Installing and Configuring ICAP on ClamAV: Difference between revisions

From Wiki
No edit summary
No edit summary
 
(29 intermediate revisions by the same user not shown)
Line 1: Line 1:
The integration of c-icap with ClamAV is commonly used to provide antivirus scanning for web traffic, email, or other content passing through proxy servers (like Squid) or gateway services. This setup helps intercept and scan potentially harmful content before it reaches end users or systems.
Overview of c-icap and ClamAV Integration
* '''c-icap'''
: It's a high-performance, open-source server that implements the ICAP (Internet Content Adaptation Protocol). ICAP is commonly used by proxy servers (such as Squid) to offload tasks like content modification or virus scanning to specialized servers.
* '''ClamAV'''
: ClamAV is an open-source antivirus engine designed to detect malware and viruses. It's widely used for scanning files on mail gateways, web proxies, and other points where potentially harmful files might pass.
You can checkout files from this GitHub https://github.com/ebasso/ibm-secure-proxy-icap-clamav-demo
= Procedure =
= Procedure =


Line 9: Line 23:
2) run dnf
2) run dnf


  <nowiki>dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm -y</nowiki>
  <nowiki>dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm</nowiki>


3) Install Clamav packages
3) Install Clamav packages


  dnf -y install clamav clamav-data clamav-devel clamav-freshclamclamav-filesystem clamav-lib clamd
  dnf -y install clamav clamav-data clamav-devel clamav-freshclam clamav-filesystem clamav-lib clamd


4) Install C-ICAP packages
4) Install C-ICAP packages


  dnf install c-icap c-icap-libs c-icap-modules -y
  dnf -y install c-icap c-icap-libs c-icap-modules
 
== Clamav Server ==


== Step 2: Configure ClamAV ==
=== Update Virus definition ===


1) Update virus definition
Check install with update virus definition


  freshclam
  freshclam


Save and exit the file
Enable as service
 
systemctl enable clamav-freshclam.service
systemctl start clamav-freshclam.service
 
Check status


3) Start the ClamAV daemon:
systemctl status clamav-freshclam.service


sudo systemctl start clamav-freshclam
=== Configure clamav ===


1) Backup default ICAP server configuration file:


== Step 3: Configure ICAP Server ==
cd /etc/clamd.d
mv scan.conf scan.conf_original


1) Edit the ICAP server configuration file:
2) Create a scan.conf and add the following content:


  sudo nano /etc/clamav-icap.conf
<nowiki>
LogFile /var/log/clamd.scan.log
LogFileMaxSize 10M
LogTime yes
LogClean yes
LogVerbose yes
LogRotate yes
TCPSocket 3310
PidFile /run/clamd.scan/clamd.pid
LocalSocket /run/clamd.scan/clamd.sock
User clamscan
</nowiki>


2) Make the following adjustments:**
Save and exit the file


# Bind to all interfaces (adjust if needed)
=== Start the Clamav Server ===
  ListenAddress 0.0.0.0
 
  systemctl enable clamd@scan.service'
   
   
  # Set the port (default is 1344)
  systemctl start [email protected]
  ListenPort 1344
 
== Configure ICAP Server ==
 
1) Backup default ICAP server configuration file:
 
  cd /etc/c-icap
   
   
  # Set the service name (optional)
  mv c-icap.conf c-icap.conf_original
  ServiceName clamav-icap
mv virus_scan.conf virus_scan.conf_original
  mv clamd_mod.conf clamd_mod.conf_original


  # Set the request method (default is "REQMOD")
=== c-icap.conf ===
  RequestMethod REQMOD
 
Create a c-icap.conf and add the following content:
 
<nowiki>
Include virus_scan.conf
Include srv_content_filtering.conf
PidFile /run/c-icap/c-icap.pid
CommandsSocket /run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads    10
MaxSpareThreads    20
ThreadsPerChild    10
MaxRequestsPerChild  0
Port 1344
ServerAdmin [email protected]
ServerName YourServerName
TmpDir /var/tmp
MaxMemObject 131072
DebugLevel 1
Pipelining on
SupportBuggyClients off
ModulesDir /usr/lib64/c_icap
ServicesDir /usr/lib64/c_icap
TemplateDir /usr/share/c_icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /etc/c-icap/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
acl all src 0.0.0.0/0.0.0.0
acl PERMIT_REQUESTS type REQMOD RESPMOD OPTIONS
icap_access allow all PERMIT_REQUESTS
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log
Service echo srv_echo.so
</nowiki>
 
Save and exit the file
 
=== virus_scan.conf ===
 
Create a virus_scan.conf and add the following content:
 
<nowiki>
Service antivirus_module virus_scan.so
ServiceAlias srv_clamav virus_scan
ServiceAlias avscan virus_scan?allow204=on&sizelimit=off&mode=simple
virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
virus_scan.SendPercentData 5
virus_scan.StartSendPercentDataAfter 2M
virus_scan.MaxObjectSize  5M
virus_scan.DefaultEngine clamd
Include clamd_mod.conf
</nowiki>
 
 
=== clamd_mod.conf ===
 
Create a clamd_mod.conf and add the following content:
 
  <nowiki>
Module common clamd_mod.so
clamd_mod.ClamdSocket /run/clamd.scan/clamd.sock
</nowiki>
 
Save and exit the file
 
=== srv_content_filtering.conf ===
 
Create a new file srv_content_filtering.conf and add the following content:
 
<nowiki>
Service srv_cfg_filter srv_content_filtering.so
srv_content_filtering.RequireContentLength off
srv_content_filtering.MaxBodyData 5M
srv_content_filtering.Match demoScore body /(icap_test|icap-block|test-icap)/i score=200
srv_content_filtering.Match badHeader Header{ICAP-TEST} /BLOCK/
srv_content_filtering.Action block score{demoScore>5}
srv_content_filtering.Action block score{badHeader}
</nowiki>
 
Save and exit the file
 
=== Start the ICAP Server ===
 
  systemctl enable c-icap.service
   
   
  # Set the request type (default is "CHECK")
  systemctl start c-icap.service
RequestType CHECK
 
== Verify Configuration ==
# Set the ICAP version (default is "1.0")
 
ICAPVersion 1.0
1) Testing your instalation
 
# Set the log level (0-5, higher values are more verbose)
To test your c-icap server you can use the c-icap-client utility which included in c-icap package.
LogLevel 3
# Set the log file (adjust if needed)
LogFile /var/log/clamav-icap.log
# Enable verbose logging (optional)
VerboseLog yes


Save and exit the file
c-icap-client


== Step 4: Start the ICAP Server ==
Sample result:


sudo systemctl start clamav-icap
<small><nowiki>c-icap-client
ICAP server:localhost, ip:127.0.0.1, port:1344


== Step 5: Verify Configuration ==
OPTIONS:
Allow 204: Yes
Allow 206: No
Preview: 1024
Keep alive: Yes


1) Check the ICAP server's status
ICAP HEADERS:
ICAP/1.0 200 OK
Methods: RESPMOD, REQMOD
Service: C-ICAP/0.6.2 server - Echo demo service
ISTag: "CI0001-XXXXXXXXX"
Transfer-Preview: *
Options-TTL: 3600
Date: Mon, 30 Sep 2024 19:49:43 GMT
Preview: 1024
Allow: 204
X-Include: X-Authenticated-User, X-Authenticated-Groups
Encapsulated: null-body=0
</nowiki></small>


sudo systemctl status clamav-icap


2) Ensure there are no errors in the log file
2) Ensure there are no errors in the log file


  tail -f /var/log/clamav-icap.log
  tail -f /var/log/c-icap/server.log
 
tail -f /var/log/c-icap/access.log
 
 
== Know Problems ==
 
=== C-ICAP: Cannot connect to clamd server ===
 
In /var/log/c-icap/server.log, I had the following error:
 
<small><nowiki>Tue Oct  1 08:10:44 2024, main proc, clamd_connect: Can not connect to clamd server on /run/clamd.scan/clamd.sock!
Tue Oct  1 08:10:44 2024, main proc, clamd_init: Error while sending command to clamd server
Tue Oct  1 08:10:44 2024, main proc, Registry 'virus_scan::engines' does not exist!</nowiki></small>
 
To fix, change permissions of clamd.scan directory:


chmod g+rx,o+rx /run/clamd.scan


== Ver também ==
== Ver também ==

Latest revision as of 19:48, 1 October 2024

The integration of c-icap with ClamAV is commonly used to provide antivirus scanning for web traffic, email, or other content passing through proxy servers (like Squid) or gateway services. This setup helps intercept and scan potentially harmful content before it reaches end users or systems.

Overview of c-icap and ClamAV Integration

  • c-icap
It's a high-performance, open-source server that implements the ICAP (Internet Content Adaptation Protocol). ICAP is commonly used by proxy servers (such as Squid) to offload tasks like content modification or virus scanning to specialized servers.
  • ClamAV
ClamAV is an open-source antivirus engine designed to detect malware and viruses. It's widely used for scanning files on mail gateways, web proxies, and other points where potentially harmful files might pass.


You can checkout files from this GitHub https://github.com/ebasso/ibm-secure-proxy-icap-clamav-demo

Procedure

Install Packages on RHEL 9

1) Install EPEL Repository in RHEL 9

subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms

2) run dnf

dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

3) Install Clamav packages

dnf -y install clamav clamav-data clamav-devel clamav-freshclam clamav-filesystem clamav-lib clamd

4) Install C-ICAP packages

dnf -y install c-icap c-icap-libs c-icap-modules

Clamav Server

Update Virus definition

Check install with update virus definition

freshclam

Enable as service

systemctl enable clamav-freshclam.service

systemctl start clamav-freshclam.service

Check status

systemctl status clamav-freshclam.service

Configure clamav

1) Backup default ICAP server configuration file:

cd /etc/clamd.d

mv scan.conf scan.conf_original

2) Create a scan.conf and add the following content:

LogFile /var/log/clamd.scan.log
LogFileMaxSize 10M
LogTime yes
LogClean yes
LogVerbose yes
LogRotate yes
TCPSocket 3310
PidFile /run/clamd.scan/clamd.pid
LocalSocket /run/clamd.scan/clamd.sock
User clamscan

Save and exit the file

Start the Clamav Server

systemctl enable [email protected]'

systemctl start [email protected]

Configure ICAP Server

1) Backup default ICAP server configuration file:

cd /etc/c-icap

mv c-icap.conf c-icap.conf_original
mv virus_scan.conf virus_scan.conf_original
mv clamd_mod.conf clamd_mod.conf_original

c-icap.conf

Create a c-icap.conf and add the following content:

Include virus_scan.conf
Include srv_content_filtering.conf
PidFile /run/c-icap/c-icap.pid
CommandsSocket /run/c-icap/c-icap.ctl
Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 600
StartServers 3
MaxServers 10
MinSpareThreads     10
MaxSpareThreads     20
ThreadsPerChild     10
MaxRequestsPerChild  0
Port 1344
ServerAdmin [email protected]
ServerName YourServerName
TmpDir /var/tmp
MaxMemObject 131072
DebugLevel 1
Pipelining on
SupportBuggyClients off
ModulesDir /usr/lib64/c_icap
ServicesDir /usr/lib64/c_icap
TemplateDir /usr/share/c_icap/templates/
TemplateDefaultLanguage en
LoadMagicFile /etc/c-icap/c-icap.magic
RemoteProxyUsers off
RemoteProxyUserHeader X-Authenticated-User
RemoteProxyUserHeaderEncoded on
acl all src 0.0.0.0/0.0.0.0
acl PERMIT_REQUESTS type REQMOD RESPMOD OPTIONS
icap_access allow all PERMIT_REQUESTS
ServerLog /var/log/c-icap/server.log
AccessLog /var/log/c-icap/access.log
Service echo srv_echo.so

Save and exit the file

virus_scan.conf

Create a virus_scan.conf and add the following content:

Service antivirus_module virus_scan.so
ServiceAlias srv_clamav virus_scan
ServiceAlias avscan virus_scan?allow204=on&sizelimit=off&mode=simple
virus_scan.ScanFileTypes TEXT DATA EXECUTABLE ARCHIVE GIF JPEG MSOFFICE
virus_scan.SendPercentData 5
virus_scan.StartSendPercentDataAfter 2M
virus_scan.MaxObjectSize  5M
virus_scan.DefaultEngine clamd
Include clamd_mod.conf


clamd_mod.conf

Create a clamd_mod.conf and add the following content:

Module common clamd_mod.so
clamd_mod.ClamdSocket /run/clamd.scan/clamd.sock

Save and exit the file

srv_content_filtering.conf

Create a new file srv_content_filtering.conf and add the following content:

Service srv_cfg_filter srv_content_filtering.so
srv_content_filtering.RequireContentLength off
srv_content_filtering.MaxBodyData 5M
srv_content_filtering.Match demoScore body /(icap_test|icap-block|test-icap)/i score=200
srv_content_filtering.Match badHeader Header{ICAP-TEST} /BLOCK/
srv_content_filtering.Action block score{demoScore>5}
srv_content_filtering.Action block score{badHeader}

Save and exit the file

Start the ICAP Server

systemctl enable c-icap.service

systemctl start c-icap.service

Verify Configuration

1) Testing your instalation

To test your c-icap server you can use the c-icap-client utility which included in c-icap package.

c-icap-client

Sample result:

c-icap-client
ICAP server:localhost, ip:127.0.0.1, port:1344

OPTIONS:
	Allow 204: Yes
	Allow 206: No
	Preview: 1024
	Keep alive: Yes

ICAP HEADERS:
	ICAP/1.0 200 OK
	Methods: RESPMOD, REQMOD
	Service: C-ICAP/0.6.2 server - Echo demo service
	ISTag: "CI0001-XXXXXXXXX"
	Transfer-Preview: *
	Options-TTL: 3600
	Date: Mon, 30 Sep 2024 19:49:43 GMT
	Preview: 1024
	Allow: 204
	X-Include: X-Authenticated-User, X-Authenticated-Groups
	Encapsulated: null-body=0


2) Ensure there are no errors in the log file

tail -f /var/log/c-icap/server.log
tail -f /var/log/c-icap/access.log


Know Problems

C-ICAP: Cannot connect to clamd server

In /var/log/c-icap/server.log, I had the following error:

Tue Oct  1 08:10:44 2024, main proc, clamd_connect: Can not connect to clamd server on /run/clamd.scan/clamd.sock!
Tue Oct  1 08:10:44 2024, main proc, clamd_init: Error while sending command to clamd server
Tue Oct  1 08:10:44 2024, main proc, Registry 'virus_scan::engines' does not exist!

To fix, change permissions of clamd.scan directory:

chmod g+rx,o+rx /run/clamd.scan

Ver também