On Fri, Apr 17, 2009 at 07:13:35AM +0200, Frank Fiene wrote: > > Am 16.04.2009 um 17:52 schrieb Henrik K: > >> On Thu, Apr 16, 2009 at 03:57:35PM +0200, Frank Fiene wrote: >>> Hi i have a problem with integrating clamav with squivir2 into squid. >> >> Not that it helps with this specific question, but get yourself a real >> tool. >> Redirector based virus scanners are flawed by design. You want to look >> at >> proxy based scanners like HAVP (http://www.server-side.de/) or ICAP >> based >> like c-icap (http://c-icap.sourceforge.net/). They offer performance >> and >> security. >> > > > Is anyone using HAVP? I read only one sentence on the home page: > > Disadvantage: > If the scanning process is too slow and the file is larger than the > defined "hold back data" you can still receive a virus! If the file > contains a virus and the file is bigger than the "hold back data" the > download will be cancelled with no warning. If you try to download the > file again you will get the error message (this feature is not > implemented yet). > > My opinion: this is a no-go! So read a bit more and think about it. Obviously such received file without the "holded back data" will in 99.9% cases not work. Exe will not run, Zip will not unpack etc. The "virus" will be harmless. If you think about "cancelling without warning", which do you prefer? Scanner waiting to download large file, only scan it after it's fully received, while user is fiddling his thumbs and looking at 0% or some custom "download" page that breaks many applications? In the unlikely scenario that a large file even contains a virus, it makes no difference whether the user gets a "warning" or not (it can be found in HAVP logs if asked). HAVP allows user start receiving file almost immediately without waiting. And yes HAVP does have many happy users, it's even used in many firewall distributions. ;)
