[squid-users] blocking certain file types by content

Yuri Voinov yvoinov at gmail.com
Mon Dec 14 09:19:08 UTC 2015

Hash: SHA256

14.12.15 11:57, Amos Jeffries пишет:
> On 14/12/2015 10:39 a.m., Markus wrote:
>> Yuri Voinov wrote:
>>> Think more. ALL ICAP solutions checks content. Diladele is not only
solution which checks content.
>> [...]
>>> You really think executable files can have only known extension?
>> My way of thinking was like that:
>> instead of testing with AV each .exe or .zip file better block it out
>> (except for whitelist domains). Because testing with AV needs CPU/RAM.
>> But as we already established - executables can be downloaded as JPG
>> /TXT or whatever. If so - AV makes only sense if we test every kind of
>> extensions/streams. Right?
> Correct.
>> let's consider such possible case:
>> here we have putty.exe (without virus ;-) , but saved as txt file:
>> http://6web.pl/~mserafin/putty.txt
>> now we can just download it and change extension for exe. My question
is -
>> can ICAP-Clamav detect that it's windows executable and block it?
>> (even without testing against viruses)?
> You are making the mistake of thinking of
> "http://6web.pl/~mserafin/putty.txt" as a file. There is no concept of
> "file" in HTTP and thus also no "file extension".
> It might be one for this case, but while it is in HTTP it ceases acting
> like one.
> The reality is that "http://6web.pl/~mserafin/putty.txt" is just a
> resource locator;
>  * It has no guaranteed relationship to the actual delivered content
> type, and
>  * there may be a file involved - or not, and
>  * any file which is involved may exist at that location on the server -
> or somewhere else (even another server), and
>  * the response to that URL may be a singular object, multi-part
> response with multiple objects, a 206 partial object or network
> generated 3xx-5xx objects.
>> and here more complicated case:
>> http://6web.pl/~mserafin/putty_zip.txt   (it's a regular ZIP file with
>> putty.exe inside)
>> Can ICAP-Clamav deal with it?
> Good question. For the two simplistic cases you describe the answer is
> probably yes - if we assume the responses are whole files.
> Clamav insists on saving objects to disk to scan them fully, or at least
> the initial bytes of the object. It is a little restricted in that way.
> Other AV might do better with the more complicated HTTP response cases,
> or they might not. I'm not familiar with how each works. I just know
> that clamav is designed as a file-based scanner. Other AV have
No. Clamav use INSTREAM API for scanning. I-CAP based squidclamav
utilizes it for years.
> designed-in ICAP services, so may work better (but costly).
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

Version: GnuPG v2

More information about the squid-users mailing list