14.12.15 11:57, Amos Jeffries writes:
> On 14/12/2015 10:39 a.m., Markus wrote:
>> Yuri Voinov wrote:
>>
>>> Think more. ALL ICAP solutions check content. Diladele is not the only solution which checks content.
>> [...]
>>
>>> You really think executable files can have only a known extension?
>>
>>
>> My way of thinking was like that:
>> instead of testing each .exe or .zip file with AV, better to block it out
>> (except for whitelisted domains), because testing with AV needs CPU/RAM.
>> But as we already established - executables can be downloaded as JPG
>> /TXT or whatever. If so - AV only makes sense if we test every kind of
>> extension/stream. Right?
>
> Correct.
>
>>
>> let's consider such a possible case:
>>
>> here we have putty.exe (without virus ;-), but saved as a txt file:
>>
>> http://6web.pl/~mserafin/putty.txt
>>
>> now we can just download it and change the extension to exe. My question is -
>> can ICAP-Clamav detect that it's a Windows executable and block it?
>> (even without testing against viruses)?
>
>
> You are making the mistake of thinking of
> "http://6web.pl/~mserafin/putty.txt" as a file. There is no concept of
> "file" in HTTP and thus also no "file extension".
> It might be one for this case, but while it is in HTTP it ceases acting
> like one.
>
> The reality is that "http://6web.pl/~mserafin/putty.txt" is just a
> resource locator;
> * It has no guaranteed relationship to the actual delivered content
> type, and
> * there may be a file involved - or not, and
> * any file which is involved may exist at that location on the server -
> or somewhere else (even another server), and
> * the response to that URL may be a singular object, a multi-part
> response with multiple objects, a 206 partial object or network
> generated 3xx-5xx objects.
>
>
>>
>> and here a more complicated case:
>>
>> http://6web.pl/~mserafin/putty_zip.txt (it's a regular ZIP file with
>> putty.exe inside)
>>
>>
>> Can ICAP-Clamav deal with it?
>
> Good question. For the two simplistic cases you describe the answer is
> probably yes - if we assume the responses are whole files.
>
> Clamav insists on saving objects to disk to scan them fully, or at least
> the initial bytes of the object. It is a little restricted in that way.
>
> Other AV might do better with the more complicated HTTP response cases,
> or they might not. I'm not familiar with how each works. I just know
> that clamav is designed as a file-based scanner. Other AV have

No. Clamav uses the INSTREAM API for scanning. ICAP-based squidclamav has utilized it for years.

> designed-in ICAP services, so may work better (but costly).
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
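Amos's point that the URL says nothing about the delivered bytes, and Yuri's note about clamd's INSTREAM API, as one added Python example that is not from this thread, from ClamAV or from squidclamav: it classifies a response body purely by its content (MZ/PE stub, ZIP, ZIP containing a PE) without consulting the URL, and builds the length-prefixed frame that clamd's INSTREAM command expects. `FAKE_PE`, `make_zip_with` and the function names are constructed for the example; the MZ/PE blob is a header stub, not a real program.

```python
import io
import struct
import zipfile

PE_SIGNATURE = b"PE\0\0"


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature. Works on the first few KB of a body."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def classify_body(data: bytes) -> str:
    """Classify a response body by its bytes only; the URL is never consulted."""
    if is_pe(data):
        return "pe"
    if data[:4] == b"PK\x03\x04":               # ZIP local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    # Read only a prefix of each entry: enough to spot a PE
                    # header without fully inflating a possible zip bomb.
                    with zf.open(name) as entry:
                        if is_pe(entry.read(4096)):
                            return "zip-with-pe"
        except zipfile.BadZipFile:
            return "other"
        return "zip"
    return "other"


def instream_frames(data: bytes, chunk_size: int = 4096) -> bytes:
    """Frame a body for clamd INSTREAM: 'zINSTREAM\\0', then repeated
    <4-byte network-order length><chunk>, terminated by a zero length."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk_size):
        piece = data[i:i + chunk_size]
        out.append(struct.pack("!I", len(piece)) + piece)
    out.append(struct.pack("!I", 0))
    return b"".join(out)


# Constructed sample: 0x40-byte DOS header with e_lfanew = 0x40, then "PE\0\0".
FAKE_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + PE_SIGNATURE + b"\0" * 16


def make_zip_with(name: str, content: bytes) -> bytes:
    """Constructed helper: a one-entry ZIP, standing in for putty_zip.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()
```

Feeding `instream_frames(body)` to clamd's socket yields the same verdict as scanning a saved file, with no temporary file involved; a `.txt` URL returning `FAKE_PE` is still classified as `pe`.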