Re: c-icap + squid 3.0, StartSendPercentDataAfter lets viruses through

Fredrik Ax wrote:
Hi,

This might be a bug/"feature" of the c-icap + squid 3.0 combination,
but I'm not sure that it might not be some kind of misconfiguration
on my behalf, so I therefore figured I'd try this list and see if
somebody else has run into this.

To sum it up: When using the c-icap clamav service with squid and you
are downloading a file larger than the
srv_clamav.StartSendPercentDataAfter threshold set in c-icap.conf, and the
virus signature is found after c-icap has started to "trickle" out data, the
entire file including the virus signature is let through.

Testing this I used c-icap version 20080706rc3-1 from the Debian amd64 Squeeze archive, and
squid 3.0.STABLE19-1 from the same archive.

The file I'm testing with is basically a 3MB file with the eicar.com virus
signature appended to it. clamscan finds it infected.

When setting the srv_clamav.StartSendPercentDataAfter option to 3M or more
I get a 403 from squid and the c-icap logs say:
<date>, general, VIRUS DETECTED: Eicar-Test-Signature.

When setting the srv_clamav.StartSendPercentDataAfter option to 2M the
file starts downloading and I receive the entire file, including the
last bytes containing the eicar.com signature.
The c-icap logs say:
<date>, general, VIRUS DETECTED: Eicar-Test-Signature.
<date>, general, Simply no other data sent

Thus, it seems that c-icap finds the virus, but still sends the entire
file on to squid, instead of aborting somehow.

I've run several tests with debug level 3 in c-icap and the squid
cache erased between tests.  All with the same result and no further
info available in the logs.

Please feel free to ask if you want more info, my config files, etc.

Thanks in advance,
Fredrik Ax <frax@xxxxxxxx>


Well yes. You have configured c-icap to send a file through. It's going to get through. Any content alteration is up to the ICAP server. Squid passes on what it receives back.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
  Current Beta Squid 3.1.0.16
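
A check for the test described in this thread, as an added example that is not part of the original posts: it scans what the client actually received for the EICAR string, including across chunk boundaries, and classifies the outcome. The function names and verdict labels are hypothetical, and the sample bodies are constructed.

```python
"""Offline check: did the test signature reach the client behind the proxy?"""

# Standard EICAR test string (harmless, 68 bytes); split in two so this
# source file is not itself flagged by a scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_file(padding_len):
    """Padding followed by the signature, like the ~3MB file in the post."""
    return b"A" * padding_len + EICAR


def signature_in_stream(chunks):
    """True if EICAR occurs anywhere in the chunked body, even when it
    straddles a chunk boundary (the last len-1 bytes are kept as overlap)."""
    tail = b""
    for chunk in chunks:
        window = tail + chunk
        if EICAR in window:
            return True
        tail = window[-(len(EICAR) - 1):]
    return False


def classify(status, chunks, expected_len):
    """Hypothetical verdict labels for what the client received."""
    chunks = list(chunks)
    received = sum(len(c) for c in chunks)
    if signature_in_stream(chunks):
        return "leaked"      # signature delivered: the 2M case in the post
    if status == 403:
        return "blocked"     # proxy error page: the 3M case in the post
    if received < expected_len:
        return "truncated"   # only a trickled prefix arrived
    return "altered"         # full length, signature no longer present


if __name__ == "__main__":
    original = build_test_file(4096)   # constructed, small stand-in for 3MB
    # Constructed response bodies; the first splits the signature in two.
    split = [original[:4100], original[4100:]]
    print(classify(200, split, len(original)))
    print(classify(403, [b"<html>Access denied</html>"], len(original)))
    print(classify(200, [original[:2048]], len(original)))
```

Feed it the status code and body chunks captured on the client side of the proxy for each StartSendPercentDataAfter setting under test.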
