Deny info virus block response

Asked by John Bull on 2011-06-16

Alex,

I am successfully virus scanning using:
SL6 (RHEL6 Clone)
libecap-0.2.0
Squid 3.2.0.8
ecap_clamav_adapter-0.2.1

I am using squid logformat:
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt %adapt::<last_h

which provides the X-Virus-ID as follows:
192.168.0.119 TCP_MISS/403 4062 GET http://www.rexswain.com/eicar.zip - HIER_DIRECT/69.36.190.48 text/html X-Virus-ID:%20Eicar-Test-Signature%0D%0A

I am now not sure how to implement the blocking response. I have used Squid deny_info before, but I am not sure how to implement it in this case. Any deny_info examples would be very much appreciated.

One additional question: what directory is used to perform the actual virus scan? Is this location configurable? I would like to move this location to a RAM drive.

Thank you,
John
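
An added example, not part of the original question and not code from Squid or the adapter: one way to pull the X-Virus-ID out of access.log lines written with the logformat above, where the `%adapt::<last_h` field arrives percent-encoded. The function names are hypothetical, and the sample timestamps, elapsed times, the clean line and the `X-Example` header are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample lines in the logformat from the question
# (timestamp, elapsed time, clean line and second header are made up).
SAMPLE_LOG = """\
1308225600.123    412 192.168.0.119 TCP_MISS/403 4062 GET http://www.rexswain.com/eicar.zip - HIER_DIRECT/69.36.190.48 text/html X-Virus-ID:%20Eicar-Test-Signature%0D%0A
1308225601.456     35 192.168.0.120 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/192.0.2.10 text/html -
1308225602.789    120 192.168.0.121 TCP_MISS/403 4062 GET http://example.com/a.zip alice HIER_DIRECT/192.0.2.10 text/html X-Example:%20demo%0D%0Ax-virus-id:%20Eicar-Test-Signature%0D%0A
"""


def parse_last_h(field):
    """Decode the %adapt::<last_h field into a {lowercase-name: value} dict."""
    if field == "-":            # Squid writes "-" for an empty field
        return {}
    headers = {}
    for line in unquote(field).split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            # Keep printable characters only, so a decoded value cannot
            # carry control characters into a report or terminal.
            clean = "".join(c for c in value.strip() if c.isprintable())
            headers[name.strip().lower()] = clean
    return headers


def virus_hits(log_text):
    """Return (client, status, url, virus_id) for lines with an X-Virus-ID."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue            # not a line in this logformat
        # Index from the right: the last nine fields are fixed, so a line
        # without the leading timestamp/elapsed columns still parses.
        client, code_status, _size, _method, url, _user, _hier, _mime, last_h = fields[-9:]
        virus_id = parse_last_h(last_h).get("x-virus-id")
        if virus_id:
            hits.append((client, code_status.split("/")[-1], url, virus_id))
    return hits


if __name__ == "__main__":
    for hit in virus_hits(SAMPLE_LOG):
        print(*hit, sep="\t")
```
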

Question information

Language: English
Status: Answered
For: eCAP
Assignee: No assignee
Last query: 2011-06-16
Last reply: 2011-06-17

Alex Rousskov (rousskov) said : #1

Squid's deny_info should work the same for requests blocked by native Squid ACLs and by eCAP adapters.

To specify where the temporary files should be stored, use the staging_dir adapter parameter. Here is the excerpt from the README file, which also specifies the default directory:

  staging_dir=PATTERN Where to put files for libclamav analysis. Libclamav
                       API requires us to store complete message bodies into
                       files before the analysis can start.
                       The specified pattern can be a directory name ending
                       with a slash or a filename prefix. If the pattern
                       does not end with an "X", The adapter appends
                       "XXXXXX" to allow for random file names. It may be a
                       good idea to use a RAM-based filesystem for the
                       staging directory to speedup I/O. The default is
                       /tmp/eclamavXXXXXX.

Yuri (yvoinov) said : #2

Joining this question.

How to pass X-Virus-ID into a custom error page?

With example?

Can you help with this problem?
