OPNsense – Transparent Caching Filtering Proxy with Virus Scanning – Step 2 CentOS Install ClamAV

This is a pretty long guide, even before I added images, so it is broken it into sections. I hope it is easy to follow; if you find any errors, please Contact us!

Step 2 – Install and configure ClamAV and SquidClamAV on CentOS 7 x64

Much of this was provided with the help of these two guides: Install Clam and Install SquidClamav

  1. These should already be installed, but just in case, install build tools for building the c_icap and squidclamav packages:
    yum -y install gcc make
  2. Install ClamAV:
    yum –enablerepo=epel -y install clamav clamav-update clamav-scanner clamav-scanner-systemd
  3. Comment out the word Example on line 8 by adding a # in front of Example:
    nano /etc/freshclam.conf
  4. Run freshclam in order to update the Clam AV databases:

    1. NOTE: If you get errors that freshclam cannot download updates, delete the mirrors.dat file using this command and then try again:
      rm /var/lib/clamav/mirrors.dat
  5. Make sure you are in your Home directory and download a test virus (assuming your username is user1) Also, if the test file downloads properly, it should be 68 bytes, which I mention because your firewall may block it:
    cd /home/user1
    curl -O http://www.eicar.org/download/eicar.com
  6. Test clam using this command:
    clamscan –infected –remove –recursive /home
    You should get this output:
    /home/user1/eicar.com: Eicar-Test-Signature FOUND
    /home/user1/eicar.com: Removed.

  7. Configure clamd.d scan:
    nano /etc/clamd.d/scan.conf

    1. Comment out line 8:

    2. Uncomment line 14:
      LogFile /var/log/clamd.scan
    3. Uncomment line 66:
      PidFile /var/run/clamd.scan/clamd.pid
    4. Uncomment line 70:
      TemporaryDirectory /var/tmp
    5. Uncomment line 85:
      LocalSocket /var/run/clamd.scan/clamd.sock
    6. Uncomment line 101:
      TCPSocket 3310
    7. Save and exit the file
  8. Create the file /var/log/clamd.scan and set ownership:
    touch /var/log/clamd.scan
    chown clamscan. /var/log/clamd.scan
  9. Start the clamd service and set it to auto-start:
    systemctl start clamd@scan
    systemctl enable clamd@scan
  10. Install c-icap
    1. Download the file:
      curl -L -O http://downloads.sourceforge.net/project/c-icap/c-icap/0.4.x/c_icap-0.4.2.tar.gz
    2. Extract, change directory, configure, make, make install, change directory, and copy the folder by running these commands, one at a time:
      tar zxvf c_icap-0.4.2.tar.gz 
      cd c_icap-0.4.2
      make install
      cp /usr/local/etc/c-icap.conf /etc
  11. Edit the config for c-icap:
    nano /etc/c-icap.conf

    1. On line 161 change admin email address for your site:
      ServerAdmin noreply@tcptechs.com
    2. On line 170 change computer hostname to valid DNS address for this PC (you should also create an internal DNS entry for this):
      ServerName proxy.tg.local
    3. On line 568 add this:
      Service squidclamav squidclamav.so
    4. Save and exit the config file
  12. Create new file at /etc/tmpfiles.d/c-icap.conf:
    nano /etc/tmpfiles.d/c-icap.conf
    Enter this text in the file:
    d /var/run/c-icap 0755 root root –
  13. Create new file at /usr/lib/systemd/system/c-icap.service:
    nano /usr/lib/systemd/system/c-icap.service
    Enter this text in the file:
    Description=c-icap service
    ExecStart=/usr/local/bin/c-icap -f /etc/c-icap.conf
  14. Install squidclamav (the Clam component that works with c-icap)
    1. Download the file:
      curl -L -O http://downloads.sourceforge.net/project/squidclamav/squidclamav/6.14/squidclamav-6.14.tar.gz
    2. Run these commands to extract, cd, configure, make, make install, cd, and link the file by running these commands one at a time:
      tar zxvf squidclamav-6.14.tar.gz
      cd squidclamav-6.14
      ./configure –with-c-icap
      make install
      ln -s /usr/local/etc/squidclamav.conf /etc/squidclamav.conf
  15. Configure squidclamav:
    nano /etc/squidclamav.conf

    1. On line 18 change the URL for the Virus Error page. This is the same error page we created above. In this case I have an internal DNS A record for proxy which points to this server:
      redirect http://proxy.tg.local/error.php
    2. On line 27 change it from “clamd_local /var/run/clamav/clamd.ctl” to:
      clamd_local /var/run/clamd.scan/clamd.sock
    3. Save and exit the file.
      NOTE: If you make changes to this file after starting the service, run the below commands to apply the settings:
      echo -n “squidclamav:cfgreload” > /var/run/c-icap/c-icap.ctl
      echo -n “reconfigure” > /var/run/c-icap/c-icap.ctl
  16. Start the c-icap service and set it to auto-start:
    systemctl start c-icap
    systemctl enable c-icap
  17. Test:
    c-icap-client -i
    This should output information about the i-cap service.
  18. Test 2 – Download the eicar.com file again with the below command and then run the command below that. You should get output similar to the first line of the above test:
    curl -O http://www.eicar.org/download/eicar.com
    c-icap-client -s squidclamav -f eicar.com -i
  19. Test 3 – If you are getting errors, you can try running this command and see if it gives an error:
    c-icap -N -D -d 10
  20. If you are having issues, check the logs, and check the status of the services to make sure they are running:
    tail /var/log/clamd.scan
    tail /usr/local/var/log/server.log
    systemctl status clamd@scan
    systemctl status c-icap

We have completed Step 2.


Tagged with: , ,