Squid + ClamAV


Squid + ClamAV

Andrea Venturoli
Hello.

Is this the right place to discuss Squid + C-ICAP + SquidClamAV + ClamAV?
Normally I'd look for a specific mailing list, but it seems SquidClamAV
has none.
If this isn't the right place, can someone give a pointer on where to go?



I set up the whole thing and it's working.
However I often get terrible performance (with ClamAV eating a lot of
CPU), but find it hard to understand what is being scanned that takes so
long, and I find the logs of little help.
Also, this does not seem to be always reproducible, since many sites
will sometimes be very fast and sometimes very slow.

I looked for suggestions on how to tweak ClamAV and/or SquidClamAV
(e.g. with whitelists), but came up empty.

Any hint?

  bye & Thanks
        av.
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: [ext] Squid + ClamAV

Ralf Hildebrandt
* Andrea Venturoli <[hidden email]>:
> Hello.
>
> Is this the right place to discuss Squid + C-ICAP + SquidClamAV + ClamAV?

What do you need SquidClamAV for?
I'm running Squid + C-ICAP + ClamAV only.

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
[hidden email]
https://www.charite.de

Re: [ext] Squid + ClamAV

Andrea Venturoli
On 2020-03-06 16:24, Ralf Hildebrandt wrote:
> * Andrea Venturoli <[hidden email]>:
>> Hello.
>>
>> Is this the right place to discuss Squid + C-ICAP + SquidClamAV + ClamAV?
>
> What do you need SquidClamAV for?

Interesting question.

I find information on the web scarce, but here (*) it states "In
practice, configuration with clamd and squidclamav is fastest".

(*) https://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP

Is that wrong? Outdated?
Also, squidclamav allows for whitelists, which I don't see mentioned in
the other setups.



Do you believe any of the different configurations outlined in that
document is better?

What do you suggest?
I-CAP + clamd?
I-CAP + libclamav?

Keep in mind I will run clamd anyway for other services.

Or should I ignore that document completely and use something else?

Also, I heard about e-cap, but IIUIC it's still immature. Is that correct?



In any case, are you getting satisfactory performance? Did you need any
tweak to ClamAV config?



  bye & Thanks
        av.

Re: [ext] Squid + ClamAV

Ralf Hildebrandt
* Andrea Venturoli <[hidden email]>:

> On 2020-03-06 16:24, Ralf Hildebrandt wrote:
> > * Andrea Venturoli <[hidden email]>:
> > > Hello.
> > >
> > > Is this the right place to discuss Squid + C-ICAP + SquidClamAV + ClamAV?
> >
> > What do you need SquidClamAV for?
>
> Interesting question.
>
> I find information on the web scarce, but here (*) it states "In practice,
> configuration with clamd and squidclamav is fastest".
>
> (*) https://wiki.squid-cache.org/ConfigExamples/ContentAdaptation/C-ICAP
>
> Is that wrong? Outdated?

Actually, I don't know :)

In my setup I'm using squid & c-icap with CLAMD. I'm scanning a few
types only:

virus_scan.ScanFileTypes EXECUTABLE ARCHIVE FWS CWS DOCUMENT DATA TEXT
--
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
[hidden email]
https://www.charite.de

Re: [ext] Squid + ClamAV

Andrea Venturoli
On 2020-03-09 16:01, Ralf Hildebrandt wrote:

> Actually, I don't know :)

Thanks anyway.



> In my setup I'm using squid & c-icap with CLAMD. I'm scanning a few
> types only:
>
> virus_scan.ScanFileTypes EXECUTABLE ARCHIVE FWS CWS DOCUMENT DATA TEXT

That was an idea I had too, i.e. limiting scanned types.
With FWS and CWS you mean Flash???

I see you don't scan JavaScript: I thought it would be the first thing
to look into...
Any reasoning behind this?



  bye & Thanks
        av.

Re: [ext] Squid + ClamAV

Ralf Hildebrandt
* Andrea Venturoli <[hidden email]>:

> > virus_scan.ScanFileTypes EXECUTABLE ARCHIVE FWS CWS DOCUMENT DATA TEXT
>
> That was an idea I had too, i.e. limiting scanned types.
> With FWS and CWS you mean Flash???

0:FWS:SWF:Shockwave Flash data:GRAPHICS
0:CWS:SWF:Shockwave Flash data:GRAPHICS
 
> I see you don't scan JavaScript: I thought it would be the first thing to
> look into...

All the filetypes are recognized using the "c-icap.magic" file. That
file doesn't have a js/javascript category at all.

CURRENT GROUPS in that file are: TEXT DATA EXECUTABLE ARCHIVE GRAPHICS STREAM DOCUMENT
(as you see in my example above, Shockwave Flash is grouped under GRAPHICS)

They probably fall into the TEXT category.

Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netzwerk

Campus Benjamin Franklin (CBF)
Haus I | 1. OG | Raum 105
Hindenburgdamm 30 | D-12203 Berlin

Tel. +49 30 450 570 155
[hidden email]
https://www.charite.de
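
Added example, not part of the thread and not c-icap's own code: a Python check that parses `c-icap.magic`-style lines (the `offset:magic:type:description:group` layout of the two entries quoted above) and resolves a `virus_scan.ScanFileTypes` line against them. It assumes each token is compared with an entry's type field or group names; the `SAMPLEEXE`/`SAMPLEARC` entries and the function names are constructed for illustration.

```python
# Groups listed in the thread as the "CURRENT GROUPS" of c-icap.magic.
KNOWN_GROUPS = {"TEXT", "DATA", "EXECUTABLE", "ARCHIVE",
                "GRAPHICS", "STREAM", "DOCUMENT"}

# The two SWF entries are quoted in the thread; the SAMPLE* entries are constructed.
SAMPLE_MAGIC = """\
0:FWS:SWF:Shockwave Flash data:GRAPHICS
0:CWS:SWF:Shockwave Flash data:GRAPHICS
0:XEXE:SAMPLEEXE:constructed executable entry:EXECUTABLE
0:XARC:SAMPLEARC:constructed archive entry:ARCHIVE:DATA
"""
DIRECTIVE = "virus_scan.ScanFileTypes EXECUTABLE ARCHIVE FWS CWS DOCUMENT DATA TEXT"


def parse_magic(text):
    """Parse offset:magic:type:description:group[:group...] lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 5 or not parts[0].isdigit():
            continue  # malformed entry: skip rather than guess
        entries.append({"magic": parts[1], "type": parts[2],
                        "groups": set(parts[4:])})
    return entries


def resolve(directive, entries):
    """Return (types scanned, types not scanned, tokens matching nothing).

    Assumption: a token selects an entry when it equals the entry's type
    field or one of its groups; it is not compared with the magic bytes.
    """
    tokens = directive.split()[1:]
    all_types = {e["type"] for e in entries}
    scanned = {e["type"] for e in entries
               if e["type"] in tokens or e["groups"] & set(tokens)}
    unmatched = [t for t in tokens
                 if t not in all_types and t not in KNOWN_GROUPS]
    return scanned, all_types - scanned, unmatched


if __name__ == "__main__":
    scanned, skipped, unmatched = resolve(DIRECTIVE, parse_magic(SAMPLE_MAGIC))
    print("scanned:", sorted(scanned))
    print("not scanned:", sorted(skipped))
    print("tokens matching no type or group:", unmatched)
```

Pointing `parse_magic` at the contents of the site's own `c-icap.magic` shows which entries a given `ScanFileTypes` line leaves unscanned.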