Hi,

This might be a bug/"feature" of the c-icap + squid 3.0 combination, but I'm not sure that it might not be some kind of misconfiguration on my behalf, so I figured I'd try this list and see if somebody else has run into this.

To sum it up: When using the c-icap clamav service with squid and you are downloading a file larger than the srv_clamav.StartSendPercentDataAfter threshold set in c-icap.conf, and the virus signature is found after c-icap has started to "trickle" out data, the entire file including the virus signature is let through.

Testing this I used c-icap version 20080706rc3-1 from the Debian amd64 Squeeze archive, and squid 3.0.STABLE19-1 from the same archive. The file I'm testing with is basically a 3MB file with the eicar.com virus signature appended to it. clamscan finds it infected.

When setting the srv_clamav.StartSendPercentDataAfter option to 3M or more I get a 403 from squid and the c-icap logs say:

<date>, general, VIRUS DETECTED: Eicar-Test-Signature.

When setting the srv_clamav.StartSendPercentDataAfter option to 2M the file starts downloading and I receive the entire file, including the last bytes containing the eicar.com signature. The c-icap logs say:

<date>, general, VIRUS DETECTED: Eicar-Test-Signature.
<date>, general, Simply no other data sent

Thus, it seems that c-icap finds the virus, but still sends the entire file on to squid, instead of aborting somehow.

I've run several tests with debug level 3 in c-icap and the squid cache erased between tests. All with the same result and no further info available in the logs.

Please feel free to ask if you want more info, my config files, etc.

Thanks in advance,
Fredrik Ax <frax@xxxxxxxx>
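
The test described in the message above can be scripted as follows. This is an added example, not part of the original post: the zero padding, the function names and the result labels are assumptions, and the proxy and server names in the comment are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: build a test file like the one in the post and classify
# what a client received through the proxy.

# Standard EICAR test string (68 bytes), split in two so this script is not
# itself flagged by a scanner.
EICAR_A='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD'
EICAR_B='-ANTIVIRUS-TEST-FILE!$H+H*'

# make_testfile PATH [PAD_BYTES]
# Writes PAD_BYTES of zero padding (assumed filler; default 3 MiB, matching
# the file size in the post) followed by the EICAR string.
make_testfile() {
    pad=${2:-3145728}
    head -c "$pad" /dev/zero > "$1"
    printf '%s%s' "$EICAR_A" "$EICAR_B" >> "$1"
}

# tail_has_eicar PATH: exit 0 if the last 68 bytes are the EICAR string.
tail_has_eicar() {
    [ "$(tail -c 68 "$1" | tr -d '\000')" = "${EICAR_A}${EICAR_B}" ]
}

# check_download PATH EXPECTED_SIZE: report what reached the client.
check_download() {
    size=$(wc -c < "$1" | tr -d ' ')
    if [ "$size" -eq "$2" ] && tail_has_eicar "$1"; then
        echo "PASSED_THROUGH"        # full file, signature included
    elif [ "$size" -lt "$2" ]; then
        echo "BLOCKED_OR_TRUNCATED"  # error page or aborted transfer
    else
        echo "ALTERED"               # full length but signature absent
    fi
}

# Typical use (hypothetical host names):
#   make_testfile eicar3m.bin        # publish on a test web server
#   curl -s -x http://proxy.example:3128 -o got.bin \
#        http://testserver.example/eicar3m.bin
#   check_download got.bin 3145796
```

Running the check once with the threshold above the file size and once below it reproduces the two cases in the message: a blocked response in the first, and PASSED_THROUGH in the second if the behaviour is present.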