On 30/06/2012 7:20 p.m., Felix Leimbach wrote:
Hello list I'm running squid 3.1.19 with squidclamav 6.6 and while debugging a different issue, I looked at tcpdumps of the ICAP traffic for squidclamav. I noticed that not only the webpages are sent to squidclamav for scanning, the *requests* are sent and scanned as well. This looks like unnecessary processing overhead to me and I've disabled this by removing these lines (from squidclamav's install [1] page): icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav adaptation_access service_req allow all what's left is the response scanning: icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav adaptation_access service_resp allow all Viruses in webpages are still being caught just fine. Should the install page be updated or is there a disadvantage to this approach? [1] http://squidclamav.darold.net/installv6.html
1) squidclamav is not part of the Squid project. So it is highly unlikely that people here are in a position to edit that programs documentation.
2) the HTTP world is not limited to downloads. Uploaded files, CONNECT tunnels, media streams and other types of client sent things also need AV scanning to protect servers against infected clients.
It is of course up to you which you enable/disable. But being AV documentation I would expect they prefer to document the safest known configurations as standard and let particular admin make the choice to open holes.
Amos
