Re: [squid-users] c-icap + squid 3.0, StartSendPercentDataAfter lets viruses through

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 05 Feb 2010 11:26:48 +1300

Fredrik Ax wrote:
> Hi,
>
> This might be a bug/"feature" of the c-icap + squid 3.0 combination,
> but I'm not sure that it might not be some kind of misconfiguration
> on my behalf, so I therefore figured I'd try this list and see if
> somebody else has run into this.
>
> To sum it up: When using the c-icap clamav service with squid and you
> are downloading a file larger than the srv_clamav.StartSendPercentDataAfter
> threshold set in c-icap.conf, and the virus signature
> is found after c-icap has started to "trickle" out data, the entire
> file including the virus signature is let through.
>
> Testing this I used
> c-icap version 20080706rc3-1 from the Debian amd64 Squeeze archive, and
> squid 3.0.STABLE19-1 from the same archive.
>
> The file I'm testing with is basically a 3MB file with the eicar.com virus
> signature appended to it. clamscan finds it infected.
>
> When setting the srv_clamav.StartSendPercentDataAfter option to 3M or more
> I get a 403 from squid and the c-icap log says:
> <date>, general, VIRUS DETECTED: Eicar-Test-Signature.
>
> When setting the srv_clamav.StartSendPercentDataAfter option to 2M the
> file starts downloading and I receive the entire file, including the
> last bytes containing the eicar.com signature.
> The c-icap log says:
> <date>, general, VIRUS DETECTED: Eicar-Test-Signature.
> <date>, general, Simply no other data sent
>
> Thus, it seems that c-icap finds the virus, but still sends the entire
> file on to squid, instead of aborting somehow.
>
> I've run several tests with debug level 3 in c-icap and the squid
> cache erased between tests. All with the same result and no further
> info available in the logs.
>
> Please feel free to ask if you want more info, my config files, etc.
>
> Thanks in advance,
> Fredrik Ax <frax_at_axnet.nu>
>

Well yes. You have configured c-icap to send a file through. It's going
to get through.
Any content alteration is up to the ICAP server. Squid passes on what it
receives back.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
   Current Beta Squid 3.1.0.16
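A defender-side check for the log pattern Fredrik quotes, added here as an example and not part of the thread or of c-icap itself: it pairs each c-icap "VIRUS DETECTED" line with the "Simply no other data sent" line that follows it once trickling has begun, so detections that most likely reached the client can be triaged separately from the ones that ended in a 403. It assumes the two lines are adjacent in the log, as in the quoted excerpt; the timestamps and the last sample line are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log in the "<date>, general, <message>" shape quoted in
# the thread. Timestamps and the final line are made up for the example.
SAMPLE_LOG = """\
Thu Feb 04 10:01:12 2010, general, VIRUS DETECTED: Eicar-Test-Signature.
Thu Feb 04 10:05:40 2010, general, VIRUS DETECTED: Eicar-Test-Signature.
Thu Feb 04 10:05:40 2010, general, Simply no other data sent
Thu Feb 04 10:09:03 2010, general, constructed unrelated message
"""

LINE_RE = re.compile(r"^(?P<date>[^,]+), general, (?P<msg>.*)$")
VIRUS_RE = re.compile(r"^VIRUS DETECTED: (?P<sig>.+?)\.?$")
# Message c-icap wrote when the body had already been trickled to squid.
TRICKLED_MSG = "Simply no other data sent"


def triage_cicap_log(text: str) -> List[Dict[str, str]]:
    """Return one event per VIRUS DETECTED line with its likely outcome.

    Assumption: when StartSendPercentDataAfter was exceeded before the
    scan finished, c-icap logs TRICKLED_MSG directly after the detection,
    meaning the infected object was delivered. A detection with no such
    follow-up line is treated as blocked (the 403 case in the thread).
    """
    events: List[Dict[str, str]] = []
    pending: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a c-icap general log line
        msg = m.group("msg")
        hit = VIRUS_RE.match(msg)
        if hit:
            if pending is not None:
                events.append(pending)  # previous detection had no trickle line
            pending = {"date": m.group("date"),
                       "signature": hit.group("sig"),
                       "outcome": "blocked"}
            continue
        if pending is not None:
            if msg == TRICKLED_MSG:
                pending["outcome"] = "delivered"
            events.append(pending)
            pending = None
    if pending is not None:
        events.append(pending)
    return events


def delivered_detections(text: str) -> List[Dict[str, str]]:
    """Only the detections where the infected body likely reached the client."""
    return [e for e in triage_cicap_log(text) if e["outcome"] == "delivered"]
```

Run it against a real c-icap log and every "delivered" event is a download to follow up on the client side, since squid forwarded whatever c-icap had already sent.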
Received on Thu Feb 04 2010 - 22:26:56 MST