Здравствуйте!
Есть Ubuntu 16.04.04, стоит squid+havp+ClamAV. Стоит эта система с декабря 2017 года, периодически смотрю логи ClamAV /var/log/clamav/clamav.log, там инфа только о том, что с базами все путем и Eicar прошел проверку успешно. Тем не менее, у пользователей на компьютерах периодически нахожу вирусы. Понимаю, что ClamAV — антивирус бесплатный и, по мнению многих, малоэффективный, но это антивирус, и хоть как-то он должен работать) Находил в интернете идентичную тему, но там суть разговора ушла в другое русло, и ответа на вопрос я не нашел. Конфиги havp и clamav прикладываю.
UPD: Тест Eicar прохожу успешно, havp блокирует файл.
#
# This is the configuration file for HAVP
#
# Default:
# User and group HAVP runs as (the PIDFILE, logs and temp files below
# must be writable by this user). GROUP clamav is the same group as
# LocalSocketGroup in the attached clamd.conf, so HAVP reaches the clamd
# socket through group permission alone.
USER havp
GROUP clamav
# If this is true HAVP is running as daemon in background.
# For testing you may run HAVP at your text console.
#
# Default:
# DAEMON true
#
# Process id (PID) of the main HAVP process is written to this file.
# Be sure that it is writeable by the user under which HAVP is running.
# /etc/init.d/havp script requires this to work.
#
# Default:
# PIDFILE /var/run/havp/havp.pid
#
# For performance reasons several instances of HAVP have to run.
# Specify how many servers (child processes) are simultaneously
# listening on port PORT for a connection. Minimum value should be
# the peak requests-per-second expected + 5 for headroom. For best
# performance, you should have atleast 1 CPU core per 16 processes.
#
# For single user home use, 8 should be minimum.
# For 500+ users corporate use, start at 40.
#
# Value can and should be higher than recommended. Memory and
# CPU usage is only affected by the number of concurrent requests.
#
# More childs are automatically created when needed, up to MAXSERVERS.
#
# Default:
# Child processes at start (15) and the ceiling HAVP may grow to (60),
# per the sizing guidance above.
# NOTE(review): the attached clamd.conf allows MaxThreads 12 with a
# listen backlog of 15; a burst of up to 60 HAVP children may get
# connections refused by clamd, which would surface as a scanner error
# (see FAILSCANERROR below) — check ERRORLOG for that.
SERVERNUMBER 15
MAXSERVERS 60
#
# Files where to log requests and info/errors.
# Needs to have write permission for HAVP user.
#
# Default:
# Request log and error log. VIRUSLOG is left at its default (same as
# ACCESSLOG, see below), so virus hits made through the clamd socket
# scanner are recorded in access.log — this is the first place to look
# for detections, separately from clamd's own LogFile.
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log
# VIRUSLOG (same as ACCESSLOG)
#
# Format for timestamps in logfile messages.
# See: man strftime
#
# Default:
# TIMEFORMAT %d/%m/%Y %H:%M:%S
#
# Syslog can be used instead of logging to file.
# For facilities and levels, see "man syslog".
#
# Default:
# USESYSLOG false
# SYSLOGNAME havp
# SYSLOGFACILITY daemon
# SYSLOGLEVEL info
# SYSLOGVIRUSLEVEL warning
#
# true: Log every request to access log
# false: Log only viruses to access log
#
# Default:
# true: every request is logged, not only virus hits (handy while
# troubleshooting; ACCESSLOG grows with traffic).
LOG_OKS true
#
# Level of HAVP logging
# 0 = Only serious errors and information
# 1 = Less interesting information is included
#
# Default:
# LOGLEVEL 0
#
# Temporary scan file.
# This file must reside on a partition for which mandatory
# locking is enabled. For Linux, use "-o mand" in mount command.
# See "man mount" for details. Solaris does not need any special
# steps, it works directly.
#
# Specify absolute path to a file which name must contain "XXXXXX".
# These characters are used by system to create unique named files.
#
# Default:
# Scan temp file pattern. Per the note above, /var/spool/havp must be on
# a partition mounted with mandatory locking ("-o mand"); if it is not,
# the resulting scanner errors would presumably only be visible in
# ERRORLOG while FAILSCANERROR is false.
SCANTEMPFILE /var/spool/havp/havp-XXXXXX
#
# Directory for ClamAV and other scanner created tempfiles.
# Needs to be writable by HAVP user. Use ramdisk for best performance.
#
# Default:
# TEMPDIR /var/tmp
#
# HAVP reloads scanners virus database by receiving a signal
# (send SIGHUP to PID from PIDFILE, see "man kill") or after
# a specified period of time. Specify here the number of
# minutes to wait for reloading.
#
# This only affects library scanners (clamlib, trophie).
# Other scanners must be updated manually.
#
# Default:
# DBRELOAD 60
#
# Run HAVP as transparent Proxy?
#
# If you don't know what this means read the mini-howto
# TransparentProxy written by Daniel Kiracofe.
# (e.g.: http://www.tldp.org/HOWTO/TransparentProxy.html)
# Definitely you have more to do than setting this to true.
# You are warned!
#
# Default:
# TRANSPARENT false
#
# Specify a parent proxy (e.g. Squid) HAVP should use.
# If needed, user and password authentication can be used,
# but only Basic-authentication scheme is supported.
#
# Default: NONE
# PARENTPROXY localhost
# PARENTPORT 3128
# PARENTUSER username
# PARENTPASSWORD password
#
# Write X-Forwarded-For: to log instead of connecters IP?
#
# If HAVP is used as parent proxy by some other proxy, this allows
# to write the real users IP to log, instead of proxy IP.
#
# Default:
# FORWARDED_IP false
#
# Send X-Forwarded-For: header to servers?
#
# If client sent this header, FORWARDED_IP setting defines the value,
# then it is passed on. You might want to keep this disabled for security
# reasons. Enable this if you use your own parent proxy after HAVP, so it
# will see the original client IP.
#
# Disabling this also disables Via: header generation.
#
# Default:
# X_FORWARDED_FOR false
#
# Port HAVP is listening on.
#
# Default:
# Port HAVP accepts proxied requests on; the upstream proxy (squid) must
# forward to this port.
PORT 2005
#
# IP address that HAVP listens on.
# Let it be undefined to bind all addresses.
#
# Default: NONE
# Loopback only: just processes on this host (e.g. squid) can reach HAVP;
# nothing else on the network can talk to port 2005 directly.
BIND_ADDRESS 127.0.0.1
#
# IP address used for sending outbound packets.
# Let it be undefined if you want OS to handle right address.
#
# Default: NONE
# SOURCE_ADDRESS 1.2.3.4
# SSLTIMEOUT - Number of seconds to wait for SSL timeout
#
# Default: 20
# SSLTIMEOUT 20
#
# Path to template files.
#
# Default:
# Russian-language error and virus-report templates.
TEMPLATEPATH /etc/havp/templates/ru
#
# Set to true if you want to prefer Whitelist.
# If URL is Whitelisted, then Blacklist is ignored.
# Otherwise Blacklist is preferred.
#
# Default:
# WHITELISTFIRST true
#
# List of URLs not to scan.
#
# Default:
# URLs listed here bypass scanning entirely (and MAXDOWNLOADSIZE, see
# below). Review this file's contents whenever a download is missed.
WHITELIST /etc/havp/whitelist
#
# List of URLs that are denied access.
#
# Default:
# URLs listed here are refused outright.
BLACKLIST /etc/havp/blacklist
#
# Is scanner error fatal?
#
# For example, archive types that are not supported by scanner
# may return error. Also if scanner has invalid pattern files etc.
#
# true: User gets error page
# false: No error is reported (viruses might not be detected)
#
# Default:
# false = a scanner error (the examples above: unsupported archive types,
# invalid pattern files; presumably also an unreachable or timed-out
# clamd) is NOT reported to the user and, as the note says, viruses might
# then go undetected — i.e. the proxy fails open. Consider true while
# diagnosing missed detections, and grep ERRORLOG for scanner errors
# either way.
FAILSCANERROR false
#
# Time in minutes!
#
# Default:
# Scanner timeout in MINUTES (5 min), not seconds.
SCANNERTIMEOUT 5
#
# Default:
# NOTE(review): the description of RANGE from the stock config is not
# shown here. If it permits HTTP Range (partial) requests, a file fetched
# in pieces is only ever scanned piece by piece, never as a whole —
# confirm against the HAVP documentation before relying on it.
RANGE true
#
# Default:
# PRELOADZIPHEADER true
#
# Default:
# Images are not scanned (image/* is also excluded via SKIPMIME below).
SCANIMAGES false
#
# What MIME types NOT to scan. For performance reasons, you could
# exclude all media types.
#
# Based on Content-Type: header as given by the HTTP server.
# Note that it is easy to forge and should not be trusted.
#
# Basic wildcard match supported.
#
# Default: NONE
# These Content-Types are passed through unscanned. The type is whatever
# the HTTP server claims (see the note above: easy to forge, not to be
# trusted), so content served under an image/*, video/* or audio/* label
# is never handed to clamd at all. Tightening this list (or using
# SCANMIME instead) is the first thing to check when downloads reach
# clients unscanned.
SKIPMIME image/* video/* audio/*
#
# If set, then ONLY these MIME types will be scanned.
#
# Based on Content-Type: header as given by the HTTP server.
# Note that it is easy to forge and should not be trusted.
#
# Basic wildcard match supported.
#
# Default: NONE
# SCANMIME application/*
#
# Default:
# HAVP's own limit is ~500 MB, but the attached clamd.conf applies much
# smaller limits of its own (MaxScanSize 15M, MaxFileSize 8M), so
# anything beyond those is not inspected by clamd whatever this value is.
MAXSCANSIZE 500000000
#
# Amount of data going to browser that is held back, until it
# is scanned. When we know file is clean, this held back data
# can be sent to browser. You can safely set bigger value, only
# thing you will notice is some "delay" in beginning of download.
# Virus found in files bigger than this might not produce HAVP
# error page, but result in a "broken" download.
#
# VALUE IN BYTES NOT KB OR MB!!!!
#
# Default:
# KEEPBACKBUFFER 200000
#
# This setting complements KEEPBACKBUFFER. It tells how many Seconds to
# initially receive data from server, before sending anything to client.
# Even trickling is not done before this time elapses. This way files that
# are received fast are more secure and user can get virus report page for
# files bigger than KEEPBACKBUFFER.
#
# Setting to 0 will disable this, and only KEEPBACKBUFFER is used.
#
# Default:
# KEEPBACKTIME 5
#
# After Trickling Time (seconds), some bytes are sent to browser
# to keep the connection alive. Trickling is not needed if timeouts
# are not expected for files smaller than KEEPBACKBUFFER, but it is
# recommended to set anyway.
#
# 0 = No Trickling
#
# Default:
# TRICKLING 30
#
# Send this many bytes to browser every TRICKLING seconds, see above
#
# Default:
# TRICKLINGBYTES 1
#
# Downloads larger than MAXDOWNLOADSIZE will be blocked.
# Only if not Whitelisted!
#
# VALUE IN BYTES NOT KB OR MB!!!!
# 0 = Unlimited Downloads
#
# Default:
# MAXDOWNLOADSIZE 0
#
# Default: NONE
# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS
#
# Bytes to scan from beginning of streams.
# When set to 0, STREAMUSERAGENT scanning will be completely disabled.
# It is not recommended as there are some exploits for players.
#
# Default:
# STREAMSCANSIZE 20000
#
# Disable mandatory locking (dynamic scanning) for certain file types.
# This is intended for fixing cases where a scanner forces use of mmap()
# call. Mandatory locking might not allow this, so you could get errors
# regarding memory allocation or I/O. You can test the "None" option
# anyway, as it might even work depending on your OS (some Linux seems
# to allow mand+mmap).
#
# Allowed values:
# None
# ClamAV:BinHex (mmap forced in versions older than 0.96)
# ClamAV:PDF (mmap forced in versions older than 0.96)
# ClamAV:ZIP (mmap forced in 0.93.x, should work in 0.94)
# AVG:ALL (AVG 8.5 does not work, uses mmap MAP_SHARED)
#
# Default:
# DISABLELOCKINGFOR AVG:ALL
#
# Whitelist specific viruses by case-insensitive substring match.
# For example, "Oversized." and "Encrypted." are good candidates,
# if you can't disable those checks any other way.
#
# Default: NONE
# IGNOREVIRUS Oversized. Encrypted. Phishing.
#####
##### ClamAV Library Scanner (libclamav)
#####
#ENABLECLAMLIB true
# HAVP uses libclamav hardcoded pattern directory, which usually is
# /usr/share/clamav. You only need to set CLAMDBDIR, if you are
# using non-default DatabaseDirectory setting in clamd.conf.
#
# Default: NONE
#CLAMDBDIR /var/lib/clamav
# Should we block broken executables?
#
# Default:
# CLAMBLOCKBROKEN false
# Should we block encrypted archives?
#
# Default:
# CLAMBLOCKENCRYPTED false
# Should we block files that go over maximum archive limits?
#
# Default:
# CLAMBLOCKMAX false
# Scanning limits?
# You can find some additional info from documentation or clamd.conf
#
# Stop when this many total bytes scanned (MB)
# CLAMMAXSCANSIZE 20
#
# Stop when this many files have been scanned
# CLAMMAXFILES 50
#
# Don't scan files over this size (MB)
#CLAMMAXFILESIZE 25
#
# Maximum archive recursion
#CLAMMAXRECURSION 3
#####
##### ClamAV Socket Scanner (clamd)
#####
##### NOTE: ClamAV Library Scanner should be preferred (less overhead)
#####
# The clamd socket scanner is the only scanner active (ENABLECLAMLIB is
# commented out above), so every verdict depends on clamd being reachable.
ENABLECLAMD true
# Path to clamd socket
#
# Default:
# Must match LocalSocket in clamd.conf (it does: /var/run/clamav/clamd.ctl).
CLAMDSOCKET /var/run/clamav/clamd.ctl
# ..OR if you use clamd TCP socket, uncomment to enable use
#
# Clamd daemon needs to run on the same server as HAVP
#
# Default: NONE
#CLAMDSERVER 127.0.0.1
#CLAMDPORT 3310
#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
# Unix socket HAVP connects to (CLAMDSOCKET in havp.config above).
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
# HAVP runs with GROUP clamav, so group access already suffices for it.
LocalSocketGroup clamav
# 666 makes the socket world-writable: any local account can submit scan
# and control commands to clamd. This is the packaging default (see the
# header above), but 660 would still serve HAVP via the clamav group.
LocalSocketMode 666
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
# Daemon identity and input handling.
User clamav
AllowSupplementaryGroups false
ScanMail true
ScanArchive true
# Encrypted archives are not flagged; their contents cannot be inspected,
# so presumably they pass as clean. (HAVP's CLAMBLOCKENCRYPTED sits in the
# library-scanner section, which is disabled here.)
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
# Worker threads and listen backlog; HAVP above may run up to 60 children
# against these 12 threads / backlog of 15.
MaxThreads 12
MaxConnectionQueueLength 15
# Logging: clean results are not written (LogClean false) and verbose
# output is off, so a quiet clamav.log is expected when nothing is found
# and does not by itself show that files are reaching clamd. Enable
# LogClean or LogVerbose temporarily to confirm scan requests arrive.
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
DatabaseDirectory /var/lib/clamav
# Unofficial/third-party signature sets are allowed to load.
OfficialDatabaseOnly false
# Database consistency re-check interval, in seconds (hourly).
SelfCheck 3600
Foreground false
Debug false
# Per-format parsers: PE, OLE2, PDF, HTML, SWF and ELF are all enabled.
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
# Malformed executables are not reported as detections.
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
# Phishing signatures/URL checks stay on; the two "always block" variants
# are off.
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
# Potentially unwanted applications (adware and similar) are not flagged
# at all; enabling this widens what counts as a detection.
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
# Office documents are not blocked merely for containing macros.
OLE2BlockMacros false
# On-access scanning concerns local filesystems, not the proxy path.
ScanOnAccess false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
# Scan limits. Files over MaxFileSize (8M) are skipped and MaxScanSize
# caps the total bytes unpacked per scan; both are far below HAVP's
# MAXSCANSIZE of 500000000 above, so larger downloads reach clients
# without inspection. Raise these if big installers must be covered.
MaxScanSize 15M
MaxFileSize 8M
MaxRecursion 8
MaxFiles 1500
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
# Anonymous statistics submission is off.
StatsEnabled false
StatsPEDisabled true
StatsHostID auto
StatsTimeout 10
# Upper bound for data sent over the INSTREAM command; presumably only
# relevant if HAVP streams content rather than passing a file path.
StreamMaxLength 25M
# This is the log inspected in the question; with LogClean/LogVerbose off
# (above) it stays quiet unless something is found or fails.
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
# 0 = no size limit on the log file.
LogFileMaxSize 0
# Only signed bytecode signatures are executed; 60 s timeout per run.
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
Прошу помочь понять, что я делаю не так, спасибо!