How do I configure an exclusion list for ecap_clamav_adapter?

Asked by Yuri on 2015-02-27

One simple question.

How do I configure an exclusion list for ecap_clamav_adapter?

For excluding files/MIME types, URLs, etc. from scanning?

Question information

Language: English
Status: Answered
For: eCAP
Assignee: No assignee
Last query: 2015-02-28
Last reply: 2015-03-02
Alex Rousskov (rousskov) said : #1

AFAICT, libclamav does not support a configurable exclusion list. The eCAP ClamAV adapter itself supports exclusions based on size only (see huge_size in README).

I suggest using your host application configuration mechanisms (e.g., adaptation_access in squid.conf) to exclude certain traffic from reaching your ClamAV eCAP service.

Yuri (yvoinov) said : #2

Sure.

Just look at this:

acl bypass_scan_types_req req_mime_type -i ^text/
acl bypass_scan_types_req req_mime_type -i ^application/x-javascript
acl bypass_scan_types_req req_mime_type -i ^application/x-shockwave-flash
acl bypass_scan_types_req req_mime_type -i ^image/
acl bypass_scan_types_req req_mime_type -i ^video
acl bypass_scan_types_req req_mime_type -i ^audio
acl bypass_scan_types_req req_mime_type -i ^.*application\/x-mms-framed.*$

acl bypass_scan_types_rep rep_mime_type -i ^text/
acl bypass_scan_types_rep rep_mime_type -i ^application/x-javascript
acl bypass_scan_types_rep rep_mime_type -i ^application/x-shockwave-flash
acl bypass_scan_types_rep rep_mime_type -i ^image/
acl bypass_scan_types_rep rep_mime_type -i ^video
acl bypass_scan_types_rep rep_mime_type -i ^audio
acl bypass_scan_types_rep rep_mime_type -i ^.*application\/x-mms-framed.*$

loadable_modules /usr/local/lib/ecap_clamav_adapter.so
ecap_service clamav_service_req reqmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=REQMOD bypass=off
ecap_service clamav_service_resp respmod_precache uri=ecap://e-cap.org/ecap/services/clamav?mode=RESPMOD bypass=on
adaptation_access clamav_service_req allow !bypass_scan_types_req all
adaptation_access clamav_service_resp allow !bypass_scan_types_rep all
#deny_info http://192.168.100.251:8080/cgi-bin/virus_warn.cgi?clientaddr=%a&url=%u&virus=%adapt::last_h clamav_service_resp

Which ACL I can drop out? Request or response?

Alex Rousskov (rousskov) said : #3

This is not really about eCAP anymore, but you should remove the service you do not need (if any). For example, if you do not want to filter requests, remove the directives related to your clamav_service_req. In most cases, folks filter requests when they want to block information leaks, not viruses. On the other hand, reverse proxies may filter requests and not responses. It all depends on the deployment environment.

BTW, you do not need to add the "all" ACL after some other ACL in the same rule. Adding always-matching "all" only wastes a few CPU cycles.
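To see which responses the posted `adaptation_access ... allow !bypass_scan_types_rep` rule actually hands to ClamAV, here is an added example (not from the thread, nor Squid's own code) that replays the response-side ACL over a few constructed Content-Type values. It assumes a simplified model of Squid's regex ACLs: each `rep_mime_type -i` pattern is an unanchored, case-insensitive search over the header value, and the service is used only when the bypass ACL does not match.

```python
import re

# ACL patterns copied from the squid.conf fragment in the thread (response side).
BYPASS_SCAN_TYPES_REP = [
    r"^text/",
    r"^application/x-javascript",
    r"^application/x-shockwave-flash",
    r"^image/",
    r"^video",
    r"^audio",
    r"^.*application\/x-mms-framed.*$",
]


def acl_matches(patterns, header_value):
    """Approximates a Squid regex ACL with the -i flag: the ACL matches when
    any pattern is found (unanchored search) in the header value, ignoring
    case. Assumption: a simplification of Squid's own ACL matching."""
    return any(re.search(p, header_value, re.IGNORECASE) for p in patterns)


def will_scan(content_type, acl=BYPASS_SCAN_TYPES_REP):
    """Models 'adaptation_access clamav_service_resp allow !bypass_scan_types_rep':
    the response reaches the ClamAV eCAP service only when the bypass ACL
    does NOT match its Content-Type. Returns True if the body gets scanned."""
    return not acl_matches(acl, content_type)


def classify(content_types):
    """Splits a batch of Content-Type values into (scanned, bypassed) lists,
    useful for reviewing an exclusion list against types seen in access logs."""
    scanned = [ct for ct in content_types if will_scan(ct)]
    bypassed = [ct for ct in content_types if not will_scan(ct)]
    return scanned, bypassed


# Constructed sample Content-Type values, with parameters and mixed case
# as they appear on the wire.
SAMPLE_CONTENT_TYPES = [
    "text/html; charset=utf-8",
    "VIDEO/mp4",
    "application/x-msdownload",
    "application/octet-stream",
    "application/x-mms-framed",
    "text/x-shellscript",
]

if __name__ == "__main__":
    scanned, bypassed = classify(SAMPLE_CONTENT_TYPES)
    print("scanned by ClamAV:", scanned)
    print("bypassed:", bypassed)
```

Matching is done on the Content-Type the origin server declares, so a body labelled with a bypassed type (text/x-shellscript above) is never handed to ClamAV; the adapter's own huge_size limit remains the only exclusion the adapter itself enforces.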
