thready

asked on

ICAP and anti-virus

Hi Experts,

I'm researching ICAP and its ability to scan files individually.  I'd need my ICAP server to be on the same machine as my server application so that it can locally scan files for viruses.  Can anyone point me to a good implementation of ICAP that they would recommend that could help me here?

Many thanks,
Mike
ASKER CERTIFIED SOLUTION
btan

thready

ASKER

Thanks btan.  I will likely use FILEMOD and not RESPMOD to just pass the full path.  The only server I found that supports this so far is Symantec Scan Engine.  Do you know of any others?
I doubt there is any other server supporting FILEMOD (besides Symantec), even as stated in the ICAP forum product list, though that list is not updated with other AV vendors, including Symantec. http://www.icap-forum.org/icap?do=products&isServer=checked
I am thinking hard about whether there is a means of translating from FILEMOD to RESPMOD mode instead, but also to no avail, and it is not worth the effort since FILEMOD itself is not widely supported by existing ICAP servers.
Even the common (and well-recognised online) VirusTotal came up with an API for HTTP request/post instead of direct file-based (file:\\) APIs (based on hash or file upload etc.) https://www.virustotal.com/en/documentation/public-api/
https://www.virustotal.com/en/documentation/public-api/#scanning-files

ASKER

Yep, FILEMOD doesn't look very popular at all.

I don't even understand how one could use RESPMOD to scan individual files.  Do you?  :-)
C-ICAP has a document on that, with its client (mostly Squid) and the C-ICAP server handling those requests.
# Squid side: hand requests and responses to the c-icap server listening on localhost:1344
icap_enable on

# REQMOD (pre-cache) on outbound requests; bypass=1 lets traffic through if the ICAP service is down
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/request
adaptation_access service_req allow all

# RESPMOD (pre-cache) on downloaded content, which is where AV scanning happens; bypass=0 fails closed
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/response
adaptation_access service_resp allow all
Do catch those links, which also share the use case and steps, though the details will need further understanding.

More details in the IETF run-through - see the encapsulated HTTP header request https://tools.ietf.org/html/rfc3507#section-4.3.3. Over TCP port 1344, URI scheme icap:
ICAP is, in essence, a lightweight protocol for executing a "remote procedure call" on HTTP messages. It allows ICAP clients to pass HTTP messages to ICAP servers for some sort of transformation or other processing ("adaptation"). The server executes its transformation service on messages and sends back responses to the client, usually with modified messages. Typically, the adapted messages are either HTTP requests or HTTP responses.

ICAP is a request/response protocol similar in semantics and usage to HTTP/1.1. Despite the similarity, ICAP is not HTTP, nor is it an application protocol that runs over HTTP. This means, for example, that ICAP messages can not be forwarded by HTTP surrogates.
http://www.networksorcery.com/enp/protocol/icap.htm
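To make the RESPMOD point concrete for the question above (scanning a single local file with no proxy in the path): an ICAP client can fabricate the HTTP exchange itself, i.e. wrap the file in a synthetic `GET` plus `200 OK` response, send that as a RESPMOD request to the server, and read the verdict back as an ICAP status. The following is an added example written for this thread, not code from btan, c-icap, Squid or Symantec. It assumes an ICAP server at icap://127.0.0.1:1344/response (the port and service path mirror the Squid config quoted above; the service name is a placeholder), that the server honours `Connection: close`, and that detections are reported in `X-Infection-Found`, `X-Virus-ID` or `X-Violations-Found` headers, which is how the ICAP extension headers used by c-icap's virus_scan module and Symantec-style servers work; check your own server's documentation for the exact header names.

```python
"""Scan a local file through an ICAP server with RESPMOD (RFC 3507).

Added example for this thread; not code from the page, c-icap or Squid.
Assumptions: ICAP server at icap://127.0.0.1:1344/response, honours
"Connection: close", reports detections in X-Infection-Found style headers.
"""
import os
import socket
from urllib.parse import quote, urlsplit

CRLF = b"\r\n"


def chunk(data: bytes) -> bytes:
    """HTTP chunked transfer coding: one chunk followed by the zero-length terminator."""
    if not data:
        return b"0" + CRLF + CRLF
    return f"{len(data):x}".encode("ascii") + CRLF + data + CRLF + b"0" + CRLF + CRLF


def build_respmod_request(icap_uri: str, filename: str, data: bytes) -> bytes:
    """Wrap `data` in a synthetic HTTP 200 response, and that in an ICAP RESPMOD request.

    No real HTTP exchange happened: the GET and the 200 OK are fabricated so the
    ICAP server has an HTTP response to adapt. That is how RESPMOD scans a file
    that never crossed a proxy.
    """
    req_hdr = (b"GET http://localhost/" + quote(filename).encode("ascii") + b" HTTP/1.1" + CRLF
               + b"Host: localhost" + CRLF + CRLF)
    res_hdr = (b"HTTP/1.1 200 OK" + CRLF
               + b"Content-Type: application/octet-stream" + CRLF
               + b"Content-Length: " + str(len(data)).encode("ascii") + CRLF + CRLF)
    # Encapsulated gives the byte offset of each section counted from the first
    # encapsulated byte (RFC 3507 section 4.4); encapsulated bodies are always chunked.
    encapsulated = (f"req-hdr=0, res-hdr={len(req_hdr)}, "
                    f"res-body={len(req_hdr) + len(res_hdr)}")
    host = urlsplit(icap_uri).hostname or "127.0.0.1"
    icap_hdr = CRLF.join([
        f"RESPMOD {icap_uri} ICAP/1.0".encode("ascii"),
        f"Host: {host}".encode("ascii"),
        b"Allow: 204",         # we accept "204 Unmodified" for the whole message (no Preview sent)
        b"Connection: close",  # assumption: server closes after replying, so we read to EOF
        f"Encapsulated: {encapsulated}".encode("ascii"),
        b"", b"",              # blank line terminating the ICAP header
    ])
    return icap_hdr + req_hdr + res_hdr + chunk(data)


def parse_encapsulated(value: str) -> dict:
    """Parse 'req-hdr=0, res-hdr=61, res-body=139' into {'req-hdr': 0, ...}."""
    return {k.strip(): int(v) for k, v in (item.split("=", 1) for item in value.split(","))}


def parse_icap_response(raw: bytes):
    """Split a raw ICAP response into (status, reason, headers, encapsulated bytes)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete ICAP response (no end of header)")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    status = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, reason, headers, rest


def verdict(status: int, headers: dict) -> tuple:
    """Turn an ICAP status plus headers into (result, detail)."""
    if status == 204:
        return ("clean", "204: server left the content unmodified")
    if status == 200:
        # Assumption: the AV server flags detections in one of these extension headers
        # (X-Infection-Found is what c-icap's virus_scan module and Symantec-style servers use).
        for name in ("x-infection-found", "x-virus-id", "x-violations-found"):
            if name in headers:
                return ("infected", headers[name])
        return ("modified", "200: server replaced the content (block page?)")
    return ("error", f"unexpected ICAP status {status}")


def scan_file(path: str, icap_uri: str = "icap://127.0.0.1:1344/response",
              timeout: float = 30.0) -> tuple:
    """Send one local file to the (co-located) ICAP server and return its verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    request = build_respmod_request(icap_uri, os.path.basename(path), data)
    parts = urlsplit(icap_uri)
    with socket.create_connection((parts.hostname, parts.port or 1344), timeout=timeout) as sock:
        sock.sendall(request)
        raw = b""
        while True:  # Connection: close was requested, so EOF marks the end of the reply
            buf = sock.recv(65536)
            if not buf:
                break
            raw += buf
    status, _, headers, _ = parse_icap_response(raw)
    return verdict(status, headers)


if __name__ == "__main__":
    import sys
    print(scan_file(sys.argv[1]))
```

Run it as `python icap_scan.py /path/to/file` against a local c-icap (or any RESPMOD-capable AV server) and you get `('clean', ...)` on a 204 or `('infected', 'Type=0; Resolution=2; Threat=...')` when the server flags the content. Two design points worth noting: the client sends no `Preview` header, so the whole file goes over the socket every time (fine for a co-located server, wasteful across a network, where OPTIONS-negotiated previews let the server say 204 early), and a `200` without a detection header is treated as "modified" rather than "clean", because a server that replaced the body did so for a reason.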

ASKER

Thanks for your help with this!  :)