-- The message below documents "feedback" or "additional info"
functionality that OCP MAY want to support and that ICAP does
not support directly. I am forwarding this to the group so that we
keep similar functional requirements in mind. I do not know yet
whether it is actually a good idea to support them. An alternative
is to task the callout server with inserting additional info (if
any) into the application message itself, essentially preventing
further automated processing and analysis. Alex.
---------- Forwarded message ----------
Date: Wed, 02 Apr 2003 13:01:09 +0200
From: Rainer Link <link(_at_)foo(_dot_)fh-furtwangen(_dot_)de>
To: ICAP-Discussions(_at_)yahoogroups(_dot_)com
Subject: ICAP extensions for parsing av responses? (was: Re:
[ICAP-Discussions] NetCache and subscriber ID or client IP ..
Question)
As we're on topic wrt ICAP extensions. For my samba-vscan project
(http://www.openantivirus.org/projects.php), which allows on-access
scanning of Samba shares, I wrote a very basic icap-client module. It
currently works only with Symantec AntiVirus Engine (why? please see
below).
The response from SAVE looks like
$ ./icap-client ~/eicar.com -ssr
[..]
ICAP/1.0 403 Forbidden. Infected And Not Repaired
ISTag: "1049280360"
Date: Wed Apr 2 10:46:18 2003 GMT
Service: Symantec AntiVirus Scan Engine/4.0.3.41
Service-ID: SYMCScan/4.0.3.41
X-Infection-Found: Type=0; Resolution=0; Threat=EICAR Test String;
X-Violations-Found: 1
eicar.com
EICAR Test String
11101
0
To get the virus name, the icap-client module parses the
X-Infection-Found line (it should better parse X-Violations-Found). But
I assume other products like Finjan, Trend Micro or WebWasher (with the
McAfee Engine) use another format to report the virus name(s) back. (*)
So, in short, ICAP is a generic protocol to talk to various ICAP
AntiVirus servers, but imho there's no generic way to retrieve the virus
name(s). Either my client must ship with some kind of a configuration
file, which can be used to set up the patterns to match for the virus
name. Or the OPTIONS response must contain some information, how to
parse the RESPMOD/REQMOD response to get it. Or it has to be specified in
the ICAP specs. Probably I missed a method?
<snip>
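The parsing problem Rainer describes (pulling the threat name out of a vendor-specific ICAP response) is shown below as an added example; it is not part of the mailing-list message or of the samba-vscan code. It parses the Symantec-style response quoted above: the status line, the folded headers, the `X-Infection-Found` key/value list and the multi-line `X-Violations-Found` block. The sample response is constructed from the one in the message, with the continuation lines indented as they would be on the wire; the assumption that each violation is reported as four lines (file name, threat name, threat ID, disposition) is taken from that single sample and is not documented anywhere on this page. The result object fails closed: any status other than 200/204 is treated as a block even when no vendor header could be parsed, so a client never lets a file through just because the threat name was in an unrecognised format.

```python
"""Parser for an AV-style ICAP response (added example, not samba-vscan code)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the response quoted in the message.
# The X-Violations-Found continuation lines are indented as on the wire.
SAMPLE_RESPONSE = (
    "ICAP/1.0 403 Forbidden. Infected And Not Repaired\r\n"
    'ISTag: "1049280360"\r\n'
    "Date: Wed Apr 2 10:46:18 2003 GMT\r\n"
    "Service: Symantec AntiVirus Scan Engine/4.0.3.41\r\n"
    "Service-ID: SYMCScan/4.0.3.41\r\n"
    "X-Infection-Found: Type=0; Resolution=0; Threat=EICAR Test String;\r\n"
    "X-Violations-Found: 1\r\n"
    "    eicar.com\r\n"
    "    EICAR Test String\r\n"
    "    11101\r\n"
    "    0\r\n"
    "\r\n"
)


@dataclass
class Violation:
    # Field layout assumed from the sample: four lines per violation.
    filename: str
    threat: str
    threat_id: str
    disposition: str


@dataclass
class ScanResult:
    status: int
    reason: str
    headers: Dict[str, List[str]]
    infection: Dict[str, str]
    violations: List[Violation]

    @property
    def blocked(self) -> bool:
        # Fail closed: anything but 200/204 blocks the file, whether or
        # not the vendor-specific threat headers could be parsed.
        return self.status not in (200, 204)

    @property
    def threat_names(self) -> List[str]:
        # Prefer the structured X-Violations-Found block, then fall back
        # to the Threat= field of X-Infection-Found.
        names = [v.threat for v in self.violations]
        if not names and "Threat" in self.infection:
            names = [self.infection["Threat"]]
        return names


def _unfold_headers(lines: List[str]) -> List[str]:
    """Join continuation lines (leading SP/HTAB) onto the preceding header."""
    out: List[str] = []
    for line in lines:
        if line[:1] in (" ", "\t") and out:
            out[-1] += "\n" + line.strip()
        else:
            out.append(line)
    return out


def parse_icap_response(raw: str) -> ScanResult:
    """Parse the ICAP status line and headers; the body (if any) is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"ICAP/1\.0 (\d{3})(?: (.*))?$", lines[0])
    if not m:
        raise ValueError("not an ICAP/1.0 status line")
    status, reason = int(m.group(1)), (m.group(2) or "")

    headers: Dict[str, List[str]] = {}
    for h in _unfold_headers(lines[1:]):
        name, sep, value = h.partition(":")
        if not sep:
            continue  # tolerate junk lines rather than abort
        headers.setdefault(name.strip().lower(), []).append(value.strip())

    # X-Infection-Found: "Type=0; Resolution=0; Threat=EICAR Test String;"
    infection: Dict[str, str] = {}
    for v in headers.get("x-infection-found", []):
        for part in v.split(";"):
            k, sep, val = part.partition("=")
            if sep:
                infection[k.strip()] = val.strip()

    # X-Violations-Found: count, then count*4 continuation lines (assumed).
    violations: List[Violation] = []
    for v in headers.get("x-violations-found", []):
        fields = v.split("\n")
        try:
            count = int(fields[0])
        except ValueError:
            continue
        body = fields[1:]
        for i in range(count):
            chunk = body[4 * i:4 * i + 4]
            if len(chunk) < 4:
                break  # truncated block: keep what was parsed so far
            violations.append(Violation(*chunk))

    return ScanResult(status, reason, headers, infection, violations)


if __name__ == "__main__":
    r = parse_icap_response(SAMPLE_RESPONSE)
    print(r.status, r.blocked, r.threat_names)
```

The threat name is data supplied by the scan engine, and ultimately derived from the scanned content, so a client should log it as an opaque string rather than interpolate it into a shell command or a format string. A second engine with a different header layout would need its own extractor; the `Service` header parsed above is the natural key to select one, which is the configuration-file approach the message suggests.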