Securepoint eCAP antivirus adapter

About

Securepoint eCAP antivirus adapter is an loadable eCAP adapter for the popular Squid HTTP-Proxy which allows you to scan all traffic going through for known viruses. Currently the only supported virus scan engines are clamav and commtouch csamd. The very latest version can be downloaded @ Github.

Development of this adapter started in March 2011 because nothing comparable could be found at this time. In the meantime (2011-03-17) at least one similar project exists, which you can find here.

Features

• content type detection via libmagic

• configurable skiplist dependent of the detected content type

• data trickling

eCAP support was introduced with SQUID version 3.1.. You cannot use the Securepoint eCAP antivirus adapter with earlier versions of SQUID.

Installation

Download and install libecap

Download and unpack:

wget http://www.measurement-factory.com/tmp/ecap/libecap-1.0.0.tar.gz
tar xf libecap-1.0.0.tar.gz

Build and install:

cd libecap-1.0.0/
./configure
make
make install

Download and install Securepoint eCAP antivirus adapter

In addition to libecap, libmagic is required to build the Securepoint eCAP antivirus adapter. Any modern Linux distribution should have libmagic installed already because its part of the file package. Anyhow, you have to install the development headers too. On Fedora this is done by typing:

yum install file-devel

Download and unpack:

Project homepage is https://github.com/Securepoint/squid-ecap-av/. If you like living on the bleeding edge, you can pull the working branch directly from git@github.com:Securepoint/squid-ecap-av.git[git@github.com:Securepoint/squid-ecap-av.git].

wget https://github.com/Securepoint/squid-ecap-av/archive/squid-ecap-av-v1.0.9.tar.gz
tar xf squid-ecap-av-v1.0.9.tar.gz

Build and install:

mkdir squid-ecap-av-1.0.9/build
cd squid-ecap-av-1.0.9/build
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
make
make install

Usage

Add the following lines to your /etc/squid/squid.conf:

acl HTTP_STATUS_OK http_status 200
loadable_modules /usr/libexec/squid/ecap_adapter_av.so

ecap_enable on
ecap_service AVRESP respmod_precache bypass=0 ecap://www.securepoint.de/ecap_av
adaptation_access AVRESP allow HTTP_STATUS_OK

To skip scanning of html pages and all image types add the following lines to /etc/squid/ecap_adapter_av.skip:

text/html
image/.*

To skip scanning of bodies larger than 1MB add the following directive to /etc/squid/ecap_adapter_av.conf:

maxscansize = 1048576

Configuration

Currently the following options are supported:

• avdsocket: path to the unix socket the AV-daemon is listening on (/tmp/clamd.sock)

• trickletime (sec): send some bytes each trickletime seconds (30)

• maxscansize (bytes): skip scanning of bodies larger than maxscansize, set to 0 to always scan the whole body (0)

• magicdb: path to the magic database file (/usr/share/misc/magic.mgc)

• skiplist: path to the file containing the list of mimetypes not to scan (/etc/squid/ecap_adapter_av.skip)

• blocklist: path to the file containing the list of mimetypes to block (/etc/squid/ecap_adapter_av.block)

• tempdir: directory to store temporary files in

• readtimeout: timeout for AV socket read operations

• writetimeout: timeout for AV socket write operations

Testing

Point your browser to go through the proxy and try to download the eicar Anti-Malware test file from here.

Bug reporting

Report bugs through the Github squid-ecap-av project page.

A note for Firefox Users

How to solve "Content Encoding Error" on firefox?

This issue is fixed since v1.0.6pre5. Nervertheless for the record:

From http://answers.yahoo.com/question/index?qid=20100804010634AAxaUGD

• In the address bar type about:config

• Tell it that you will be careful, Promise!!

• In the filter type encoding

• There should be one option reading network.http.accept-encoding

• Click in the value column and type true

We are working on this issue, but currently we have no idea what happens. :-(

vim:set ft=asciidoc: