SquidClamav is an antivirus for the Squid proxy based on the award-winning ClamAV anti-virus toolkit. Using it will help you secure your home or enterprise network web traffic. SquidClamav is the most efficient Squid ICAP service antivirus tool for HTTP traffic available for free; it is written in C and can handle thousands of connections. SquidClamav is built with speed and security in mind; it was first used and tested to secure a network with 2,500 and more users. It is also known to work fast with 15000+ users.
SquidClamav works as an ICAP service through the c-icap server. With SquidClamav you have full control over what kind of HTTP stream must be scanned by the ClamAV antivirus; this control operates at 3 different levels:
SquidClamav scans all HTTP traffic by default (mode "ScanAllExcept") but it can be switched to a "ScanNothingExcept" mode to scan only some files.
This version fixes some bugs reported by users since the previous release, especially multipart/form-data uploads that were not scanned.
Full list of changes:
- Add documentation FAQ about FTP uploads (STOR/put) hang with Squid native
FTP proxy (ftp_port)
- Add CI workflow file for regression tests.
- Add test for PUT uploads that must be passed to squidclamav in REQMOD
exactly like POST.
- Multipart re-encoding. When the HTTP body is a multipart/form-data upload
we hand it to clamd wrapped as an e-mail so that libclamav decodes the
multipart and scans every embedded file. However libclamav reads e-mail
bodies line by line and STRIPS NUL bytes while doing so. A raw binary
part (an .exe, etc.) therefore reaches the scanner with all its NUL bytes
removed, no longer matches any signature and the virus is missed.
The fix rebuilds the multipart payload into a canonical MIME message
whose part bodies are base64-encoded (Content-Transfer-Encoding: base64).
base64 output is pure ASCII with no NUL bytes and is line-oriented, so it
survives libclamav's line reader untouched; libclamav then base64-decodes
each part back to the exact original bytes before scanning.
Caveats: The rebuild reads the whole body into memory (bounded to existing
maxsize/StreamMaxLength limits) and base64 adds ~37% size, so a multipart
upload near StreamMaxLength could now hit that ceiling slightly sooner.
Thanks to asterite3, ktran668959 and Yuri Voinov for the report.
- Use MEDIUM_BUFF instead of LOW_BUFF for all URIs storage.
- Fix configure prefix usage that was missing in configure. Thanks to Lajos
Gaspar for the patch.
- Fix several memory allocation/free issues.
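The multipart re-encoding entry above can be reproduced offline. The following Python code is an added example, not SquidClamav or libclamav code: it models the e-mail line reader as a function that drops NUL bytes, wraps the rebuilt parts in multipart/mixed, and uses a constructed boundary and payload (all three are assumptions made for the illustration).

```python
import base64

BOUNDARY = b"XCONSTRUCTEDBOUNDARYX"      # constructed sample boundary
PAYLOAD = bytes(range(256)) * 64         # constructed binary "file" with 64 NUL bytes
UPLOAD = (b"--" + BOUNDARY + b"\r\n"
          b'Content-Disposition: form-data; name="file"; filename="sample.bin"\r\n'
          b"Content-Type: application/octet-stream\r\n\r\n"
          + PAYLOAD + b"\r\n--" + BOUNDARY + b"--\r\n")

def split_parts(body, boundary):
    """Return [(raw_headers, content)] for every part of a multipart body."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):              # closing delimiter reached
            break
        head, _, content = chunk.partition(b"\r\n\r\n")
        parts.append((head.strip(b"\r\n"), content[:-2]))  # drop CRLF before delimiter
    return parts

def rebuild_base64(body, boundary):
    """Rebuild the upload as a MIME message whose part bodies are base64."""
    out = [b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="'
           + boundary + b'"\r\n']
    for head, content in split_parts(body, boundary):
        out.append(b"\r\n--" + boundary + b"\r\n" + head
                   + b"\r\nContent-Transfer-Encoding: base64\r\n\r\n")
        out.append(base64.encodebytes(content).replace(b"\n", b"\r\n"))
    out.append(b"\r\n--" + boundary + b"--\r\n")
    return b"".join(out)

def nul_stripping_reader(message):
    """Assumed model of a text line reader that drops NUL bytes."""
    lines = message.splitlines(keepends=True)
    return b"".join(line.replace(b"\x00", b"") for line in lines)

def scanned_bytes(message, boundary, encoded):
    """Bytes the scanner ends up with for the first part, after the line reader."""
    _, content = split_parts(nul_stripping_reader(message), boundary)[0]
    return base64.b64decode(content) if encoded else content

if __name__ == "__main__":
    raw_seen = scanned_bytes(UPLOAD, BOUNDARY, encoded=False)
    fixed = rebuild_base64(UPLOAD, BOUNDARY)
    print("raw path intact:   ", raw_seen == PAYLOAD,
          "(%d bytes lost)" % (len(PAYLOAD) - len(raw_seen)))
    print("base64 path intact:", scanned_bytes(fixed, BOUNDARY, encoded=True) == PAYLOAD)
    print("size growth: %.1f%%" % (100 * (len(fixed) / len(UPLOAD) - 1)))
```

The growth figure comes from base64's 4/3 expansion plus a CRLF after every 76 output characters, which is where the roughly 37% in the caveat originates.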
This version fixes some bugs reported by user
Full list of changes:
- Patch for GCC15 issues - BZ2341381. Thanks to Frank Crawford for the patch.
- Update README for icap_service command change in Squid 3.4.x configuration.
Thanks to kimsaetbyeol for the patch.
This version fixes some bugs reported by users since previous release.
Full list of changes:
- Fix size for clmd_curr_ip that could be a hostname up to 253 characters.
Thanks to Pavel Krustev for the report.
- Add the gplv3 licence content to COPYING file. Thanks to Simone Caronni
for the report.
- Use getnameinfo instead of deprecated gethostbyaddr. Thanks to Frank
Crawford for the report.
- Fix regexp compilation failure when it contains a #.
- Add reject_url configuration directive that allows rejecting certain URLs
based on a regular expression. For example: reject_url ^.*\.(com|bat|exe)$
- Fix some compilation warnings on call to strncpy.
- Add a JP translation for clwarn.cgi. Thanks to Frank Crawford for the patch.
This version fixes some bugs reported by users since the previous release, especially a crash on calls to the deprecated gethostbyname() function.
Full list of changes:
- Update copyright year
- Fix compilation warning about strlen
- Add .gitignore file
- Merge some redundant code related to whitelist/abort and blacklist/scan.
Thanks to rdpmc Oleg for the report.
- Fix call to CGI::param without scalar context. Thanks to Frank Crawford
for the report.
- Replace deprecated gethostbyname() by getaddrinfo(). Thanks to Jean-noel
Leclercq for the patch.
- Create http response entity if not present in icap request. Thanks to
Saurabh Ram Tripathi for the patch.
- Re-work/Updated debian/*. Thanks to Louis van Belle for the patch.
This version fixes some bugs reported by users since the previous release and adds a new configure option to set the search path to the libarchive header file.
* Add --with-libarchive configure option to specify where to find
archive.h. It is searched for in /usr/include and /usr/local/include
by default; if the header file is not in one of these directories you must
use this option. Example: ./configure --with-libarchive=/opt/csw.
Full list of changes:
- Fix some compilation warnings.
- Fix typos/translation error. Thanks to Yuri Voinov for the patch.
- Allow base dir to --with-libarchive option, /opt/csw/ instead of
/opt/csw/include. Thanks to Yuri Voinov for the report.
- Fix formatting of configure usage output. Thanks to Yuri Voinov
for the report.
- Defined max() macro even if libarchive is not used. Thanks to Yuri
Voinov for the report.
This major version adds some useful features and new configuration directives, and fixes some bugs reported by users since the previous release.
New features are:
* New scan mode. By default squidclamav scans everything except the exclusions defined in the 'abort', 'abortcontent', 'whitelist', 'trustuser'
and 'trustclient' configuration directives. There is now a mode where squidclamav will scan nothing except the inclusions defined with the
directives 'scan', 'scancontent', 'blacklist', 'untrustuser' and 'untrustclient'. The scan mode is controlled by a new configuration
directive 'scan_mode'. Possible values are 'ScanAllExcept' (the default) and 'ScanNothingExcept'.
* Add libarchive support to be able to ban archives containing suspect files that are not detected by ClamAV. This feature is disabled
by default and can be enabled using 'enable_libarchive'. The banned archive can be stored so the user can recover it through the redirect CGI script
if the 'recoverpath' directive is set.
* An archive banned by libarchive can be recovered through the redirect CGI. See cgi-bin/clwarn.cgi and the redirect configuration directive.
recoverpath must be set to use this feature.
Backward compatibility with version 6 of squidclamav and existing configuration files is fully preserved, except for the obsolete 'squidguard' directive, which has been removed. Chaining a program through this directive is no longer supported; use the 'url_rewrite_program' squid.conf directive instead to call squidGuard or any other URL checker.
This release fixes a major bug with the debugs macro that can have bad side effects, like printing an error after a configuration reload and possibly some other wrong behaviors.
- Change log level of configuration reloading message.
- Show line in configuration file that can not be parsed
by add_pattern().
- Enclose debugs macro to avoid misusage. Thanks to Denis Volpato
Martins for the patch.
- Fix Apache complaint "AH01215: CGI::param called in list context
from package main line 14, this can lead to vulnerabilities."
Thanks to thctlo for the report.
SquidClamav is Free Software and is made fully available free of charge; you can use it as you want without having to pay anything. If you like the software, please consider supporting SquidClamav with a donation.
Copyright (c) 2005-2019 Gilles Darold - All rights reserved.
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.
Please report any bugs, patches, discussion, feature requests, etc. to <squidclamav AT darold DOT net> or use the tools on the git repository at https://github.com/darold/squidclamav. This helps a lot to develop a better, more useful tool.
Any contribution to build a better tool is welcome; you just have to send me your ideas, feature requests or patches, or use the tools on the git repository at https://github.com/darold/squidclamav, and they will be applied. You can also support the developer with a donation by clicking on the "Donate" button.
Thanks to Squid-cache.org and Clamav.net for their great software and to all the great contributors; they are all cited in the ChangeLog file.
Gilles Darold <gilles AT darold DOT net>
Total Physical Source Lines of Code (SLOC) = 6,597 Total Estimated Cost to Develop = $ 195,864 (Generated using David A. Wheeler's 'SLOCCount'.)
Official releases are published on the GitHub Release page of SquidClamav.
SquidClamav may have a binary package corresponding to your distribution.
The latest development code can always be found in the pgBadger's GitHub repository