
Willowbark ClamAV SquidGuard Howto

Mandrake 10.0
Copyright Aerospace Software Ltd, GPL, 2004.


Scope

This guide describes how to interface the Willowbark virus filter driver with ClamAV and SquidGuard. You need to read my other howtos on this convoluted topic as well. Install and configure things in this order: Apache, Squid, SquidGuard, ClamAV and Willowbark. To install SquidGuard, you need to tweak Squid. To install Willowbark, you need to tweak SquidGuard.

In essence, your browser requests a file via the proxy server Squid over HTTP or HTTPS. Squid spawns SquidGuard, which checks whether the URL is allowed, or should be scanned. If the file needs to be scanned, SquidGuard redirects the request to Willowbark. Willowbark runs Wget to download the file into an Apache directory and then runs ClamAV on the directory. If ClamAV finds a virus, it deletes the file. If the file is not deleted, Willowbark passes it to your browser; hopefully, by this time, you are still waiting patiently, staring at the hourglass...
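The request flow just described, as an added Python sketch that is not the project's Perl script: it assumes the download directory and download URL from the Install section, an assumed `PUBLIC_BASE`, and clamscan's documented exit codes (0 clean, 1 virus found, other values an error). It also derives the local file name from the URL path so a crafted URL cannot write outside the downloads directory, a check the original text does not discuss.

```python
import os
import re
import subprocess
import sys
from urllib.parse import parse_qs, unquote, urlparse
from urllib.request import urlretrieve

# Assumed paths; the real willowbark.cgi carries its own settings at the top.
DOWNLOAD_DIR = "/var/www/html/downloads"
PUBLIC_BASE = "http://localhost/downloads/"

def safe_local_name(url):
    """Name for the local copy, derived from the URL path so it cannot escape
    DOWNLOAD_DIR; None for a non-HTTP(S) URL or an empty name."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    base = os.path.basename(unquote(parsed.path))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or None

def scan_verdict(returncode):
    """clamscan's documented exit status: 0 clean, 1 virus found, other = error."""
    return {0: "clean", 1: "infected"}.get(returncode, "error")

def fetch_and_scan(url, download_dir=DOWNLOAD_DIR,
                   scanner=("clamscan", "--no-summary"), fetch=urlretrieve):
    """Download url into download_dir, scan it, delete it unless clean.
    Returns (verdict, local_path_or_None)."""
    name = safe_local_name(url)
    if name is None:
        return "rejected", None
    path = os.path.join(download_dir, name)
    fetch(url, path)  # the original script does this step with wget
    proc = subprocess.run(list(scanner) + [path], capture_output=True)
    verdict = scan_verdict(proc.returncode)
    if verdict != "clean":
        os.remove(path)  # a file the scanner could not check is not served either
        return verdict, None
    return verdict, path

def cgi_main():
    """CGI entry point: SquidGuard redirects the browser to ?url=%u."""
    url = parse_qs(os.environ.get("QUERY_STRING", "")).get("url", [""])[0]
    verdict, path = fetch_and_scan(url)
    if verdict == "clean":
        sys.stdout.write("Status: 302 Found\r\nLocation: %s%s\r\n\r\n"
                         % (PUBLIC_BASE, os.path.basename(path)))
    else:
        sys.stdout.write("Content-Type: text/plain\r\n\r\nBlocked: %s\r\n" % verdict)
```

Call `cgi_main()` from the script's entry point when running it under Apache's cgi-bin.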

Willowbark was inspired by the script Viralator by Duncan Hall. Unfortunately, Viralator uses pop-up windows, which are blocked by modern browsers. The resulting head-ache caused me to rewrite the whole thing from scratch and the result is much, much simpler. I hope that any UNIX geek can read and understand this script.

The name comes from the common cure for head-aches, acetylsalicylic acid, an extract of white willow bark - enjoy!


Get it

This project will eventually move to savannah.non-gnu, at which point I can get input from contributors, but until the good folks over at the FSF get things together, please be patient.

Download Willowbark from here http://www.AerospaceSoftware.com/willowbark.1.tar.gz and put it in directory /root/willowbark:

# cd wil[tab]
# tar -zxvf wil[tab]

You can get an alternative version here http://www.AerospaceSoftware.com/willowbark_update.zip. This version, by Diederik de Groot, uses a different download mechanism (faster, he claims) and provides a progress pop-up, if pop-ups are enabled in the browser. This version consists of two scripts. Installation is similar to the original. Read this script carefully and confirm that it calls ClamAV correctly for your setup.


Install

Put the Perl script willowbark.cgi in Apache cgi-bin and configure Apache for use with willowbark:

# cp willowbark.cgi /var/www/cgi-bin/.
# chown apache:apache /var/www/cgi-bin/willowbark.cgi
# mkdir /var/www/html/downloads
# chown apache:apache /var/www/html/downloads
# chmod 755 /var/www/html/downloads

Apache needs to be aware of all the MIME types of these files. The MIME types are defined in file /etc/httpd/conf/apache-mime.types. Otherwise, you will get a screen full of binary, instead of having it directed to ClamAV. Verify the following in file apache-mime.types:

application/x-executable                  exe com scr
application/octet-stream                  bin dms lha lzh exe com scr class
text/plain                                asc txt bat pif
application/zip                           zip

Configure SquidGuard:

In short (assuming that everything else is working purrrfectly):

  • Verify and modify the configuration items in file willowbark.cgi
  • Copy the willowbark.cgi script to /var/www/cgi-bin
  • Create the directory /var/www/html/downloads
  • Create file /etc/squidGuard/db/willowbark/urls
  • Create file /etc/squidGuard/db/willowbark/expressions
  • Modify file /etc/squidGuard/squidGuard.conf
  • Stop and start service squid
  • Enjoy the fresh calamari...

Modify file /etc/squidGuard/squidGuard.conf as follows:

# Virus scan with WillowBark using ClamAV
# Define the filename patterns that must be scanned for viruses
dest virus
{
	expressionlist	willowbark/expressions
	redirect 	http://localhost/cgi-bin/willowbark.cgi?url=%u
}

# Exclude the Apache server that WillowBark is on, else we'll get a loop.
# Also exclude the attachment directories of webmail services that do their
# own virus scanning, eg. AOL, Netscape, Hotmail, Yahoo...
dest noscan
{
	domainlist	willowbark/urls
}

# Access Control
acl 
{
	# Note: default MUST have the brace on the same line
	# Pass everything as usual, except trash and potential viruses
	default {
		pass !adsan !adsut !ads !pornan !pornut !porn noscan !virus all
		redirect 302:http://www.aerospacesoftware.com/blockedcool2.gif
	}
}

Define the Microsoft file extensions that the virus scanner should trigger on:

File /etc/squidGuard/db/willowbark/expressions
(\.exe$|\.com$|\.bat$|\.cmd$|\.zip$|\.pif$|\.scr$|\.sct$|\.doc$|\.dot$|\.xls$|
\.xlt$|\.dll$|\.ppt$|\.pot$|\.rtf$|\.vbe$|\.vbs$)

Every year, there are more of these insecure file types. It would be great to trigger on a pattern like .??? to take care of anything MS can still think of, but that will break other things. Try it, you'll see.

Define the IP address (or domain name) of the Apache server that the virus scanner is running on, as well as URLs to exclude, e.g. Netscape and Hotmail.

Yes, that funny saferd IP is one of Hotmail's - gawd knows how many there are, or what they are called. Maybe there is a pattern there, but I can't say with only one known example:

File /etc/squidGuard/db/willowbark/urls
66.222.241.232
ncmail.netscape.com
64.4.30.250/cgi-bin/saferd

Restart Squid-cache:

# service squid stop
Long wait, 30s to 1 minute.
# service squid start
Very long wait - half an hour or so if you have about a million URLs in the SquidGuard block lists.

Do not do 'service squid restart'. Doing so will result in multiple copies of squidGuard running, the server will slow to a crawl and the paint on the wall will crack and peel off before the system is working again.

Ensure that the script file has permissions 755, else Apache can't run it.


Debug

Test Apache scripting with a special URL in your browser, eg.:

http://serverip/cgi-bin/test.cgi/?url=filename.ext

Try to download a file from somewhere on the web and see what Willowbark is doing with:

tail -f /var/log/httpd/error_log

Fast Startup

Here is a comment from Phil Crooker at orix.com.au:

If you run:

      squidGuard -c /etc/squid/squidGuard.conf -C filename

it creates a .db of the squidGuard list which is a btree representation of the list. So when you start squid or run reconfigure, squidGuard doesn't have to do it at runtime, it starts as soon as the files are read, on our machines within 1 second.


'Hope this helps!

Herman



Copyright © 2005-2008, Aerospace Software Ltd., GPL.