The Antivirus (virus_scan) service
Web objects scanning model
Currently the virus_scan service offers the following options:
- c-icap can be configured to wait until all the data of the downloaded object has been received and then scan it. If a virus is found, a page informing the user is returned. Otherwise the downloaded object is sent as is to the user's web browser. You can define the maximum size of downloaded objects.
- c-icap can be configured to send only a small percentage of the incoming data it receives (e.g. 1% of the incoming data) to the user's client. When all the data has been received, it is scanned for viruses. If a virus is found, no more data is sent to the user's web browser (but attention! the virus may be contained in the data which c-icap has already sent to the user!). Otherwise the remaining data is sent to the client.
- c-icap can be configured to use a "viralator like" mode (look here for the real viralator). In this mode c-icap sends messages about the progress of the download to the user's web client. After the download has completed, it sends a message with the web location where the downloaded file is stored.
A combination of the previous modes can be used.
The "viralator like" mode has the disadvantage that a download which stops for some reason cannot be resumed. The real viralator does not have this problem because it uses the wget downloader. However, c-icap can recognize file types by looking at their contents, whereas viralator uses squid's redirector, which decides the file type from the file extension (maybe a redirector as a service in c-icap?).
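The following is a simplified model of the first two modes above, added here as an illustration and not taken from c-icap's code. It shows how much of an infected object has already reached the client when the scan verdict arrives; the names `relay`, `scan`, `MARKER` and the 1024-byte chunk size are assumptions made for the example.

```python
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in for malicious content

def scan(data: bytes) -> bool:
    """Hypothetical scanner: flags the object if the marker is present."""
    return MARKER in data

def relay(chunks, send_percent):
    """Return (infected, bytes delivered to the client).

    send_percent == 0 models "wait for the whole object, then scan".
    send_percent > 0 models releasing that share of the received data
    to the client while the rest is held back until the scan.
    """
    received = bytearray()
    delivered = 0
    for chunk in chunks:
        received += chunk
        # Release at most send_percent of what has arrived so far.
        delivered = max(delivered, len(received) * send_percent // 100)
    infected = scan(bytes(received))  # the scan runs only on the complete object
    if not infected:
        delivered = len(received)     # clean object: flush the remainder
    return infected, bytes(received[:delivered])

def make_object(size, marker_offset):
    """Constructed sample object: padding with the marker at marker_offset."""
    body = bytearray(b"A" * size)
    body[marker_offset:marker_offset + len(MARKER)] = MARKER
    return bytes(body)

def split(data, n=1024):
    """Cut the object into network-sized chunks (chunk size is an assumption)."""
    return [data[i:i + n] for i in range(0, len(data), n)]

def report(size, marker_offset, send_percent):
    infected, out = relay(split(make_object(size, marker_offset)), send_percent)
    return {"infected": infected, "delivered": len(out),
            "marker_reached_client": MARKER in out}

if __name__ == "__main__":
    # (percentage sent early, offset of the marker in a 10,000-byte object)
    for pct, off in [(0, 10), (1, 10), (1, 5000), (10, 500)]:
        print(f"send {pct}% early, marker at {off}:", report(10_000, off, pct))
```

In this model the full-buffering mode never delivers any byte of an infected object, while the percentage mode delivers the marker whenever it lies inside the already-released prefix.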
Antivirus engines
The virus_scan service can work with multiple antivirus engines, which are integrated into the virus_scan service as external modules. Currently the following antivirus engine modules are distributed with the c-icap-service package:
- clamav, which uses the libclamav library
- clamd, which uses the clamav clamd daemon for scanning downloaded objects