[squid-users] blocking certain file types by content

Amos Jeffries squid3 at treenet.co.nz
Mon Dec 14 05:57:16 UTC 2015


On 14/12/2015 10:39 a.m., Markus wrote:
> Yuri Voinov wrote:
> 
>> Think more. ALL ICAP solutions check content. Diladele is not the only solution which checks content.
> [...]
> 
>> You really think executable files can have only known extension?
> 
> 
> My way of thinking was like that:
> instead of testing with AV each .exe or .zip file, better to block it out
> (except for whitelist domains), because testing with AV needs CPU/RAM.
> But as we already established - executables can be downloaded as JPG
> /TXT or whatever. If so - AV only makes sense if we test every kind of
> extension/stream. Right?

Correct.

> 
> let's consider such possible case:
> 
> here we have putty.exe (without virus ;-) , but saved as txt file:
> 
> http://6web.pl/~mserafin/putty.txt
> 
> now we can just download it and change the extension to exe. My question is -
> can ICAP-Clamav detect that it's a Windows executable and block it
> (even without testing against viruses)?


You are making the mistake of thinking of
"http://6web.pl/~mserafin/putty.txt" as a file. There is no concept of
"file" in HTTP and thus also no "file extension".
It might be one for this case, but while it is in HTTP it ceases acting
like one.

The reality is that "http://6web.pl/~mserafin/putty.txt" is just a
resource locator;
 * It has no guaranteed relationship to the actual delivered content
type, and
 * there may be a file involved - or not, and
 * any file which is involved may exist at that location on the server -
or somewhere else (even another server), and
 * the response to that URL may be a singular object, multi-part
response with multiple objects, a 206 partial object or network
generated 3xx-5xx objects.


> 
> and here more complicated case:
> 
> http://6web.pl/~mserafin/putty_zip.txt   (it's a regular ZIP file with
> putty.exe inside)
> 
> 
> Can ICAP-Clamav deal with it?

Good question. For the two simplistic cases you describe the answer is
probably yes - if we assume the responses are whole files.

Clamav insists on saving objects to disk to scan them fully, or at least
the initial bytes of the object. It is a little restricted in that way.

Other AV might do better with the more complicated HTTP response cases,
or they might not. I'm not familiar with how each works. I just know
that clamav is designed as a file-based scanner. Other AV have
designed-in ICAP services, so may work better (but costly).

Amos
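As an added illustration, not code from this thread: the content-based check Markus asks about, done on the response bytes rather than on the URL, recognising a PE image by its MZ stub plus PE signature and a ZIP by its local-file-header magic, while a truncated or mid-object (206 partial) body, as Amos notes, may show neither. Every sample body here is constructed inside the block.

```python
import io
import struct
import zipfile

def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows PE image: MZ stub, e_lfanew, PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> PE header at offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20   # PE signature + dummy COFF header

def build_zip_with(name: str, payload: bytes) -> bytes:
    """Constructed ZIP body holding one member, e.g. putty_zip.txt with an exe inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def sniff(body: bytes) -> str:
    """Classify a response body by its leading bytes; the URL 'extension' is never consulted."""
    if body[:2] == b"MZ":
        if len(body) < 0x40:
            return "truncated"            # not enough bytes to read e_lfanew
        pe_off = struct.unpack_from("<I", body, 0x3C)[0]
        if pe_off + 4 > len(body):
            return "truncated"            # PE header lies beyond what was delivered
        return "pe" if body[pe_off:pe_off + 4] == b"PE\0\0" else "mz-only"
    if body[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"                      # includes a 206 body that starts mid-object

def zip_executables(body: bytes) -> list:
    """Names of PE-looking members inside a ZIP body, judged by member content, not name."""
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return [i.filename for i in zf.infolist() if sniff(zf.read(i)) == "pe"]
    except zipfile.BadZipFile:
        return []                         # not a whole ZIP object: nothing can be inspected

if __name__ == "__main__":
    exe = build_fake_pe()
    print("putty.txt body     ->", sniff(exe))
    print("first 16 bytes     ->", sniff(exe[:16]))
    print("range from byte 30 ->", sniff(exe[30:]))
    print("putty_zip.txt body ->", zip_executables(build_zip_with("putty.exe", exe)))
```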
