[squid-users] c-icap + squid 3.0, StartSendPercentDataAfter lets viruses through

From: Fredrik Ax <frax_at_axnet.nu>
Date: Thu, 4 Feb 2010 15:06:19 +0100

Hi,

This might be a bug/"feature" of the c-icap + squid 3.0 combination,
but I'm not sure that it might not be some kind of misconfiguration
on my part, so I figured I'd try this list and see if
somebody else has run into this.

To sum it up: When using the c-icap clamav service with squid and you
are downloading a file larger than the
srv_clamav.StartSendPercentDataAfter threshold set in c-icap.conf, and
the virus signature is found after c-icap has started to "trickle" out
data, the entire file including the virus signature is let through.

Testing this I used
c-icap version 20080706rc3-1 from the Debian amd64 Squeeze archive, and
squid 3.0.STABLE19-1 from the same archive.

The file I'm testing with is basically a 3MB file with the eicar.com virus
signature appended to it. clamscan finds it infected.

When setting the srv_clamav.StartSendPercentDataAfter option to 3M or more
I get a 403 from squid and the c-icap log says:
<date>, general, VIRUS DETECTED: Eicar-Test-Signature.

When setting the srv_clamav.StartSendPercentDataAfter option to 2M the
file starts downloading and I receive the entire file, including the
last bytes containing the eicar.com signature.
The c-icap log says:
<date>, general, VIRUS DETECTED: Eicar-Test-Signature.
<date>, general, Simply no other data sent

Thus, it seems that c-icap finds the virus, but still sends the entire
file on to squid, instead of aborting somehow.

I've run several tests with debug level 3 in c-icap and the squid
cache erased between tests. All with the same result and no further
info available in the logs.

Please feel free to ask if you want more info, my config files, etc.

Thanks in advance,
Fredrik Ax <frax_at_axnet.nu>

Received on Thu Feb 04 2010 - 14:07:15 MST
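
The two outcomes described in the message above, as a simplified model added to this archive page (it is not part of the original post and not c-icap's code). Assumptions: the names relay, percent and abort_on_detect are hypothetical, the scan runs once the whole body has arrived, the threshold comparison is strict, and a constructed marker stands in for the EICAR test signature.

```python
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in for the EICAR string
M = 1024 * 1024

def relay(chunks, start_send_after, percent=50, abort_on_detect=True):
    """Model one response body passing through a trickling scanner.

    Returns (status, delivered); status is 403, "complete" or "aborted".
    percent and abort_on_detect are hypothetical model parameters.
    """
    body = bytearray()   # everything received from the origin so far
    sent = 0             # bytes of body already released to the client
    for chunk in chunks:
        body += chunk
        if len(body) > start_send_after:
            # Early release: only a fraction of what has arrived, so the
            # newest bytes stay held back until the verdict is known.
            sent = max(sent, len(body) * percent // 100)
    infected = MARKER in body            # verdict once the body is complete
    if infected and sent == 0:
        return 403, b""                  # nothing released yet: block page
    if infected and abort_on_detect:
        # Data is already with the client, so a 403 is no longer possible;
        # the remaining option is to withhold the tail and cut the transfer.
        return "aborted", bytes(body[:sent])
    return "complete", bytes(body)       # clean file, or the reported behaviour

def make_body(total):
    """Constructed sample: filler with the marker appended, `total` bytes long."""
    return b"A" * (total - len(MARKER)) + MARKER

def chunked(data, n=64 * 1024):
    """Split the body into fixed-size pieces, as a network read loop would."""
    return [data[i:i + n] for i in range(0, len(data), n)]

def outcomes():
    """Run the sample through the two thresholds from the message."""
    chunks = chunked(make_body(3 * M))
    return {
        "3M": relay(chunks, 3 * M),
        "2M reported": relay(chunks, 2 * M, abort_on_detect=False),
        "2M aborting": relay(chunks, 2 * M, abort_on_detect=True),
    }

if __name__ == "__main__":
    for name, (status, data) in outcomes().items():
        print(name, status, len(data), "marker delivered:", MARKER in data)
```

In the aborting case the client is left with a truncated file, which is the check to make when testing a fix: compare the downloaded size with the original and search the download for the test signature.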
