ietf-openproxy

ICAP extensions for parsing av responses? (fwd)

2003-04-02 09:59:02


-- The message below documents "feedback" or "additional info"
   functionality that OCP MAY want to support and that ICAP does
   not support directly. I am forwarding this to the group so that we
   keep similar functional requirements in mind. I do not know yet
   whether it is actually a good idea to support them. An alternative
   is to task the callout server with inserting additional info (if
   any) into the application message itself, essentially preventing
   further automated processing and analysis.  Alex.


        ---------- Forwarded message ----------
        Date: Wed, 02 Apr 2003 13:01:09 +0200
        From: Rainer Link <link(_at_)foo(_dot_)fh-furtwangen(_dot_)de>
        To: ICAP-Discussions(_at_)yahoogroups(_dot_)com
        Subject: ICAP extensions for parsing av responses? (was: Re:
            [ICAP-Discussions] NetCache and subscriber ID or client IP ..
            Question)

As we're on topic wrt ICAP extensions, for my samba-vscan project
(http://www.openantivirus.org/projects.php), which allows on-access
scanning of Samba shares, I wrote a very basic icap-client module. It
currently works only with Symantec AntiVirus Engine (why? please see
below).

The response from SAVE looks like

$  ./icap-client ~/eicar.com -ssr
[..]
ICAP/1.0 403 Forbidden. Infected And Not Repaired
ISTag: "1049280360"
Date: Wed Apr  2 10:46:18 2003 GMT
Service: Symantec AntiVirus Scan Engine/4.0.3.41
Service-ID: SYMCScan/4.0.3.41
X-Infection-Found: Type=0; Resolution=0; Threat=EICAR Test String;
X-Violations-Found: 1
         eicar.com
         EICAR Test String
         11101
         0

To get the virus name, the icap-client module parses the
X-Infection-Found line (it should better parse X-Violations-Found). But
I assume other products like Finjan, Trend Micro or WebWasher (with the
McAfee Engine) use another format to report the virus name(s) back. (*)

So, in short, ICAP is a generic protocol to talk to various ICAP
AntiVirus servers, but imho there's no generic way to retrieve the virus
name(s). Either my client must ship with some kind of a configuration
file, which can be used to set up the patterns to match for the virus
name. Or the OPTIONS response must contain some information on how to
parse the RESPMOD/REQMOD response to get it. Or it has to be specified in
the ICAP specs. Probably I missed a method?

<snip>
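As an added example (not samba-vscan's icap-client code), the following Python parser reads the response format quoted above: the `Key=Value;` attributes of X-Infection-Found and the multi-line X-Violations-Found block that the message says should be parsed instead. The responses are constructed, and the meaning of the four continuation lines (file, threat, threat id, resolution) is assumed from the sample rather than taken from any specification.

```python
# Constructed sample, modelled on the SAVE response quoted in the message.
SAMPLE_RESPONSE = (
    "ICAP/1.0 403 Forbidden. Infected And Not Repaired\r\n"
    "X-Infection-Found: Type=0; Resolution=0; Threat=EICAR Test String;\r\n"
    "X-Violations-Found: 1\r\n"
    "         eicar.com\r\n"
    "         EICAR Test String\r\n"
    "         11101\r\n"
    "         0\r\n"
    "\r\n"
)
CLEAN_RESPONSE = "ICAP/1.0 200 OK\r\n\r\n"  # constructed: no infection headers

def split_headers(raw):
    """(status_code, {lowercased name: [value, continuation lines...]});
    whitespace-led lines continue the previous header (the X-Violations-Found block)."""
    status_line, *head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(status_line.split()[1])
    headers, name = {}, None
    for line in head:
        if line[:1] in (" ", "\t") and name is not None:
            headers[name].append(line.strip())
        else:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = [value.strip()]
    return status, headers

def parse_infection_found(headers):
    """X-Infection-Found 'Key=Value;' attributes as a dict (empty if absent)."""
    parts = (p.partition("=") for p in headers.get("x-infection-found", [""])[0].split(";"))
    return {k.strip(): v.strip() for k, sep, v in parts if sep}

def parse_violations_found(headers):
    """One dict per violation; the count line must match the number of 4-line groups."""
    count, *fields = headers.get("x-violations-found", ["0"])
    if len(fields) != 4 * int(count):
        raise ValueError("X-Violations-Found: %s entries but %d lines" % (count, len(fields)))
    keys = ("file", "threat", "threat_id", "resolution")  # meaning assumed from the sample
    return [dict(zip(keys, fields[i:i + 4])) for i in range(0, len(fields), 4)]

def threat_names(raw):
    """(status, [virus names]); prefers X-Violations-Found, falls back to Threat=."""
    status, headers = split_headers(raw)
    names = [v["threat"] for v in parse_violations_found(headers)]
    threat = parse_infection_found(headers).get("Threat")
    return status, names or ([threat] if threat else [])
```

A count line that does not match the continuation lines is rejected rather than silently truncated, so a malformed or differently formatted vendor response fails loudly instead of yielding a wrong virus name.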

