ICAP and anti-virus

Hi Experts,

I've been researching ICAP and its ability to scan files individually. I'd need my ICAP server to be on the same machine as my server application so that it can locally scan files for viruses. Can anyone point me to a good implementation of ICAP that they would recommend that could help me here?

Many thanks,
Mike
thready Asked:
btan (Exec Consultant) Commented:
An ICAP server (mostly web based) should be a separate system, because of the dedicated performance needed to handle multiple scan requests (with multiple AV scanners) and to return the scan results in a timely manner. This has been the accepted implementation for segregation practice and smooth operation, especially when dealing with huge files for scanning. The proxy in place acts as the ICAP client, e.g. Squid, to 'talk' to the ICAP server (which supports services handling Request Modification, REQMOD, and making the necessary Response Modification, RESPMOD, all via HTTP normally).

In your case, having it local is taken up and likely still viable with such an implementation,
e.g. Metascan ICAP with Squid as client (adjust the config for localhost)
@ https://www.opswat.com/blog/scan-network-traffic-using-proxy-server-metascan-icap
e.g. C-ICAP client with Squid and C-ICAP server (with ClamAV); see that
> for the same machine: icap://localhost:1344/srv_clamav
> for a different machine: icap://cicap_hostname:1344/srv_clamav
@ http://c-icap.sourceforge.net/install.html

Squid is more flexible; do check the list of supported ICAP servers that have been tested
@ http://wiki.squid-cache.org/Features/ICAP

thready (Author) Commented:
Thanks btan. I will likely use FILEMOD and not RESPMOD, to just pass the full path. The only server I found that supports this so far is Symantec Scan Engine. Do you know of any others?
btan (Exec Consultant) Commented:
I doubt there is any other supporting FILEMOD (besides Symantec), even as stated in the ICAP forum product list, though it is not updated with other AV vendors including Symantec. http://www.icap-forum.org/icap?do=products&isServer=checked
I have been thinking a lot about whether there is a means of translating from FILEMOD to RESPMOD mode instead, but also to no avail, and it is not worth the effort since FILEMOD itself is already not widely supported by existing ICAP servers.
Even the common (and well recognised online) VirusTotal came up with an API for HTTP request/post instead of direct file based (file:\\) APIs (based on hash or file upload etc.) https://www.virustotal.com/en/documentation/public-api/
https://www.virustotal.com/en/documentation/public-api/#scanning-files
thready (Author) Commented:
Yep, FILEMOD doesn't look very popular at all.

I don't even understand how one could use RESPMOD to scan individual files.  Do you?  :-)
btan (Exec Consultant) Commented:
C-ICAP has documentation on that, with its client (mostly Squid) and the C-ICAP server handling those requests.
icap_enable on

icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/request
adaptation_access service_req allow all

icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response
adaptation_access service_resp allow all
Do check those links, which also share the use case and steps, though the details will need further understanding.

More details in the IETF run-through; see the encapsulated HTTP header requirements at https://tools.ietf.org/html/rfc3507#section-4.3.3. Via port 1344 (TCP), URI scheme icap:
ICAP is, in essence, a lightweight protocol for executing a "remote procedure call" on HTTP messages. It allows ICAP clients to pass HTTP messages to ICAP servers for some sort of transformation or other processing ("adaptation"). The server executes its transformation service on messages and sends back responses to the client, usually with modified messages. Typically, the adapted messages are either HTTP requests or HTTP responses.

ICAP is a request/response protocol similar in semantics and usage to HTTP/1.1. Despite the similarity, ICAP is not HTTP, nor is it an application protocol that runs over HTTP. This means, for example, that ICAP messages can not be forwarded by HTTP surrogates.
http://www.networksorcery.com/enp/protocol/icap.htm
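How a single file can be scanned with RESPMOD when there is no browser or proxy in the path, as an added example (this is not code from the thread, from c-icap or from Squid): the server application pretends the file is the body of an HTTP 200 response, encapsulates that synthetic request/response pair in a RESPMOD request (the Encapsulated header carries the byte offsets, the body is chunked, as RFC 3507 requires), and the ICAP server answers 204 No Content if the body is clean or 200 OK with a replacement HTTP response if it is not. Both sides are implemented below so the exchange runs in memory. Assumptions: the scanner is a stub that only recognises the public EICAR test string, the service name srv_clamav is borrowed from the c-icap URI above, and the ISTag value, the origin host/path and the X-Infection-Found header (a common vendor extension, not part of RFC 3507) are illustrative. tcp_transport would carry the same bytes to a real ICAP server on 127.0.0.1:1344 but is not used by the default in-memory path.

```python
"""Toy ICAP RESPMOD exchange (added example): client wraps a file in a synthetic HTTP
response, server scans the encapsulated body. Not code from the thread, c-icap or Squid."""
import socket

CRLF = b"\r\n"
# Public EICAR anti-virus test string (harmless by design); the stub scanner's only signature.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def chunked(body: bytes) -> bytes:
    """Encode a body with HTTP/1.1 chunked transfer coding, as ICAP requires for encapsulated bodies."""
    return f"{len(body):x}".encode() + CRLF + body + CRLF + b"0" + CRLF + CRLF


def dechunk(data: bytes) -> bytes:
    """Decode a chunked body (chunk extensions and trailers are ignored)."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def parse_icap_message(data: bytes):
    """Split an ICAP request or response into (start line, lower-cased header dict, payload)."""
    head, _, payload = data.partition(CRLF + CRLF)
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, payload


def parse_encapsulated(value: str) -> dict:
    """'req-hdr=0, res-hdr=42, res-body=137' -> {'req-hdr': 0, ...}; offsets are into the payload."""
    return {k.strip(): int(v) for k, v in (part.split("=") for part in value.split(","))}


def build_respmod_request(body: bytes, icap_host="127.0.0.1", service="srv_clamav",
                          origin_host="files.internal", path="/upload") -> bytes:
    """Client side: present the file as an HTTP 200 response and ask the ICAP server to adapt it.
    origin_host/path are made up; the ICAP server only cares about the encapsulated body."""
    req_hdr = f"GET {path} HTTP/1.1\r\nHost: {origin_host}\r\n\r\n".encode()
    res_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    # Encapsulated offsets are byte positions relative to the start of the payload.
    encapsulated = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    icap_hdr = (f"RESPMOD icap://{icap_host}:1344/{service} ICAP/1.0\r\nHost: {icap_host}\r\n"
                f"Allow: 204\r\nConnection: close\r\nEncapsulated: {encapsulated}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + chunked(body)


def toy_scan(body: bytes):
    """Stub AV engine: returns a threat name or None. A real server would call ClamAV etc. here."""
    return "EICAR-Test-File" if EICAR.encode() in body else None


def handle_respmod(request: bytes, scan=toy_scan) -> bytes:
    """Server side: extract the encapsulated response body from a RESPMOD request, scan it, and
    either pass it through (204) or replace it with a block page (200 plus a new HTTP response)."""
    start, hdrs, payload = parse_icap_message(request)
    if not start.startswith("RESPMOD "):
        return b"ICAP/1.0 405 Method Not Allowed\r\nEncapsulated: null-body=0\r\n\r\n"
    enc = parse_encapsulated(hdrs["encapsulated"])
    body = dechunk(payload[enc["res-body"]:]) if "res-body" in enc else b""
    threat = scan(body)
    if threat is None:  # the client sent Allow: 204, so we may answer without echoing the body
        return b"ICAP/1.0 204 No Content\r\nISTag: \"toy-av-1\"\r\nEncapsulated: null-body=0\r\n\r\n"
    page = f"Blocked: {threat}\r\n".encode()
    res_hdr = (f"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
               f"Content-Length: {len(page)}\r\n\r\n").encode()
    # X-Infection-Found is a common vendor extension header, not defined in RFC 3507.
    icap = (f"ICAP/1.0 200 OK\r\nISTag: \"toy-av-1\"\r\n"
            f"X-Infection-Found: Type=0; Resolution=2; Threat={threat};\r\n"
            f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}\r\n\r\n").encode()
    return icap + res_hdr + chunked(page)


def tcp_transport(host="127.0.0.1", port=1344):
    """Transport for a real ICAP server on the same box (e.g. c-icap); unused by the in-memory demo."""
    def send(request: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=30) as sock:
            sock.sendall(request)
            parts = []
            while chunk := sock.recv(65536):  # Connection: close lets us read until EOF
                parts.append(chunk)
        return b"".join(parts)
    return send


def scan_bytes(body: bytes, transport=handle_respmod) -> dict:
    """Full exchange: build the RESPMOD request, send it, interpret the verdict (204 means clean)."""
    start, hdrs, _ = parse_icap_message(transport(build_respmod_request(body)))
    status = int(start.split()[1])
    return {"status": status, "clean": status == 204, "threat": hdrs.get("x-infection-found")}


if __name__ == "__main__":
    print(scan_bytes(b"%PDF-1.4 harmless document bytes (constructed sample)"))
    print(scan_bytes(EICAR.encode()))
```

To test against a real engine, call scan_bytes(data, tcp_transport()) with c-icap and srv_clamav listening on 127.0.0.1:1344; the request bytes are identical, only the transport changes. Note that Allow: 204 is what permits the server to skip echoing the whole file back on a clean verdict, which is the main reason RESPMOD works acceptably for large files even though the body has to be streamed in.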
thready (Author) Commented:
Thanks for your help with this!  :)