<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<a class="moz-txt-link-freetext" href="http://squidclamav.darold.net/config.html">http://squidclamav.darold.net/config.html</a><br>
<br>
<h4 style="font-family: 'Trebuchet MS', Arial, Helvetica,
sans-serif; margin: 0px; padding: 0px; font-weight: bold; color:
rgb(0, 0, 0); font-size: 12px; font-style: normal; font-variant:
normal; letter-spacing: normal; line-height: normal; orphans:
auto; text-align: start; text-indent: 0px; text-transform: none;
white-space: normal; widows: 1; word-spacing: 0px;
-webkit-text-stroke-width: 0px; background-color: rgb(239, 239,
239);">Trust your cache (obsolete/unused in v6.x)</h4>
<p style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif;
line-height: 14px; color: rgb(30, 30, 30); font-size: 12px;
font-style: normal; font-variant: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 1; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(239, 239, 239);">One of the main
configuration directives for performance improvement is
'trust_cache'. SquidClamav detects if the file to download is
already stored in Squid cache. If you activate 'trust_cache',
SquidClamav will not scan a file coming from Squid cache as it
may have already been scanned during the first download. If
trust_cache is disabled, no matter if the file is stored in the
cache, SquidClamav will rescan the same file at each client
request. I really recommend you to activate this directive.</p>
<pre style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif; color: rgb(30, 30, 30); font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; widows: 1; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(239, 239, 239);"> trust_cache 0
</pre>
<p style="font-family: 'Trebuchet MS', Arial, Helvetica, sans-serif;
line-height: 14px; color: rgb(30, 30, 30); font-size: 12px;
font-style: normal; font-variant: normal; font-weight: normal;
letter-spacing: normal; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 1; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(239, 239, 239);">Trusted cache is disabled by
default as you may want to start with a fresh cache.</p>
<br>
Why do you need to rescan a cached object again? Don't you trust your cache?
Or what?<br>
<br>
<div class="moz-cite-prefix">18.05.15 17:17, Stefan Kuegler wrote:<br>
</div>
<blockquote cite="mid:E1YuJ3E-00HD0Y-7j@intern.SerNet.DE"
type="cite">Hi Yuri.
<br>
<blockquote type="cite">
<br>
<a class="moz-txt-link-freetext" href="http://i.imgur.com/mW7gNwD.png">http://i.imgur.com/mW7gNwD.png</a>
<br>
<br>
<a class="moz-txt-link-freetext" href="http://squidclamav.darold.net/config.html">http://squidclamav.darold.net/config.html</a>
<br>
<br>
This is for squidclamav (I use it and have no problems with
malware).
<br>
</blockquote>
<br>
I just installed squidclamav - but the behaviour is always the
same. An object which has been stored in squid-cache will not be
detected by an icap server because squid does not scan the body
again:
<br>
<br>
squidclamav.c(283) squidclamav_init_request_data: DEBUG
initializing request data handler.
<br>
pool hits:5 allocations: 1
<br>
Allocating from objects pool object 0
<br>
Requested service: squidclamav
<br>
squidclamav.c(337) squidclamav_check_preview_handler: DEBUG
processing preview header.
<br>
squidclamav.c(358) squidclamav_check_preview_handler: DEBUG
X-Client-IP: 192.168.216.54
<br>
squidclamav.c(1319) extract_http_info: DEBUG method GET
<br>
squidclamav.c(1330) extract_http_info: DEBUG url
<a class="moz-txt-link-freetext" href="http://www.intern/eicar_com.zip">http://www.intern/eicar_com.zip</a>
<br>
squidclamav.c(389) squidclamav_check_preview_handler: DEBUG URL
requested: <a class="moz-txt-link-freetext" href="http://www.intern/eicar_com.zip">http://www.intern/eicar_com.zip</a>
<br>
squidclamav.c(430) squidclamav_check_preview_handler: DEBUG
Content-Length: 0
<br>
squidclamav.c(449) squidclamav_check_preview_handler: DEBUG No
body data, allow 204
<br>
squidclamav.c(304) squidclamav_release_request_data: DEBUG
Releasing request data.
<br>
Storing to objects pool object 0
<br>
Log request to access log file /var/log/c-icap/access.log
<br>
Width: 0, Parameter:
<br>
<br>
Any idea how I can solve that problem? It seems that the only way
to be secure is to disable caching in squid. But I hope this
can't be the solution.
<br>
<br>
Regards,
<br>
Stefan
<br>
<blockquote type="cite">
<br>
05.05.15 17:45, Stefan Kügler wrote:
<br>
<blockquote type="cite">Hi Yuri.
<br>
<br>
On 05.05.2015 at 12:51, Yuri Voinov wrote:
<br>
<blockquote type="cite">This is not squid issue but your AV
engine library or ICAP intermediate
<br>
AV library configuration.
<br>
</blockquote>
<br>
Thank you for your answer.
<br>
<br>
Can you explain to me in a little more detail why this is not a
squid issue?
<br>
<br>
In the icap-logfile, I can see a REQMOD-request _AND_ a
RESPMOD-request to the icap-server if the object is not in
cache.
<br>
<br>
But - if the object is in cache - I can only see a
REQMOD-request to the icap-server. I am missing RESPMOD.
<br>
<br>
It seems to me that it is a decision of the client (squid)
which request (REQMOD or RESPMOD) will be sent to the icap-server
(AV-scanner) - and not a decision of the av-library.
<br>
</blockquote>
<br>
<blockquote type="cite">
<br>
Regards, Stefan
<br>
<br>
<blockquote type="cite">
<br>
05.05.15 16:43, Stefan Kügler wrote:
<br>
<blockquote type="cite">Hello.
<br>
<br>
<br>
I have a short question using squid as an ICAP-client.
<br>
<br>
<br>
It seems that squid doesn't send an already downloaded
(and cached)
<br>
object to an ICAP-server.
<br>
<br>
Here is a short description what I have done:
<br>
<br>
1. downloading a word-document with a macro-virus. The
Virus-scanner
<br>
(ICAP-server) uses an old pattern-file and does not detect
the virus.
<br>
<br>
The object is now in cache.
<br>
<br>
2. updating the virus-scanner to the newest pattern-file.
The
<br>
virus-scanner will now detect the macro virus.
<br>
<br>
3. downloading the same word-document. The object has been
delivered
<br>
to the client without a new virus scan.
<br>
<br>
<br>
<br>
And now some log-entries:
<br>
<br>
1. First download of the word document:
<br>
<br>
access.log:
<br>
2015-05-05 12:23:52 144 192.168.2.54 TCP_MISS/200
553301 GET
<br>
<a class="moz-txt-link-freetext" href="http://www.intern/virus.doc">http://www.intern/virus.doc</a> - HIER_DIRECT/193.175.80.229
<br>
application/msword
<br>
<br>
icap.log:
<br>
2015-05-05 12:23:52 5 192.168.2.54 ICAP_ECHO/204 135
REQMOD
<br>
icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
<br>
2015-05-05 12:23:52 130 192.168.2.54 ICAP_MOD/200
553897 RESPMOD
<br>
icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
<br>
<br>
AV-Scanner:
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Starting
<br>
ICAP request decoding
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Request
<br>
message decoded in 1 chunks
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Finished
<br>
ICAP request decoding
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Starting
<br>
ICAP request processing
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Starting
<br>
service processing
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
REQMOD
<br>
processing
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Resource at
<br>
<GET <a class="moz-txt-link-freetext" href="http://www.intern/virus.doc">http://www.intern/virus.doc</a> HTTP/1.1> has no
body to be scanned
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Finished
<br>
service processing
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
The request
<br>
for URI '<a class="moz-txt-link-freetext" href="http://www.intern/virus.doc">http://www.intern/virus.doc</a>' was allowed (Reason:
'Clean'.
<br>
Details: '')
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Create
<br>
response headers type: CLEAN 204
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Send headers
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Finished
<br>
ICAP request processing
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D2B0700] INFO:
Core library
<br>
session cleared
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D1AF700] INFO:
Connection
<br>
closed by foreign host while waiting for requests
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24D1AF700] INFO:
Core library
<br>
session cleared
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Starting
<br>
ICAP request decoding
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Request
<br>
message decoded in 259 chunks
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Finished
<br>
ICAP request decoding
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Starting
<br>
ICAP request processing
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Starting
<br>
service processing
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
RESPMOD
<br>
processing
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Starting
<br>
virus scanning for resource at: <GET
<a class="moz-txt-link-freetext" href="http://www.intern/virus.doc">http://www.intern/virus.doc</a>
<br>
HTTP/1.1>
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Starting
<br>
virus scanning for resource at: <GET
<a class="moz-txt-link-freetext" href="http://www.intern/virus.doc">http://www.intern/virus.doc</a>
<br>
HTTP/1.1>
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
<br>
[service_scanner]File 'virus.doc' content is stored in
<br>
'/var/spool/avira-icap/icap-tmp.6baFv3'
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Finished
<br>
service processing
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
The request
<br>
for URI '<a class="moz-txt-link-freetext" href="http://www.intern/virus.doc">http://www.intern/virus.doc</a>' was allowed (Reason:
'Clean'.
<br>
Details: '')
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Create
<br>
response headers type: CLEAN
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Adding HTTP
<br>
headers for response type: CLEAN
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Send headers
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Send the
<br>
original body (552960 bytes)
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Finished
<br>
ICAP request processing
<br>
May 5 12:23:52 sk1 av-icapd[12412]: [7FD24CFAD700] INFO:
Core library
<br>
session cleared
<br>
<br>
<br>
<br>
<br>
<br>
2. Second download of the word document (after the
pattern-update):
<br>
<br>
access.log:
<br>
2015-05-05 12:27:43 35 192.168.2.54 TCP_MEM_HIT/200
553309 GET
<br>
<a class="moz-txt-link-freetext" href="http://www.intern/virus.doc">http://www.intern/virus.doc</a> - HIER_NONE/-
application/msword
<br>
<br>
icap.log:
<br>
2015-05-05 12:27:43 2 192.168.2.54 ICAP_ECHO/204 135
REQMOD
<br>
icap://127.0.0.1:1344/service_scanner - -/127.0.0.1 -
<br>
<br>
AV-Scanner:
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Starting
<br>
ICAP request decoding
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Request
<br>
message decoded in 1 chunks
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Finished
<br>
ICAP request decoding
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Starting
<br>
ICAP request processing
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Starting
<br>
service processing
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
REQMOD
<br>
processing
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Resource at
<br>
<GET <a class="moz-txt-link-freetext" href="http://www.intern/virus.doc">http://www.intern/virus.doc</a> HTTP/1.1> has no
body to be scanned
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Finished
<br>
service processing
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
The request
<br>
for URI '<a class="moz-txt-link-freetext" href="http://www.intern/virus.doc">http://www.intern/virus.doc</a>' was allowed (Reason:
'Clean'.
<br>
Details: '')
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Create
<br>
response headers type: CLEAN 204
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Send headers
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Finished
<br>
ICAP request processing
<br>
May 5 12:27:43 sk1 av-icapd[12412]: [7FD24C4A2700] INFO:
Core library
<br>
session cleared
<br>
<br>
<br>
And now my question: Is this a bug in squid - or is it
possible to
<br>
tell squid to send already cached object to the
icap-server?
<br>
<br>
Kind regards,
<br>
<br>
Stefan Kuegler
<br>
_______________________________________________
<br>
squid-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a>
<br>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
</blockquote>
<br>
Best regards - Stefan Kügler
<br>
SerNet GmbH
<br>
</blockquote>
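<br>
The gap described in this thread (a cache hit is delivered without a RESPMOD scan, even after the scanner's patterns were updated) can be audited from Squid's access.log. The following is an added example, not code from the thread or from Squid/SquidClamav; the function name, the pattern-update timestamp and three of the five sample log lines are assumptions made for illustration.

```python
from datetime import datetime

# Sample in the access.log layout quoted in the thread. Lines 1 and 3 are the
# thread's own entries; the other three are constructed for this example.
ACCESS_LOG = """\
2015-05-05 12:23:52 144 192.168.2.54 TCP_MISS/200 553301 GET http://www.intern/virus.doc - HIER_DIRECT/193.175.80.229 application/msword
2015-05-05 12:24:10 90 192.168.2.54 TCP_MISS/200 1200 GET http://www.intern/index.html - HIER_DIRECT/193.175.80.229 text/html
2015-05-05 12:27:43 35 192.168.2.54 TCP_MEM_HIT/200 553309 GET http://www.intern/virus.doc - HIER_NONE/- application/msword
2015-05-05 12:28:01 20 192.168.2.60 TCP_MISS/200 70000 GET http://www.intern/new.doc - HIER_DIRECT/193.175.80.229 application/msword
2015-05-05 12:29:15 12 192.168.2.60 TCP_HIT/200 70008 GET http://www.intern/new.doc - HIER_NONE/- application/msword
"""

# Assumed time of the scanner's pattern update (the thread gives no timestamp,
# only that it happened between the two downloads).
SIG_UPDATE = datetime(2015, 5, 5, 12, 25, 0)


def stale_hits(log_text, sig_update):
    """Return cache hits served after sig_update whose last origin fetch
    (and therefore last RESPMOD scan) predates it."""
    last_scan = {}  # url -> time of the last MISS seen in the log
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue  # not an access.log entry in this layout
        try:
            ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        client, result, url = f[3], f[4].split("/")[0], f[7]
        if "MISS" in result:
            # Fetched from origin: the body went through RESPMOD.
            last_scan[url] = ts
            continue
        if "HIT" not in result:
            continue  # denied, aborted, etc.: no cached body delivered
        scanned = last_scan.get(url)  # None: cached before this log begins
        if ts >= sig_update and (scanned is None or scanned < sig_update):
            findings.append((ts, client, url, scanned))
    return findings


if __name__ == "__main__":
    for ts, client, url, scanned in stale_hits(ACCESS_LOG, SIG_UPDATE):
        print(f"{ts} {client} got {url} from cache; last scanned: {scanned}")
```

A flagged URL is a candidate for removal from the cache, so that the next request is a miss and passes through RESPMOD again.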
<br>
</body>
</html>