On 14/12/2015 10:39 a.m., Markus wrote:
> Yuri Voinov wrote:
>
>> Think more. ALL ICAP solutions check content. Diladele is not the only
>> solution which checks content.
> [...]
>
>> You really think executable files can have only known extensions?
>
>
> My way of thinking was like that:
> instead of testing with AV each .exe or .zip file, better block it out
> (except for whitelisted domains), because testing with AV needs CPU/RAM.
> But as we already established - executables can be downloaded as JPG/TXT
> or whatever. If so - AV only makes sense if we test every kind of
> extension/stream. Right?

Correct.

>
> Let's consider such a possible case:
>
> here we have putty.exe (without virus ;-) ), but saved as a txt file:
>
> http://6web.pl/~mserafin/putty.txt
>
> now we can just download it and change the extension to exe. My question is -
> can ICAP-Clamav detect that it's a Windows executable and block it?
> (even without testing against viruses)?

You are making the mistake of thinking of "http://6web.pl/~mserafin/putty.txt"
as a file. There is no concept of "file" in HTTP and thus also no "file
extension". It might be one for this case, but while it is in HTTP it ceases
acting like one.

The reality is that "http://6web.pl/~mserafin/putty.txt" is just a resource
locator;

* It has no guaranteed relationship to the actual delivered content type, and
* there may be a file involved - or not, and
* any file which is involved may exist at that location on the server - or
  somewhere else (even another server), and
* the response to that URL may be a singular object, a multi-part response
  with multiple objects, a 206 partial object, or network-generated 3xx-5xx
  objects.

>
> and here is a more complicated case:
>
> http://6web.pl/~mserafin/putty_zip.txt (it's a regular ZIP file with
> putty.exe inside)
>
>
> Can ICAP-Clamav deal with it?

Good question. For the two simplistic cases you describe the answer is
probably yes - if we assume the responses are whole files.
Clamav insists on saving objects to disk to scan them fully, or at least the
initial bytes of the object. It is a little restricted in that way.

Other AV might do better with the more complicated HTTP response cases, or
they might not. I'm not familiar with how each works. I just know that
clamav is designed as a file-based scanner. Other AV have designed-in ICAP
services, so may work better (but costly).

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users