[squid-users] blocking certain file types by content

Yuri Voinov yvoinov at gmail.com
Mon Dec 14 09:19:08 UTC 2015




14.12.15 11:57, Amos Jeffries wrote:
> On 14/12/2015 10:39 a.m., Markus wrote:
>> Yuri Voinov wrote:
>>
>>> Think more. ALL ICAP solutions check content. Diladele is not the only
>>> solution which checks content.
>> [...]
>>
>>> You really think executable files can have only known extension?
>>
>>
>> My way of thinking was like that:
>> instead of testing with AV each .exe or .zip file better block it out
>> (except for whitelist domains). Because testing with AV needs CPU/RAM.
>> But as we already established - executables can be downloaded as JPG
>> /TXT or whatever. If so - AV makes only sense if we test every kind of
>> extensions/streams. Right?
>
> Correct.
>
>>
>> let's consider such possible case:
>>
>> here we have putty.exe (without virus ;-) , but saved as txt file:
>>
>> http://6web.pl/~mserafin/putty.txt
>>
>> now we can just download it and change extension for exe. My question
>> is -
>> can ICAP-Clamav detect that it's windows executable and block it?
>> (even without testing against viruses)?
>
>
> You are making the mistake of thinking of
> "http://6web.pl/~mserafin/putty.txt" as a file. There is no concept of
> "file" in HTTP and thus also no "file extension".
> It might be one for this case, but while it is in HTTP it ceases acting
> like one.
>
> The reality is that "http://6web.pl/~mserafin/putty.txt" is just a
> resource locator;
>  * It has no guaranteed relationship to the actual delivered content
> type, and
>  * there may be a file involved - or not, and
>  * any file which is involved may exist at that location on the server -
> or somewhere else (even another server), and
>  * the response to that URL may be a singular object, multi-part
> response with multiple objects, a 206 partial object or network
> generated 3xx-5xx objects.
>
>
>>
>> and here more complicated case:
>>
>> http://6web.pl/~mserafin/putty_zip.txt   (it's a regular ZIP file with
>> putty.exe inside)
>>
>>
>> Can ICAP-Clamav deal with it?
>
> Good question. For the two simplistic cases you describe the answer is
> probably yes - if we assume the responses are whole files.
>
> Clamav insists on saving objects to disk to scan them fully, or at least
> the initial bytes of the object. It is a little restricted in that way.
>
> Other AV might do better with the more complicated HTTP response cases,
> or they might not. I'm not familiar with how each works. I just know
> that clamav is designed as a file-based scanner. Other AV have
No. Clamav uses the INSTREAM API for scanning. ICAP-based squidclamav
has utilized it for years.
>
> designed-in ICAP services, so may work better (but costly).
>
> Amos
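The two points the thread turns on, shown as an added example that is not code from the thread, from Squid or from squidclamav: a response body is classified by its leading bytes rather than by the URL suffix (a PE executable or a ZIP served as ".txt" is still recognised), and a body is framed the way clamd's INSTREAM command expects (length-prefixed chunks ending in a zero-length chunk), which is how a stream-based scanner avoids writing the object to disk. The sample bodies are constructed stubs, not real files; `scan_with_clamd` assumes a socket already connected to clamd.

```python
import struct
from typing import List

# Constructed sample bodies (not real files): a minimal "MZ ... PE\0\0" stub,
# a ZIP end-of-central-directory record, and genuine text.
PE_LIKE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
           + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + b"\x00" * 16)
ZIP_LIKE = b"PK\x05\x06" + b"\x00" * 18
TEXT = b"This really is plain text.\n"


def sniff_content(body: bytes) -> str:
    """Classify a response body by content, ignoring whatever the URL ends in.

    Returns "pe" for a Windows executable (DOS "MZ" stub whose e_lfanew field at
    offset 0x3C points at a "PE\\0\\0" signature), "zip" for a ZIP archive
    (local file header, empty archive or spanned-archive marker), else "unknown".
    """
    if body.startswith(b"MZ") and len(body) >= 0x40:
        e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
        if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    if body[:4] in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"):
        return "zip"
    return "unknown"


def instream_frames(body: bytes, chunk_size: int = 4096) -> List[bytes]:
    """Frame a body for clamd's INSTREAM command.

    The command is "zINSTREAM\\0", followed by chunks each prefixed with a
    4-byte big-endian length, terminated by a zero-length chunk. clamd replies
    "stream: OK" or "stream: <signature> FOUND"; nothing touches the disk.
    """
    frames = [b"zINSTREAM\x00"]
    for off in range(0, len(body), chunk_size):
        chunk = body[off:off + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))
    return frames


def scan_with_clamd(body: bytes, sock) -> bytes:
    """Stream the body over an already-connected socket (assumed; e.g. the
    clamd unix socket squidclamav is configured with) and return the verdict."""
    for frame in instream_frames(body):
        sock.sendall(frame)
    return sock.recv(4096).rstrip(b"\x00\n")


if __name__ == "__main__":
    for name, body in (("putty.txt", PE_LIKE), ("putty_zip.txt", ZIP_LIKE),
                       ("readme.txt", TEXT)):
        print(f"{name}: {sniff_content(body)}")
```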
