Commercial filters are often expensive, especially when used on a large number of computers, as would be the case in a school computer lab or in small or medium companies with computer networks. In contrast, open source filters are generally freely available for download. In addition, since commercial filters are proprietary, in many cases the system administrator does not have the opportunity to modify or even view the lists of blocked sites.
With a typical server-based filtering and virus scan solution running on a proprietary operating system, you would have to pay hundreds or possibly thousands of dollars for the server's operating system, on top of per-seat user licensing fees for the server as well as the filtering software. With an open source solution you can be up and running with no software and upgrade costs whatsoever.
In the first part of the article we installed SquidGuard, which plugs into the caching proxy Squid as a redirector. We will now combine that setup with the virus scan engine ClamAV to get a complete content filtering and virus scanning proxy.
Step 1: Install ClamAV
We will use the rpm packages provided by SUSE and install ClamAV using YaST. Open a console and start the yast command:
Switch over to the software section and search for clamav. The version currently available is 0.90.2. The tool will automatically resolve the dependencies and install all related packages if necessary.
It is now time to download the latest virus definitions. Execute the following commands in your console:
touch /var/log/clamav/clamav-updater.log
chmod 600 /var/log/clamav/clamav-updater.log
chown vsan /var/log/clamav/clamav-updater.log
freshclam -d -c 2 -l /var/log/clamav/clamav-update

Please check the log file (/var/log/clamav/clamav-updater.log) for possible errors.
The following command will start ClamAV in daemon mode automatically after rebooting the server.
Start the daemon now with the following command:
I recommend scanning your hard disk using the latest virus definitions like this:
After checking all files you will get a virus scan report similar to this:

Step 2: Installing Viralator
Viralator is a Perl script that virus scans HTTP/FTP download requests on a UNIX server after they have passed through the Squid proxy server. Many Linux distributions, including RedHat, Mandriva, SUSE and Debian, are supported. The script works together with redirectors like Squirm, SquidGuard and Jesred. Supported virus scanners are:
- AntiVir
- AVP
- RAV
- Inoculate
- Sophos Sweep
- McAfee
- Trend
- ClamAV
- BitDefender
The original concept for Viralator came from the Viromat project. Without Viromat the Viralator project would not have had a starting point. The script is released under the GPL.
How does Viralator work? First, the script picks up the URL of the file the user wants to download, but instead of passing the file straight to the user it downloads it into its own directory on the server using Wget. The user can monitor the status of the download in a separate pop-up window. After downloading, the file is checked for viruses using one of the supported scanners. If a virus is found, the file is deleted immediately and the user gets a “virus found” message. If the file is clean, the script starts an automated download to the user’s hard disk.
What do we need to get it running? We will use the same Squid proxy server already described in the first part of the article. The redirector will be SquidGuard and the antivirus scanner will be ClamAV. We also need Apache to run the cgi script.
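The download-scan-release decision described above, as an added example written for this article (it is not Viralator's own Perl code). It assumes a scanner that reports infections the way clamdscan does, a line containing FOUND and exit status 1; the sh commands at the end are constructed stand-ins so the flow can be exercised without a running clamd, and the Wget download step is left out.

```python
import os
import subprocess
import tempfile
from typing import Sequence

# Defaults mirror the viralator.conf settings used later in this article
# (scanner clamdscan, alert token "FOUND").
SCANNER_CMD: Sequence[str] = ("clamdscan", "--verbose", "--stdout")
ALERT = "FOUND"


def scan_and_release(path: str, scanner_cmd: Sequence[str] = SCANNER_CMD,
                     alert: str = ALERT) -> str:
    """Scan the downloaded file at *path*; return 'clean', 'infected' or 'error'.

    An infected file is deleted immediately, as Viralator does.  A scanner that
    cannot run (binary missing, clamd down, timeout, unexpected exit code) yields
    'error' and the file is not released: fail closed instead of handing an
    unscanned download to the user.
    """
    try:
        proc = subprocess.run(list(scanner_cmd) + [path], capture_output=True,
                              text=True, timeout=300)
    except (OSError, subprocess.TimeoutExpired):
        return "error"
    output = proc.stdout + proc.stderr
    # clamdscan convention: exit 0 = clean, 1 = infected, 2 = error.
    if proc.returncode == 1 or alert in output:
        try:
            os.remove(path)          # drop the file before anyone can fetch it
        except OSError:
            pass
        return "infected"
    return "clean" if proc.returncode == 0 else "error"


def scan_sample(data: bytes, scanner_cmd: Sequence[str]) -> tuple:
    """Write constructed *data* to a temp file, scan it, report (verdict, file_kept)."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(data)
        path = fh.name
    verdict = scan_and_release(path, scanner_cmd)
    kept = os.path.exists(path)
    if kept:
        os.remove(path)
    return verdict, kept


# Constructed fake scanners standing in for clamdscan; "$1" is the file path
# that scan_and_release appends to the command.
FAKE_INFECTED = ("sh", "-c", 'echo "$1: Eicar-Test-Signature FOUND"; exit 1', "sh")
FAKE_CLEAN = ("sh", "-c", 'echo "$1: OK"; exit 0', "sh")
FAKE_BROKEN = ("sh", "-c", 'echo "ERROR: Can not connect to clamd" >&2; exit 2', "sh")
```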
Let’s start: download the Viralator script from the following website and store it in your Downloads directory: http://viralator.sourceforge.net/
If you are still running your Apache server as described in part 1 of the article, please shut it down like this:
Make sure the following subdirectories exist on your server, with the ownership and file permissions shown:
/srv/www/cgi-bin 755 wwwrun:www
/srv/www/htdocs/downloads 755 wwwrun:www
/etc/viralator
The following commands unpack the package and copy everything to the destination directories:
su
cd /home/user/Downloads
tar xzf viralator-0.9.7.tar.gz
cd viralator
cp viralator.cgi /srv/www/cgi-bin
chown wwwrun:www /srv/www/cgi-bin/viralator.cgi
chmod 755 /srv/www/cgi-bin/viralator.cgi
cp bar.png progress.png style.css /srv/www/htdocs
cd /home/user/Downloads/viralator/etc/viralator
cp -R * /etc/viralator
Viralator now comes with its own config file “viralator.conf”, which we copied to /etc/viralator. Please make sure to set the parameters correctly.
Here are my settings:
default_language -> english.txt
charset -> ISO-8859-1
lang -> en-US
virusscanner -> clamdscan
scannerpath -> /usr/bin
viruscmd -> --verbose --stdout
alert -> FOUND
scannersummary -> true
downloads -> /srv/www/htdocs/downloads
skip_downloads -> true
downloadsdir -> /downloads
popupfast -> false
popupback -> false
popupwidth -> 600
popupheight -> 400
filechmod -> 0644
dirmask -> 0022
secret -> Use your own passphrase
progress_unit -> bar.png
progress_indicator -> progress.png
css_file -> style.css
Step 3: Prepare Apache to run the Viralator script
Apache 2 works “out of the box”; there is no need to configure it. Just make sure the “AddHandler” directive is set correctly. You will find the settings in /etc/apache2/default-server.conf:
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

# "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/srv/www/cgi-bin">
    AllowOverride None
    Options +ExecCGI -Includes
    AddHandler cgi-script .cgi .pl
    Order allow,deny
    Allow from all
</Directory>
In addition, you should check that Apache runs as user “wwwrun”. You will find the necessary settings in /etc/apache2/uid.conf:
User wwwrun
Group www
Remark: If your browser tries to download the cgi script instead of executing it, you probably have a problem with the AddHandler directive in your Apache configuration. Check the permissions and ownership of the cgi file as well.
If everything looks fine, you can start Apache like this:
Step 4: Configuring SquidGuard
As already mentioned in the previous steps, we will use the SquidGuard configuration that we created in the first part of the article. We only have to change a few lines to combine the content check with the virus check.
First of all, you should create a subdirectory called vsan:
cd /var/lib/squidGuard/db
mkdir vsan
Create a file called “files” with the following content:
(\.exe$|\.com$|\.bat$|\.zip$)
As you can see, these are the file extensions for which the Viralator script will initiate a virus scan. You can add other extensions later. Set the permissions and ownership like those of the other directories in the db folder.
In the “Destinations” section we have to add the entry “dest files”; the path given in expressionlist is relative to dbhome and must match the directory you created above. The SquidGuard config file will then look like this:
# Squid Guard config file
#-------------------------
logdir /var/log/squidGuard
dbhome /var/lib/squidGuard/db

# DESTINATIONS
dest spy {
    domainlist spyware/domains
    urllist spyware/urls
    redirect http://192.168.1.1
    log /var/log/squidGuard/blocked.log
}

dest porn {
    domainlist porn/domains
    urllist porn/urls
    redirect http://192.168.1.1
    log /var/log/squidGuard/blocked.log
}

dest files {
    expressionlist vscan/files
    redirect http://192.168.1.1/cgi-bin/viralator.cgi?url=%u
    log /var/log/squidGuard/viruscheck.log
}

# ACCESS CONTROL LISTS
acl {
    default {
        pass !files !porn !spy !in-addr all
    }
}
As you can see, we are redirecting all “spy” and “porn” traffic to http://192.168.1.1 and all files with the extensions .exe, .com, .bat and .zip to http://192.168.1.1/cgi-bin/viralator.cgi.
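What SquidGuard does with the “dest files” rule, as an added illustration written for this article (it is not SquidGuard's code): a minimal Squid URL rewriter that applies the same expression and the same redirect. Two assumptions are marked in the comments: expression matching is treated as case-insensitive, and the URL substituted for %u is percent-encoded.

```python
import re
import sys
from urllib.parse import quote

# The expression from the "files" list above.  SquidGuard expression lists are
# assumed here to match case-insensitively.
FILES_EXPR = re.compile(r"(\.exe$|\.com$|\.bat$|\.zip$)", re.IGNORECASE)
# The redirect target of "dest files"; %u stands for the requested URL.
VIRALATOR = "http://192.168.1.1/cgi-bin/viralator.cgi?url=%u"


def rewrite(url: str) -> str:
    """Return the Viralator URL for a matching download, or '' to let Squid pass it."""
    if not FILES_EXPR.search(url):
        return ""
    # Percent-encode the original URL (an assumption, not SquidGuard's documented
    # behaviour): otherwise '&' or '#' inside it would be read by viralator.cgi
    # as further CGI parameters.
    return VIRALATOR.replace("%u", quote(url, safe=""))


def handle_line(line: str) -> str:
    """Handle one line of Squid's redirector protocol: 'URL client/fqdn ident method'."""
    fields = line.split()
    return rewrite(fields[0]) if fields else ""


if __name__ == "__main__":
    # Squid feeds one request per line on stdin and reads the answer line back;
    # an empty line means "leave the URL unchanged".
    for request in sys.stdin:
        print(handle_line(request), flush=True)
```

Because every alternative in the expression is anchored with $, a download whose URL carries a query string (setup.exe?dl=1) is not sent to the scanner; extend the list if such links matter in your environment.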
There is no need to change the Squid configuration file. Please use the same file described in the first part of the article.
Step 5: Running and troubleshooting the proxy
OK, it’s time to check whether our configuration works. Use your Linux or Windows client and configure the proxy settings according to the workshop setup (see here).
Proxy server: 192.168.1.1
Proxy port: 3128
Browsing, except for “porn” and “spy” sites, should work properly. Blocked pages should appear like this:
Downloading a file: the pop-up window informs the user about the status of the download.

Virus found! The file is deleted automatically.
In case of problems you should check the following log files using the “tail -f” command.
Apache: /var/log/apache2/access.log, /var/log/apache2/error_log
SquidGuard: /var/log/squidGuard/blocked.log, /var/log/squidGuard/viruscheck.log
Squid: /var/log/squid/cache.log, /var/log/squid/store.log
I recommend reading the following documents:
http://httpd.apache.org/docs/2.0/howto/cgi.html
http://viralator.sourceforge.net/
http://www.maynidea.com/squidguard/config.html
http://www.kernel-panic.it/openbsd/proxy/
http://www.aerospacesoftware.com/squidguard-howto.html
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html