[squid-users] icap SOPHOS SAVDI and custom errorpage

David Webb d.webb at mdx.ac.uk
Tue Nov 10 16:05:17 UTC 2015


I've set up

squid -v
Squid Cache: Version 3.3.8

on RHEL 7.1

and have configured things so that virus scanning with Sophos' SAVDI
works and can get to a custom error page; however, I can't seem to find
any way of getting the name of the detected virus passed across to the
custom error page and displayed.

The appropriate part of my squid.conf is


acl http_status_403 http_status 403
acl virus_found rep_header X-Blocked  -i \Virus found during virus scan\.
#
icap_enable on
adaptation_access  sophosicap  allow all
icap_service  sophosicap  respmod_precache icap://127.0.0.1:4020/sophos
http_reply_access deny http_status_403 virus_found
deny_info ERR_MDX_VIRUS_FOUND  virus_found

(I'm not sure if this is the best way of doing things, but it was the
only way I could find which worked.
The deny_info documentation
http://www.squid-cache.org/Versions/v3/3.3/cfgman/deny_info.html
seemed to suggest that I could use the service name sophosicap:

"
The acl is typically the last acl on the http_access deny line which
	denied access. The exceptions to this rule are:
	- When Squid needs to request authentication credentials. It's then
	  the first authentication related acl encountered
	- When none of the http_access lines matches. It's then the last
	  acl processed on the last http_access line.
	- When the decision to deny access was made by an adaptation service,
	  the acl name is the corresponding eCAP or ICAP service_name.
"

but I couldn't work out how to get this to work.)

As I said though, none of the custom error page variables from
http://wiki.squid-cache.org/Features/CustomErrors#ERR_.2A_template_codes_for_embedding
seem to get back the virus name from SAVDI.

The only place I have found the virus name reported is in the icap_log I
set up, with format:

logformat icap_squid2 %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs 
%icap::<st  %icap::rm %icap::ru %un -/%icap::<A - %icap::<h


1447168691.715     15 10.2.213.153 ICAP_MOD/200 703 RESPMOD 
icap://127.0.0.1:4020/sophos - -/127.0.0.1 - 
ISTag:%20%221-02-3-60-0-5-20-231-462227D3%22%0D%0AService:%20Sophos%20Anti-Virus%20SAVDI/ICAP%0D%0ADate:%20Tue,%2010%20Nov%202015%2015:18:11%20GMT%0D%0AX-HRESULT:%2000040203%0D%0AX-Virus-ID:%20EICAR-AV-Test%0D%0AX-Infection-Found:%20Type=0;%20Resolution=2;%20Threat=EICAR-AV-Test;%0D%0AX-Violations-Found:%201%0D%0A%20%20%20%20%20%20-%0D%0A%20%20%20%20%20%20EICAR-AV-Test%0D%0A%20%20%20%20%20%20-%0D%0A%20%20%20%20%20%200%0D%0AEncapsulated:%20res-hdr=0,%20null-body=345%0D%0A


Is there any way of getting this reported virus name (Virus-ID) into the
custom error page?
Has anyone else got SAVDI working with Squid ICAP?


Thanks


-- 

David Webb  (CISSP-ISSAP)
Information Systems Security Architecture Professional
IT Security team leader
CCSS
Middlesex University
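Since the icap_log is the one place in this setup where the SAVDI verdict actually surfaces, a practical fallback is to pull the threat name out of that log (for alerting, or for a SOC dashboard) until the error-page question is resolved. The following parser is an added example, not code from the post or from the Squid project. It assumes the field order of the `icap_squid2` logformat shown above, decodes the URL-encoded `%icap::<h` field with `urllib.parse.unquote`, joins folded continuation lines (as in the `X-Violations-Found` block) onto their header, and reports `X-Virus-ID` plus any `Threat=` entry in `X-Infection-Found`. The infected line is the one from the post rejoined onto a single line; the clean `ICAP_MOD/204` line is a constructed sample used only to show that non-detections produce no event.

```python
from urllib.parse import unquote

# Field order of the icap_squid2 logformat quoted in the post:
#   %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<st %icap::rm
#   %icap::ru %un -/%icap::<A - %icap::<h
# Squid URL-encodes %icap::<h, so the whole ICAP header block is a single
# whitespace-free field and the line splits cleanly into 11 fields.
FIELD_NAMES = (
    "timestamp", "icap_response_ms", "client_ip", "icap_outcome",
    "icap_resp_bytes", "icap_method", "icap_uri", "user",
    "icap_server", "unused", "icap_resp_headers",
)

# The infected-response line as logged in the post, rejoined onto one line.
INFECTED_LINE = (
    "1447168691.715     15 10.2.213.153 ICAP_MOD/200 703 RESPMOD "
    "icap://127.0.0.1:4020/sophos - -/127.0.0.1 - "
    "ISTag:%20%221-02-3-60-0-5-20-231-462227D3%22%0D%0A"
    "Service:%20Sophos%20Anti-Virus%20SAVDI/ICAP%0D%0A"
    "Date:%20Tue,%2010%20Nov%202015%2015:18:11%20GMT%0D%0A"
    "X-HRESULT:%2000040203%0D%0A"
    "X-Virus-ID:%20EICAR-AV-Test%0D%0A"
    "X-Infection-Found:%20Type=0;%20Resolution=2;%20Threat=EICAR-AV-Test;%0D%0A"
    "X-Violations-Found:%201%0D%0A%20%20%20%20%20%20-%0D%0A"
    "%20%20%20%20%20%20EICAR-AV-Test%0D%0A%20%20%20%20%20%20-%0D%0A"
    "%20%20%20%20%20%200%0D%0A"
    "Encapsulated:%20res-hdr=0,%20null-body=345%0D%0A"
)

# Constructed clean-response line (not from the post): no X-Virus-ID header.
CLEAN_LINE = (
    "1447168700.120      4 10.2.213.154 ICAP_MOD/204 0 RESPMOD "
    "icap://127.0.0.1:4020/sophos - -/127.0.0.1 - "
    "ISTag:%20%221-02-3-60-0-5-20-231-462227D3%22%0D%0A"
    "Service:%20Sophos%20Anti-Virus%20SAVDI/ICAP%0D%0A"
    "Encapsulated:%20null-body=0%0D%0A"
)


def parse_icap_headers(encoded):
    """Decode a URL-encoded ICAP header block into {lowercased name: value}.

    Continuation lines (leading whitespace) are folded onto the previous
    header, which is how the multi-line X-Violations-Found block arrives.
    """
    headers = {}
    last = None
    for line in unquote(encoded).split("\r\n"):
        if not line.strip():
            continue
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than abort the record
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def parse_icap_log_line(line):
    """Split one icap_squid2 line into a dict; the header field is decoded."""
    parts = line.split(None, len(FIELD_NAMES) - 1)
    if len(parts) != len(FIELD_NAMES):
        raise ValueError("expected %d fields, got %d" % (len(FIELD_NAMES), len(parts)))
    rec = dict(zip(FIELD_NAMES, parts))
    rec["icap_resp_headers"] = parse_icap_headers(rec["icap_resp_headers"])
    return rec


def detected_threats(headers):
    """Threat names SAVDI reported: X-Virus-ID plus Threat= in X-Infection-Found."""
    threats = []
    virus_id = headers.get("x-virus-id")
    if virus_id:
        threats.append(virus_id)
    for item in headers.get("x-infection-found", "").split(";"):
        key, _, value = item.partition("=")
        value = value.strip()
        if key.strip().lower() == "threat" and value and value not in threats:
            threats.append(value)
    return threats


def virus_events(lines):
    """Return (timestamp, client_ip, threats) for every line with a detection."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_icap_log_line(line)
        threats = detected_threats(rec["icap_resp_headers"])
        if threats:
            events.append((rec["timestamp"], rec["client_ip"], threats))
    return events


if __name__ == "__main__":
    for ts, ip, threats in virus_events([INFECTED_LINE, CLEAN_LINE]):
        print(ts, ip, ", ".join(threats))
```

Feeding the live icap_log through `virus_events` (for example from a log shipper) gives the client address and threat name per detection even though the error page itself still cannot display them; the header names are matched case-insensitively because ICAP header names, like HTTP ones, are not case-sensitive.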



