Menu

#18 REQMOD clamd analyse always OK

v1.0_(example)
open
chtsanti
reqmod (1) clamd (1)
1
2022-03-09
2022-02-03
Anonymous
No

Hello,

I want to use clamav and c-icap on a red hat 8 server as icap antivirus for a bigip f5. Installation and configuration is done without problem, I use clamd module to call clamd from c-icap when an icap request is received.

Tests are done using a basic web server, F5 is configured to user icap server with same URI for reqmod and respmod request (default avscan service alias, also tried some custom service alias).

Testing to download (get http method) an eicar file is working. C-icap use method respmod and send the virus found page to the F5. We can see in log that c-icap save the file to analyse as tmp file, clamd scan this file and found eicar.

Testing to upload (POST http method) same eicar file is NOT working. Icap use method reqmod, I can see in log that c-icap receive a reqmod request, save the file to analyse as tmp file (same process as respmod) and call clamd to scan the file but clamd says that the file is OK. So no virus found message is send to the F5. Using wireshark I can see that the eicar content file is send to c-icap.
I cannot check the content of tmp file as it quickly deleted by c-icap.

Using c-icap-client I can see that method respmod and reqmod are implemented on my c-icap server.

How to configure c-icap / clamav for a good testing in both way (downlad and upload) ?

Thank you.

Discussion

  • chtsanti

    chtsanti - 2022-02-03

    Testing to upload (POST http method) same eicar file is NOT working

    The content types multipart/form-data and urlencode which in most cases are used in Post requests are not implemented i virus_scan service.

    In practice the REQMOD virus_scan is not implemented, The virus_scan service reports that the REQMOD supported because even if the POSTs requests can not be handled virus_scan REQMODs can be used for special applications.

     

    • Anonymous

      Anonymous - 2022-03-05
      Post awaiting moderation.

  • Anonymous

    Anonymous - 2022-03-05

    Hi chtsanti ,
    any plans to implement it?
    I am using c-icap/squidclamav/squid and have 0 content length in squidclamav_check_preview_handler.

     

    • chtsanti

      chtsanti - 2022-03-09

      If you are using squidclamav then you should ask squidclamav author. This is a separate project which uses the c-icap server. Its official site is the following:
      https://squidclamav.darold.net/

      The c-icap project has its own virus scan service, this is included in the c-icap-modules package. The c-icap-modules virus_scan service can not process POSTs requests at this time.
      It is a TODO however it is not a top priority at this time.

      If you are interested to sponsor this new feature you can contact me privately.

      Regards,
      Christos

       

Anonymous
Anonymous

Add attachments
Cancel





MongoDB Logo MongoDB