and have configured things so that virus scanning with Sophos' SAVDI
works and can get to a custom error page; however, I can't seem to find
any way of getting the name of the detected virus passed across to the
custom error page and displayed.
The appropriate part of my squid.conf is
acl http_status_403 http_status 403
acl virus_found rep_header X-Blocked -i \Virus found during virus scan\.
adaptation_access sophosicap allow all
icap_service sophosicap respmod_precache icap://127.0.0.1:4020/sophos
http_reply_access deny http_status_403 virus_found
deny_info ERR_MDX_VIRUS_FOUND virus_found
The acl is typically the last acl on the http_access deny line which
denied access. The exceptions to this rule are:
- When Squid needs to request authentication credentials. It's then
the first authentication related acl encountered
- When none of the http_access lines matches. It's then the last
acl processed on the last http_access line.
- When the decision to deny access was made by an adaptation service,
the acl name is the corresponding eCAP or ICAP service_name.
I try to use the configuration given in the previous post with: Squid 4.9 and
Sophos SAVDI 2.6.
If I download a virus file, the Squid sends the file for scanning and is
detected by Sophos SAVDI (I find it in logs) but it is not blocked by Squid
(I can download it).
The problem I think is in the response received by the Squid after the scan
but I do not know where.
Has anyone managed to make this solution functional?
On 9/01/20 10:22 pm, netadmin wrote:
> I try to use the configuration given in the previous post
FYI: this post started a brand new thread, there is no previous post
visible to us. Please provide a direct reference to the post and/or
config file in question.
> with: Squid 4.9 and
> Sophos SAVDI 2.6.
> If I download a virus file, the Squid sends the file for scanning and is
> detected by Sophos SAVDI (I find it in logs) but it is not blocked by Squid
> (I can download it).
> The problem I think is in the response received by the Squid after the scan
> but I do not know where.
> Has anyone managed to make this solution functional?
I assume the config uses the AV software as an ICAP service?
That has been made working by many AFAIK, with several different AV
It is most likely that the ICAP service is either telling Squid it can
start delivering the response early before it finds the virus payload.
Or, producing the wrong response and thus causing Squid to deliver the
To help we are likely to need your squid.conf details, the access.log
entries that show the transaction(s) you know are wrong, and the
... and in both these the HTTP response given to SAVDI was 184 bytes long.
SAVDI is truncating infected payloads and telling Squid to deliver a
0-length response instead of the infection. So the setup is working fine
- though not with the log entries you were expecting to see.
> I also tried with the settings from David Webb's post ie:
> acl http_status_403 http_status 403
> acl virus_found rep_header X-Blocked -i \Virus found during virus scan\.
> I tried both options:
> http_reply_access deny http_status_403 virus_found
> adapted_http_access deny http_status_403 virus_found
> but something is wrong, I can download the test file (eicar).
There are two problems here.
* The string SAVDI adds has no '.' at the end. The regex you have says
(with "\.") that is mandatory.
- remove that bit of the regex
* SAVDI is producing status 200. So the 403 status check will not work
- remove the http_status_403.
The access.log you showed earlier say that SAVDI is adding both of these
headers which you could use:
X-Blocked: Virus found during virus scan
X-Blocked-By: Sophos Anti-Virus
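As an added illustration (not from the thread), a small Python model of how Squid evaluates one http_reply_access deny line: every ACL named on the line must match, so the original line never fires against the headers SAVDI actually sends, while the corrected line does. The response dicts are constructed to mimic the access.log entries described above.

```python
import re

# Model of one Squid "http_reply_access deny acl1 acl2 ..." line:
# all ACLs on the line are ANDed; the deny fires only if every one matches.
# (Assumption for this example: Squid applies rep_header regexes as an
# unanchored search, case-insensitive when -i is given.)

def acl_http_status(code):
    """http_status ACL: matches when the reply status equals `code`."""
    return lambda resp: resp["status"] == code

def acl_rep_header(name, pattern, ignore_case=True):
    """rep_header ACL: matches when header `name` exists and `pattern` is found."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    def match(resp):
        value = resp["headers"].get(name)
        return value is not None and rx.search(value) is not None
    return match

def reply_denied(acls, resp):
    return all(acl(resp) for acl in acls)

# Original line from the thread: deny http_status_403 virus_found
# (the regex required a trailing '.', and a 403 status was required too).
ORIGINAL = [acl_http_status(403),
            acl_rep_header("X-Blocked", r"Virus found during virus scan\.")]

# Corrected line as recommended above: deny virus_found, regex without "\.".
CORRECTED = [acl_rep_header("X-Blocked", r"Virus found during virus scan")]

# Constructed samples: what SAVDI returns for an infected file (status 200,
# no trailing period) and a clean reply with no X-Blocked header.
SAVDI_BLOCKED = {"status": 200,
                 "headers": {"X-Blocked": "Virus found during virus scan",
                             "X-Blocked-By": "Sophos Anti-Virus"}}
CLEAN = {"status": 200, "headers": {"Content-Type": "text/html"}}

def evaluate(resp):
    """Return whether each ruleset would deny the given reply."""
    return {"original": reply_denied(ORIGINAL, resp),
            "corrected": reply_denied(CORRECTED, resp)}

if __name__ == "__main__":
    print("infected:", evaluate(SAVDI_BLOCKED))  # original False, corrected True
    print("clean:   ", evaluate(CLEAN))          # both False
```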
Thank you for your time, patience and lessons learned.
Now it is all functional and I can no longer download the test file neither
by clicking nor with Save link as.
I will come back with a post that includes the necessary settings for both
Sophos SAVDI version 2.6 (I highly recommend it for scanning Squid traffic
and antivirus for e-mail) but also for Squid version 4.9 (I have been using
it for 10 years and it is an extraordinary tool for network traffic