There are 3 child processes spawned by the parent c-icap process. But the memory usage only increases for the parent process and eventually hits the limit set by the container along with the scan workload. c-icap version: 0.5.13 c-icap-module version: 0.5.4
c_icap crashes.
Hi chtsanti. I confirmed the issue is fixed on 0.6.2. Now I'm going to close this ticket. Thank you. syakesaba
The new c-icap-0.6.2 release should solve this issue.
The c-icap-modules-0.5.7 is released
The c-icap-0.6.2 is released
The c-icap-0.5.12 is released
c-icap=0.6.1 need a link to libmath "-lm"
The c-icap-modules-0.5.6 is released
The c-icap-0.5.11 is released
Hi, I sent the EICAR test "virus" to be scanned, but the result wasn't either "infected"/"clean", but rather a parsing failure. Is there a minimum for c-icap in order to parse the file? When I created a zip of this EICAR txt file plus some other, clean PDF, the scan worked and the virus was detected. When I sent just the clean PDF, no error. Any ideas why I get this error? Thanks, Child 2710347 STOPS getting requests now ... Child 2710347 waiting for a thread to accept more connections ... Get entity...
Hi everybody, I have a problem with c-icap and squid because I would like to change or to add a header. And it doesn't work! Please help me! I have this configuration between squid and c-icap. in squid.conf : icap_enable on adaptation_send_username on adaptation_send_client_ip on icap_service service_echo respmod_precache bypass=0 icap://10.0.0.1:1344/echo icap_service service_url_check reqmod_precache bypass=1 icap://10.0.0.1:1344/url_check adaptation_access service_url_check allow all adaptation_access...
Hello, I'm using McAfee Endpoint Security Storage Protection
Hi, Could you tell me which product from McAfee/Trellix you are using? Thomas,
Attaching the communication.
c-icap-client not working with other icap servers
I have it installed but when I run it as a service I get the following: c-icap.service - C implementation of ICAP protocol Loaded: loaded (/usr/lib/systemd/system/c-icap.service; enabled; vendor preset: disabled) Active: inactive (dead) since Mon 2022-08-01 19:42:31 GMT; 3s ago Process: 1533662 ExecStart=/usr/bin/c-icap -f /etc/c-icap/c-icap.conf (code=exited, status=0/SUCCESS) Main PID: 1533662 (code=exited, status=0/SUCCESS) When I try to scan something I get: c-icap-client -i localhost...
Body adaption for FTP upload
c_icap server doesn't work with ipv4 address (FreeBSD13.0, c-icap 0.5.10)
EICAR.COM Exe not getting detected as Virus during C-ICAP Virus Scan
If you are using squidclamav then you should ask squidclamav author. This is a separate project which uses the c-icap server. Its official site is the following: https://squidclamav.darold.net/ The c-icap project has its own virus scan service, this is included in the c-icap-modules package. The c-icap-modules virus_scan service can not process POSTs requests at this time. It is a TODO however it is not a top priority at this time. If you are interested to sponsor this new feature you can contact...
Hi chtsanti, any plans to implement it? I am using c-icap/squidclamav/squid and have 0 content length in squidclamav_check_preview_handler.
Try to define an alias of virus_scan service. Just add the following in your virus_scan service configuration file: ServiceAlias SYMCScanResp-AV virus_scan I am not sure if this will work however, it depends on the ICAP client you are trying to use.
If you use squidclamav then you need a service alias like the following: ServiceAlias SYMCScanResp-AV squidclamav For more squidclamav options you need help from squidclamav project.
Our requirement is to scan files for virus that we are uploading from our application, In our application we have option to configure antivirus server.
I am using c-icap with squidclamav, a client which scans files for viruses during uploading from our file manager.
Maybe I am able to help if you report the type of ICAP client you are using. Is this an HTTP proxy? A client which just scans files for viruses? Something else?
Try to define an alias of virus_scan service. Just add the following in your virus_scan service configuration file: ServiceAlias srv_clamav_req SYMCScanResp-AV I am not sure if this will work however, it depends on the ICAP client you are trying to use.
Hi, Instead of SYMCScan can we use any other Antivirus. Can you let me know where to change it.
Hi @chtsanti Thank you for the reply. Can you let me know. How to include SYMCScanResp-AV in c-icap server and rectify the issue.
From the logs I am seeing that you are trying to access the ICAP service SYMCScanResp-AV which does not exist in your c-icap server.
Error SYMCScanResp-AV 404
Testing to upload (POST http method) same eicar file is NOT working The content types multipart/form-data and urlencode, which in most cases are used in POST requests, are not implemented in the virus_scan service. In practice the REQMOD virus_scan is not implemented. The virus_scan service reports that REQMOD is supported because, even if the POST requests can not be handled, virus_scan REQMODs can be used for special applications.
REQMOD clamd analyse always OK
Any Update or Any Suggestion or Any Workaround?
Attached is the Client Output Screenshot that I am seeing with both working and non working Ciphers
Any Update Please? I am stuck with C-ICAP with TLS, Any Workaround?
C-ICAP Fails to communicate using TLS Ciphers ECDHE-RSA-AES128-GCM-SHA256 and ECDHE-RSA-AES256-GCM-SHA384
The c-icap-0.5.10 is released
The c-icap-0.5.9 is released
Hi @jcalcote, I'm trying to setup an ICAP server for scanning files, so what are the pre-requisites required so that I'll be able to scan files? Will following the steps mentioned here work fine(i.e is downloading & installing the tar.gz enough)? Thanks!
clamd_mod unix domain socket do not work
The c-icap-modules-0.5.5 is released
The c-icap-0.5.8 is released
Why does c-icap insist on being installed in /usr/local/c-icap? This creates the entire /usr directory structure (bin, lib, etc, share, man, etc) in /usr/local/c-icap, rather than installing the components into the already-existing /usr directory structure found in /usr/local. The default prefix for autoconf-generated configure scripts is /usr/local. Just don't specify a prefix and c-icap products will end up in the right place (for /usr/local).
C-icap modules install problem
c_icap compatibility windows
I am getting an error while installing c_icap on windows 10 using cygwin C:/Program Files/GnuWin/make-3.81-bin/bin/make all-recursive make[1]: Entering directory C:/users/x/downloads/c_icap-0.5.6' Making all in . /usr/bin/sh: line 20: C:/Program: No such file or directory make[1]: *** [all-recursive] Error 1 make[1]: Leaving directoryC:/users/wijungle/downloads/c_icap-0.5.6' make: *** [all] Error 2
I am getting an error while installing c_icap on windows 10 using cygwin C:/Program Files/GnuWin/make-3.81-bin/bin/make all-recursive make[1]: Entering directory C:/users/wijungle/downloads/c_icap-0.5.6' Making all in . /usr/bin/sh: line 20: C:/Program: No such file or directory make[1]: *** [all-recursive] Error 1 make[1]: Leaving directoryC:/users/wijungle/downloads/c_icap-0.5.6' make: *** [all] Error 2
Fixed with commit 5e3d9600
Issue: ISTags are not quoted
The c-icap-0.5.7 is released
It is very difficult to understand what is going on here without the full ICAP conversation. For example a tcpdump of a request. Again, you can use my private mail if you do not want to send such info to this public bug report. Sorry but it is not possible to fix this issue without enough info.
The client sends a preview in its request even if your c-icap did not advertise it in its OPTIONS response.
Hi Chtsanti, please find the attached, it always occurs when I use the json in the attached.
By the way, I tried to disable the preview, but it does not seem to actually disable, even with the config I am still seeing the logs that it is previewing the data. The logs always show 1024 preview Fri Feb 7 11:27:22 2020, 21633/2627720960, Going to check request for access control restrictions Fri Feb 7 11:27:22 2020, 21633/2627720960, Access control: ALLOW Fri Feb 7 11:27:22 2020, 21633/2627720960, Request type: 4. Preview size:1024 Fri Feb 7 11:27:22 2020, 21633/2627720960, pool hits: 3 allocations:...
Disabling json response scanning only
The ICAP url used by Nika AA does not include any service name. It uses the ICAP URL icap://10.4.2.2:1344/ The c-icap does not know which service to use. Try to configure c-icap to use a default service using the DefaultService cfg parameter. For example add the following line to your c-icap.conf file: DefaultService echo
Nokia AA ICAP Server Health Check
Hi Chtsanti, Yes, I tried disabling the preview, but I still get the same error.
In the server.log file you posted I am seeing the following line: Thu Dec 12 14:33:20 2019, 20787/955094784, Error reading data (read return=-1, errno=0) There is a "read return=-1" which means read error, not a "return=1" which means I read one byte. Because of errno=0 this probably means that the remote end closed the connection. Did you try to disable preview?
Hi Chtsanti, I am not sure.. the logs show "Error reading data (read return=1, errno=0)" "Error reading data (read return=1, errno=0)" 'An Error occured. Parse error or the client closed the connection (res:-1, preview status:1)' I do not think this is due to the proxy closing the connection. I trust you however the information I have gotten seems to be some things is not able to be processed in c-icap... Is your development environment able to curl to the url while passing through c-icap?
The server.log shows that the other end (proxy server) closed the connection. So looks that there is something which does not like to the proxy. You may try to disable ICAP-preview if you think that this is the problem. Just add the following parameter to your c-icap.conf file, where you are declaring virus_scan service parameters: virus_scan.PreviewSize -
Hi Chtsanti, just thinking aloud, could it be because of the preview length, c-icap breaks the content body bit by bit, however it just happened to hit some special character when appending the next batch to process then it caused an error that makes it unable to process. - Tom
This is not a c-icap bug. The c-icap produces a valid HTTP/1.0 message. However there is not any reason for c-icap to send back HTTP/1.0 messages. The only change which is required is to compute and add the Content-Length header with the HTTP message.
HTTP/1.0 messages generated by virus-scan
Hi Chtsanti, unfortunately I am not able to show the tcpdump information as my company policies forbid it. I have however been able to share the server.logs, I have managed to identify the portion that is by the affected request, seems like there is some error encountered. I have also shared the screenshot of where the message has been dropped (please find the attached). I am trying to curl to https://quay.io/api/v1/plans/ -L if you require the destination.
1) After I enable the debug level to 7, the content body is already 0. 2) Enabled, but apart from the logs showing the content body 0, there is not much information If you set c-icap debug level to 7 there should be enough lines in the c-icap server.log file. Not only a record which shows the content-body as 0. I need the c-icap server.log to see if there is something strange. 3) I have identified that the content have been dropped halfway to the c-icap server, then the connection closes. Is close initiated...
Hi Chtsanti, Yes, I am able to reproduce. This is consistent for some specific URLs only. I have identified where the issue broke with your suggestion. It seems that when the package was transferred to c-icap from my proxy, it was unable to finish sending. Could this be due to some encoding/decoding from c-icap? In replies to your above points 1) After I enable the debug level to 7, the content body is already 0. 2) Enabled, but apart from the logs showing the content body 0, there is not much information...
Yes the c-icap did not receive all of the body data and it sends only 25 bytes. Can you reproduce this issue? If yes then I would start from the following: 1) Are there any messages in c-icap server.log file? 2) Enable c-icap debug. A debug level of 6 or 7 should include very useful info. 3) wireshark dump of the proxy-to-server connection, to check which end initiated connection closure. 4) which is the proxy you are using? What do the proxy logs say about it? Is it possible to enable some debug...
I'm sorry to take so long to get back to you on this. Good point on the use of the ci_socket methods. Also, I think you are right that an EINPROGRESS response from the connect call is not handled properly. I will create a local bug report to track this. Have you made a corrected version of this fix in the code base? I'm not sure when I will get around to fixing this myself. -- Steve Koehler
Hi Chtsanti, Thank you for the reply. Below shows how the proxy configuration is routed. Client request -> proxy request -> server response -> proxy response -> (It seems that c-icap already has not received the correct data, which is supposed to be about 6300 bytes) c-icap. I did with some other URL and it seems to receive the content-body which larger size and everything works just fine. It is only targeted at some URLs. I am relatively inexperienced with ICAP protocol, would just need some light on where...
I can not understand if there is really a problem here or not. Most likely c-icap received about 3072 of body data and sent about 25 bytes back to proxy/client but then the proxy-to-c-icap connection is closed. There are many reasons why this connection is closed. Maybe the proxy-to-remote-server connection is closed for a reason and this forces the proxy to close the proxy-to-c-icap connection too.
C-ICAP drop body content
Nope. But in the c-icap new release announcement there is a short list with the major changes: https://sourceforge.net/p/c-icap/news/2019/11/-the-c-icap-056-and-c-icap-modules-054-are-released/
is there a changelog somewhere? I need one for any official packaging for openSUSE...
There is a clamav_mod variable conflict with one declared inside libclamav. This should be fixed in the latest c_icap_modules-0.5.4 release.
The c-icap-0.5.6 and c-icap-modules-0.5.4 are released
ClamAV 0.102 changed api AGAIN 0.o
Have you made a corrected version of this fix in the code base? Nope. But compiling c-icap with openSSL-1.1.1 fixes this issue.
What regular expression to use to block any domain accessed? What regular expression to block extensions? --
In the master branch all the calls to sprintf, strcpy, strcat, ctime_r and asctime_r are replaced with the safer similar alternatives. You can check commits ee45def5, 7d36aa81, 5d2835ca and 8e87a694. These commits probably will not appear in a c-icap-0.5.x release but will be included in the c-icap-0.6.x releases. During the checks for possible bugs at least three cases were found where it is possible to cause buffer overflows. These are fixed with the c-icap master commits 673b61bb, b5ac639c and 211458fb....