The integration of c-icap with ClamAV is commonly used to provide antivirus scanning for web traffic, email, or other content passing through proxy servers (like Squid) or gateway services. This setup helps intercept and scan potentially harmful content before it reaches end users or systems.

Overview of c-icap and ClamAV Integration

• c-icap

It's a high-performance, open-source server that implements the ICAP (Internet Content Adaptation Protocol). ICAP is commonly used by proxy servers (such as Squid) to offload tasks like content modification or virus scanning to specialized servers.

• ClamAV

ClamAV is an open-source antivirus engine designed to detect malware and viruses. It's widely used for scanning files on mail gateways, web proxies, and other points where potentially harmful files might pass.

You can checkout files from this GitHub https://github.com/ebasso/ibm-secure-proxy-icap-clamav-demo

Procedure

Install Packages on RHEL 9

1) Install EPEL Repository in RHEL 9

subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms

2) run dnf

dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

3) Install Clamav packages

dnf -y install clamav clamav-data clamav-devel clamav-freshclam clamav-filesystem clamav-lib clamd

4) Install C-ICAP packages

dnf -y install c-icap c-icap-libs c-icap-modules

Clamav Server

Update Virus definition

Check install with update virus definition

freshclam

Enable as service

systemctl enable clamav-freshclam.service

systemctl start clamav-freshclam.service

Check status

systemctl status clamav-freshclam.service

Configure clamav

1) Backup default ICAP server configuration file:

cd /etc/clamd.d

mv scan.conf scan.conf_original

2) Create a scan.conf and add the following content:

LogFile /var/log/clamd.scan.log
LogFileMaxSize 10M
LogTime yes
LogClean yes
LogVerbose yes
LogRotate yes
TCPSocket 3310
PidFile /run/clamd.scan/clamd.pid
LocalSocket /run/clamd.scan/clamd.sock
User clamscan

Save and exit the file

Start the Clamav Server

systemctl enable [email protected]'

systemctl start [email protected]

Configure ICAP Server

1) Backup default ICAP server configuration file:

cd /etc/c-icap

mv c-icap.conf c-icap.conf_original
mv virus_scan.conf virus_scan.conf_original
mv clamd_mod.conf clamd_mod.conf_original

c-icap.conf

Create a c-icap.conf and add the following content:

Include virus_scan.conf
Include srv_content_filtering.conf
PidFile /run/c-icap/c-icap.pid
CommandsSocket /run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild  0
Port 1344
ServerAdmin [email protected]
ServerName YourServerName
TmpDir /var/tmp
MaxMemObject 131072
DebugLevel 1
Pipelining on
SupportBuggyClients off
ModulesDir /usr/lib64/c_icap
ServicesDir /usr/lib64/c_icap
TemplateDir /usr/share/c_icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /etc/c-icap/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
acl all src 0.0.0.0/0.0.0.0
acl PERMIT_REQUESTS type REQMOD RESPMOD OPTIONS
icap_access allow all PERMIT_REQUESTS
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log
Service echo srv_echo.so

Save and exit the file

virus_scan.conf

Create a virus_scan.conf and add the following content:

Service antivirus_module virus_scan.so
ServiceAlias srv_clamav virus_scan
ServiceAlias avscan virus_scan?allow204=on&sizelimit=off&mode=simple
virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
virus_scan.SendPercentData 5
virus_scan.StartSendPercentDataAfter 2M
virus_scan.MaxObjectSize  5M
virus_scan.DefaultEngine clamd
Include clamd_mod.conf

clamd_mod.conf

Create a clamd_mod.conf and add the following content:

Module common clamd_mod.so
clamd_mod.ClamdSocket /run/clamd.scan/clamd.sock

Save and exit the file

srv_content_filtering.conf

Create a new file srv_content_filtering.conf and add the following content:

Service srv_cfg_filter srv_content_filtering.so
srv_content_filtering.RequireContentLength off
srv_content_filtering.MaxBodyData 5M
srv_content_filtering.Match demoScore body /(icap_test|icap-block|test-icap)/i score=200
srv_content_filtering.Match badHeader Header{ICAP-TEST} /BLOCK/
srv_content_filtering.Action block score{demoScore>5}
srv_content_filtering.Action block score{badHeader}

Save and exit the file

Start the ICAP Server

systemctl enable c-icap.service

systemctl start c-icap.service

Verify Configuration

1) Testing your instalation

To test your c-icap server you can use the c-icap-client utility which included in c-icap package.

c-icap-client

Sample result:

c-icap-client
ICAP server:localhost, ip:127.0.0.1, port:1344

OPTIONS:
	Allow 204: Yes
	Allow 206: No
	Preview: 1024
	Keep alive: Yes

ICAP HEADERS:
	ICAP/1.0 200 OK
	Methods: RESPMOD, REQMOD
	Service: C-ICAP/0.6.2 server - Echo demo service
	ISTag: "CI0001-XXXXXXXXX"
	Transfer-Preview: *
	Options-TTL: 3600
	Date: Mon, 30 Sep 2024 19:49:43 GMT
	Preview: 1024
	Allow: 204
	X-Include: X-Authenticated-User, X-Authenticated-Groups
	Encapsulated: null-body=0

2) Ensure there are no errors in the log file

tail -f /var/log/c-icap/server.log

tail -f /var/log/c-icap/access.log

Know Problems

C-ICAP: Cannot connect to clamd server

In /var/log/c-icap/server.log, I had the following error:

Tue Oct  1 08:10:44 2024, main proc, clamd_connect: Can not connect to clamd server on /run/clamd.scan/clamd.sock!
Tue Oct  1 08:10:44 2024, main proc, clamd_init: Error while sending command to clamd server
Tue Oct  1 08:10:44 2024, main proc, Registry 'virus_scan::engines' does not exist!

To fix, change permissions of clamd.scan directory:

chmod g+rx,o+rx /run/clamd.scan

Ver também

• ASSP:Automatizando o Rebuild.pl
• Configurando o Postfix com SmartHost do ASSP
• Linux: Configurando DHCP e BIND com DNS Dinamico
• Linux e Unix: Ferramentas de Monitoracao e Performance

• Mais Artigos sobre Linux / UNIX / AIX
• Mais Artigos sobre Tecnologias