:
      rm /var/lib/clamav/mirrors.dat
  5. Make sure you are in your home directory and download a test virus (assuming your username is user1). If the test file downloads properly, it should be 68 bytes; I mention this because your firewall may block it:
    cd /home/user1
    curl -O http://www.eicar.org/download/eicar.com
  6. Test clam using this command:
    clamscan --infected --remove --recursive /home
    You should get this output:
    /home/user1/eicar.com: Eicar-Test-Signature FOUND
    /home/user1/eicar.com: Removed.

  7. Configure the clamd scan profile:
    nano /etc/clamd.d/scan.conf

    1. Comment out line 8:
      #Example

    2. Uncomment line 14:
      LogFile /var/log/clamd.scan
    3. Uncomment line 66:
      PidFile /var/run/clamd.scan/clamd.pid
    4. Uncomment line 70:
      TemporaryDirectory /var/tmp
    5. Uncomment line 85:
      LocalSocket /var/run/clamd.scan/clamd.sock
    6. Uncomment line 101:
      TCPSocket 3310
    7. Save and exit the file
  8. Create the file /var/log/clamd.scan and set ownership:
    touch /var/log/clamd.scan
    chown clamscan. /var/log/clamd.scan
  9. Start the clamd service and set it to auto-start:
    systemctl start clamd@scan
    systemctl enable clamd@scan
  10. Install c-icap:
    1. Download the file:
      curl -L -O http://downloads.sourceforge.net/project/c-icap/c-icap/0.4.x/c_icap-0.4.2.tar.gz
    2. Extract, change directory, configure, make, make install, change back to your home directory, and copy the config file to /etc by running these commands, one at a time:
      tar zxvf c_icap-0.4.2.tar.gz 
      cd c_icap-0.4.2
      ./configure
      make
      make install
      cd
      cp /usr/local/etc/c-icap.conf /etc
  11. Edit the config for c-icap:
    nano /etc/c-icap.conf

    1. On line 161 change the admin email address to one for your site:
      ServerAdmin noreply@tcptechs.com
    2. On line 170 change the hostname to a valid DNS name for this server (you should also create an internal DNS entry for it):
      ServerName proxy.tg.local
    3. On line 568 add this:
      Service squidclamav squidclamav.so
    4. Save and exit the config file
  12. Create new file at /etc/tmpfiles.d/c-icap.conf:
    nano /etc/tmpfiles.d/c-icap.conf
    Enter this text in the file:
    d /var/run/c-icap 0755 root root -
  13. Create new file at /usr/lib/systemd/system/c-icap.service:
    nano /usr/lib/systemd/system/c-icap.service
    Enter this text in the file:
    [Unit]
    Description=c-icap service
    After=network.target
    [Service]
    Type=forking
    PIDFile=/var/run/c-icap/c-icap.pid
    ExecStart=/usr/local/bin/c-icap -f /etc/c-icap.conf
    KillMode=process
    [Install]
    WantedBy=multi-user.target
  14. Install squidclamav (the ClamAV component that works with c-icap):
    1. Download the file:
      curl -L -O http://downloads.sourceforge.net/project/squidclamav/squidclamav/6.14/squidclamav-6.14.tar.gz
    2. Extract, change directory, configure, make, make install, change back to your home directory, and symlink the config file into /etc by running these commands, one at a time:
      tar zxvf squidclamav-6.14.tar.gz
      cd squidclamav-6.14
      ./configure --with-c-icap
      make
      make install
      cd
      ln -s /usr/local/etc/squidclamav.conf /etc/squidclamav.conf
  15. Configure squidclamav:
    nano /etc/squidclamav.conf

    1. On line 18 change the URL for the Virus Error page. This is the same error page we created above. In this case I have an internal DNS A record for proxy which points to this server:
      redirect http://proxy.tg.local/error.php
    2. On line 27 change it from "clamd_local /var/run/clamav/clamd.ctl" to:
      clamd_local /var/run/clamd.scan/clamd.sock
    3. Save and exit the file.
      NOTE: If you make changes to this file after starting the service, run the commands below to apply the settings without restarting c-icap:
      echo -n "squidclamav:cfgreload" > /var/run/c-icap/c-icap.ctl
      echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl
  16. Start the c-icap service and set it to auto-start:
    systemctl start c-icap
    systemctl enable c-icap
  17. Test:
    c-icap-client -i 127.0.0.1
    This should output information about the c-icap service.
  18. Test 2 – Download the eicar.com file again with the first command below and then run the second one. You should get output similar to the first line of the clamscan output in step 6 (the "Eicar-Test-Signature FOUND" line):
    curl -O http://www.eicar.org/download/eicar.com
    c-icap-client -s squidclamav -f eicar.com -i 127.0.0.1
  19. Test 3 – If you are getting errors, you can try running this command and see if it gives an error:
    c-icap -N -D -d 10
  20. If you are having issues, check the logs, and check the status of the services to make sure they are running:
    tail /var/log/clamd.scan
    tail /usr/local/var/log/server.log
    systemctl status clamd@scan
    systemctl status c-icap

We have completed Step 2.
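As an added check that is not part of the original guide: the most common reason the step 18 test returns no verdict while both services show "running" is that the socket path in /etc/clamd.d/scan.conf (LocalSocket, step 7) and the one in /etc/squidclamav.conf (clamd_local, step 15) do not match. This script cross-checks the two files and optionally pings clamd on the TCP port enabled in step 7; it assumes the file paths used in this guide and that nc (from the nmap-ncat package on CentOS 7) is installed for the live check.

```shell
#!/bin/sh
# Added example, not from the original guide: verify that squidclamav talks to the
# same socket clamd listens on, and that clamd answers on TCP 3310.

# Print the value of the first uncommented occurrence of DIRECTIVE in FILE.
# A commented line such as "#LocalSocket ..." has "#LocalSocket" as its first
# field, so it never matches the bare directive name.
# Usage: conf_value FILE DIRECTIVE
conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Return 0 when clamd_local in squidclamav.conf names the same socket as
# LocalSocket in scan.conf, 1 (with a message on stderr) otherwise.
# Usage: check_socket_paths SCAN_CONF SQUIDCLAMAV_CONF
check_socket_paths() {
    clamd_sock=$(conf_value "$1" LocalSocket)
    squid_sock=$(conf_value "$2" clamd_local)
    if [ -z "$clamd_sock" ] || [ -z "$squid_sock" ]; then
        echo "missing LocalSocket or clamd_local directive" >&2
        return 1
    fi
    if [ "$clamd_sock" != "$squid_sock" ]; then
        echo "mismatch: clamd listens on $clamd_sock, squidclamav uses $squid_sock" >&2
        return 1
    fi
    echo "ok: both sides use $clamd_sock"
    return 0
}

# Live check (only meaningful on the proxy host): clamd replies PONG to PING
# on the TCP socket enabled in step 7. Usage: clamd_ping [HOST] [PORT]
clamd_ping() {
    printf 'nPING\n' | nc -w 3 "${1:-127.0.0.1}" "${2:-3310}" | grep -q PONG
}

# When run on the proxy itself, check the real files from this guide.
if [ -f /etc/clamd.d/scan.conf ] && [ -f /etc/squidclamav.conf ]; then
    check_socket_paths /etc/clamd.d/scan.conf /etc/squidclamav.conf
fi
```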
