ModulesConfiguration

chtsanti

The '''virus_scan''' service

How it works

The ''virus_scan'' service currently supports the following working modes:

  • c-icap can be configured to wait until all the data of the downloaded object has been received, then scan it and, if a virus is found, return a page that informs the user. This mode has the disadvantage that the connection from the HTTP client to the proxy may expire while waiting for incoming data.
  • c-icap can be configured to send only a small percentage of the incoming data it receives (e.g. 1% of the incoming data) to the user's client. When all the data has been received, it is scanned for viruses. If a virus is found, no more data is sent to the user's web browser (but attention! the virus may be contained in the data c-icap has already sent to the user!). In other ICAP servers this feature is known as '''data trickling'''.
  • c-icap can be configured to use a "viralator like" mode (see the real viralator). In this mode c-icap sends messages about the progress of the download to the user's web client. After the download has completed, it sends a message with the web location where the downloaded file is stored. This mode has the disadvantage that a download which stops for any reason cannot be resumed.

These modes can be combined.

Short instructions

  • Edit the following line in your c-icap.conf file:

    Include virus_scan.conf
    
  • Edit the virus_scan.conf file installed under your c-icap etc directory to adjust the configuration to your needs. At the end of the virus_scan.conf file, uncomment one of the following lines, depending on the virus engine you want to use:

    #Include clamd_mod.conf
    #Include clamav_mod.conf
    
  • Edit the clamd_mod.conf or the clamav_mod.conf file to adjust it to your needs.

Configuration notes

The configuration parameters that select the various scanning modes are:

  • virus_scan.ScanFileTypes, defines the file types which will be scanned for viruses.
  • virus_scan.SendPercentData, configures the percentage of data to be sent to the user client.
  • virus_scan.StartSendPercentDataAfter, start sending data to the user client after the ICAP server has received this amount of data.
  • virus_scan.MaxObjectSize, larger objects will not be scanned.
  • virus_scan.VirScanFileTypes, defines the file types which will be scanned using the "viralator mode".

Assume you want to configure the virus_scan service according to the following rules:

  1. Scan files which have a maximum size of 15 Megabytes, else ignore them.
  2. If an object is smaller than 2 Mbytes, c-icap should wait to receive the whole object, scan it for viruses and, if a virus is found, send an error page to the user.
  3. If an object is larger than 2 Mbytes, start sending to the user client 1% of the data the c-icap server receives. If a virus is found, only 1% of the object will have been sent to the user client.
  4. Scan only HTML files (which are of type TEXT), binary data, executables, archives (tar, zip, etc.), and Microsoft Office files.

You should use the following configuration parameters:

    virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE MSOFFICE
    virus_scan.SendPercentData 1
    virus_scan.StartSendPercentDataAfter 2M 
    virus_scan.MaxObjectSize  15M
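
The mode selection these parameters describe, as an added example (not c-icap's own code): it parses the sample configuration above and reports, for an object of a given type and size, which mode applies and how many bytes can reach the client before the scan verdict. Assumptions: 1024-based size suffixes, the behaviour at exactly 2M and 15M, and the hypothetical type name `UNLISTED`.

```python
import re

# Constructed sample: the configuration from the worked example above.
SAMPLE_CONF = """\
virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE MSOFFICE
virus_scan.SendPercentData 1
virus_scan.StartSendPercentDataAfter 2M
virus_scan.MaxObjectSize  15M
"""
UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # assumed 1024-based

def parse_size(text):
    """Convert '2M', '15M' or '4096' to a byte count."""
    m = re.fullmatch(r"(\d+)([KMG]?)", text.strip().upper())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def load_conf(text):
    """Collect virus_scan.* directives, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0].startswith("virus_scan."):
            conf[words[0][len("virus_scan."):]] = words[1:]
    return conf

def handling(conf, file_type, size):
    """Return (mode, bytes that can reach the client before the scan verdict)."""
    # VirScanFileTypes ("viralator mode") is not set in the sample and not modelled.
    if file_type not in conf.get("ScanFileTypes", []):
        return ("not scanned: type not listed", size)
    if size > parse_size(conf["MaxObjectSize"][0]):
        return ("not scanned: over MaxObjectSize", size)
    percent = int(conf.get("SendPercentData", ["0"])[0])
    start = parse_size(conf.get("StartSendPercentDataAfter", ["0"])[0])
    if percent == 0 or size <= start:  # assumption: exactly 2M is still held
        return ("held until scanned", 0)
    # Per the page: that percentage of the object has been sent at verdict time.
    return ("data trickling", size * percent // 100)

if __name__ == "__main__":
    conf, MB = load_conf(SAMPLE_CONF), 1024 ** 2
    # Constructed inputs; UNLISTED stands for any type absent from ScanFileTypes.
    for ftype, size in [("TEXT", 1 * MB), ("EXECUTABLE", 10 * MB),
                        ("ARCHIVE", 20 * MB), ("UNLISTED", 1 * MB)]:
        print(ftype, size, *handling(conf, ftype, size))
```

The two "not scanned" outcomes are the cases to review when setting MaxObjectSize and ScanFileTypes, since those objects pass through without a verdict.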
    

For more information about the virus_scan service configuration parameters, visit the service configuration reference.

Selecting virus scan engine to use

The virus scan engines are loaded as external modules to c-icap. Currently the clamd_mod engine, which uses the clamd daemon to scan data, and the clamav_mod engine, which uses libclamav, are supported. Other engines (commercial or open source) can be easily supported.

To load the clamd_mod engine and configure it to use the /var/run/clamav/clamd.ctl socket, use:

    Module common clamd_mod.so
    clamd_mod.ClamdSocket /var/run/clamav/clamd.ctl

If more than one engine is loaded into your c-icap server, you can use '''virus_scan.DefaultEngine''' to select the engine to use:

    virus_scan.DefaultEngine clamd

Using profiles for virus_scan service

It is possible to use different configuration settings for different ICAP requests. This can be done using the virus_scan profiles feature. To enable and use profiles for the virus_scan service, follow the instructions in the virus_scan profiles page.

WARNING! Using profiles in the virus_scan service may open a serious security hole in your HTTP cache systems. A wrong configuration can allow viruses to be stored in your web cache. Do not enable/use profiles in the virus_scan service unless you are sure what you are doing. Please refer to the "Problems/Bugs" paragraph.

The srv_url_check filtering service

This is a URL blacklist/whitelist ICAP service, used to control web access for users or groups, based on URL lists stored in lookup tables or in SquidGuard databases.

Short instructions

  • Read the 'Using srv_url_check profiles' wiki page for an example configuration.
  • Edit the following line in your c-icap.conf file:

    Include srv_url_check.conf
    
  • Edit the srv_url_check.conf file installed under your c-icap etc directory to adjust configuration to your needs.

Configuration notes

Important configuration parameters are:

  • ''url_check.LookupTableDB'' Defines a URL list based on c-icap lookup table
  • ''url_check.LoadSquidGuardDB'' Defines a URL list based on SquidGuard database
  • ''url_check.Profile'' Configure URL lists for a profile.
  • ''url_check.ProfileAccess'' Use ACLs to assign a profile to a group

The 'Using srv_url_check profiles' wiki page describes an example configuration.


Related

Wiki: UrlCheckProfiles
Wiki: configcicap
Wiki: virus_scan_profiles
