On 30/06/2012 7:20 p.m., Felix Leimbach wrote:
> Hello list
>
> I'm running squid 3.1.19 with squidclamav 6.6 and while debugging a
> different issue, I looked at tcpdumps of the ICAP traffic for
> squidclamav.
> I noticed that not only the webpages are sent to squidclamav for
> scanning, the *requests* are sent and scanned as well.
>
> This looks like unnecessary processing overhead to me and I've
> disabled this by removing these lines (from squidclamav's install [1]
> page):
>
> icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_req allow all
>
> What's left is the response scanning:
>
> icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
> adaptation_access service_resp allow all
>
> Viruses in webpages are still being caught just fine.
>
> Should the install page be updated or is there a disadvantage to this approach?
>
> [1] http://squidclamav.darold.net/installv6.html

1) squidclamav is not part of the Squid project. So it is highly
unlikely that people here are in a position to edit that program's
documentation.

2) The HTTP world is not limited to downloads. Uploaded files, CONNECT
tunnels, media streams and other types of client-sent things also need
AV scanning to protect servers against infected clients.

It is of course up to you which you enable/disable. But being AV
documentation I would expect they prefer to document the safest known
configurations as standard and let particular admins make the choice to
open holes.

Amos
Received on Sat Jun 30 2012 - 08:25:17 MDT
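
Added example, not part of either message above and not code from Squid or squidclamav: a small Python script that reads a text dump of the ICAP traffic discussed in this thread and counts how many REQMOD and RESPMOD transactions actually carry a body, using the RFC 3507 Encapsulated header. The sample capture, its URLs and its byte offsets are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of ICAP request headers (RFC 3507 syntax) as a text dump of
# port 1344 traffic would show them; URLs and byte offsets are invented.
SAMPLE_CAPTURE = """\
REQMOD icap://127.0.0.1:1344/squidclamav ICAP/1.0
Encapsulated: req-hdr=0, null-body=170

GET http://www.example.com/index.html HTTP/1.1

REQMOD icap://127.0.0.1:1344/squidclamav ICAP/1.0
Encapsulated: req-hdr=0, req-body=212

POST http://www.example.com/upload HTTP/1.1

RESPMOD icap://127.0.0.1:1344/squidclamav ICAP/1.0
Encapsulated: req-hdr=0, res-hdr=137, res-body=296

REQMOD icap://127.0.0.1:1344/squidclamav ICAP/1.0
Encapsulated: req-hdr=0, null-body=155
"""

ICAP_START = re.compile(r"^(REQMOD|RESPMOD|OPTIONS) \S+ ICAP/1\.0\r?$", re.M)
ENCAPSULATED = re.compile(r"^Encapsulated:[ \t]*(.*?)\r?$", re.M | re.I)

def body_section(header_value):
    """Name the body part announced by an Encapsulated header value.

    'null-body' means only HTTP headers were sent; 'req-body' or 'res-body'
    means content followed for the ICAP service to inspect.
    """
    names = [item.strip().partition("=")[0].lower() for item in header_value.split(",")]
    return next((n for n in names if n.endswith("-body")), "malformed")

def summarize_icap(capture):
    """Count ICAP transactions in a text capture by (method, body section)."""
    counts = Counter()
    starts = list(ICAP_START.finditer(capture))
    for i, start in enumerate(starts):
        # Only look for the header inside this transaction, not the next one.
        end = starts[i + 1].start() if i + 1 < len(starts) else len(capture)
        header = ENCAPSULATED.search(capture, start.end(), end)
        section = body_section(header.group(1)) if header else "no-header"
        counts[(start.group(1), section)] += 1
    return counts

if __name__ == "__main__":
    for (method, section), n in sorted(summarize_icap(SAMPLE_CAPTURE).items()):
        print(f"{method:8} {section:10} {n}")
```

REQMOD rows with req-body are the client-sent content (uploads and similar) that would no longer reach the scanner once the request service is removed; null-body rows are header-only transactions.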