IBM Sterling Secure Proxy: Anti-Virus scanning over Connect:Direct protocol with ICAP and Clamav
The integration of IBM Secure Proxy with c-icap and ClamAV enables a robust content security solution that scans files for viruses, malware, and other threats in real-time.
This setup combines the secure routing and traffic management capabilities of IBM Secure Proxy with the content adaptation and antivirus scanning features of c-icap and ClamAV.
First, follow these procedures:
Important:
In my demo I sent files from FINTECH to DEMOBANK, and checked the files for viruses using the ICAP protocol and ClamAV.
You can check out the files from this GitHub repository: https://github.com/ebasso/ibm-secure-proxy-icap-clamav-demo
Configure ICAP on SSP
1) Go to the Advanced menu, then ICAP Configuration
2) Click on Add ICAP
3) Provide the IP address and port of the ICAP service
4) Click on the Security tab and disable security (in this demo SSP talks to the ICAP server without TLS)
5) Click on the Advanced tab and set the following values:
- Maximum Allowed File/Request Size: 5120
- ICAP Server Provider: Other
- ICAP Server Service Name: avscan
These values come from the setup in the c-icap virus_scan.conf file; the service name must match the service defined there.
6) Leave the other values at their defaults
7) Click on Save
Configure CD Adapter on SSP
1) Create a Connect:Direct Adapter and provide values for the fields Name, Port, Netmap and Routing Type.
2) Click on Add Engine
3) Define the ICAP values:
- ICAP Perimeter Server: local
- ICAP Server: icap-inbound-clamav
4) Click on the Advanced tab and confirm that ICAP Scan PNODE to SNODE (Reverse Proxy - Default) is enabled
5) Save
6) Restart the engine
How to test in Connect:Direct
1) Download the EICAR anti-virus test file (a harmless standard file that antivirus engines detect on purpose)
wget https://secure.eicar.org/eicar_com.zip
and copy it to /home/fintech/eicar_com.zip
2) Create a Connect:Direct process file, for example /home/fintech/send_eicar.cdp:
send_eicar process snode=DEMOBANK
step01 copy from ( file=/home/fintech/eicar_com.zip pnode )
            to ( file=/home/demobank/eicar_com.zip snode disp=rpl )
pend;
3) In the Connect:Direct CLI (Direct>), submit the process file
submit file=/home/fintech/send_eicar.cdp
4) Check the result with the sel stat command, using the process number (pnum) assigned when the process was submitted
Direct> sel stat pnum=30;
===============================================================================
SELECT STATISTICS
===============================================================================
P RECID LOG TIME PNAME PNUMBER STEPNAME CCOD FDBK MSGID
E RECID LOG TIME MESSAGE TEXT
X RECID LOG TIME APP DESC USID NODENAME CCOD MSGID
-------------------------------------------------------------------------------
E QCEX 10/01/2024 11:23:34 TCQ queue change from WAIT to EXEC, status PE.
E SUBP 10/01/2024 11:23:34 Submit command issued.
E SSTR 10/01/2024 11:23:34 Session started, SNODE:DEMOBANK, Protocol:tcp
LCLP 9.xx.xx.75, PORT=38472
RMTP 9.xx.xx.xx, PORT=1364
P PSTR 10/01/2024 11:23:34 send_eicar 30 0 XSMG200I
P LSST 10/01/2024 11:23:35 send_eicar 30 step01 0 XSMG201I
P CTRC 10/01/2024 11:23:35 send_eicar 30 step01 8 SSPS001I
P PRED 10/01/2024 11:23:35 send_eicar 30 8 SSPS001I
E SEND 10/01/2024 11:23:35 Session ended, Session Manager shutting down SNODE:
DEMOBANK
===============================================================================
If you check the file /home/demobank/eicar_com.zip on the SNODE, it is an empty file (zero bytes): the ICAP scan blocked the transfer, which is why step01 ends with completion code 8 and message SSPS001I in the statistics above.
Check logs on Sterling Secure Proxy
You can see the result in the secureproxy.Dnn.Tnn.log log files on IBM Secure Proxy; the blocked transfer is logged as message CSP089E:
tail -f secureproxy.D20241001.T064834.1.log
01 Oct 2024 11:32:19,681 ERROR [nodeWriterS-1] sys.ADAPTER.cd-adapter-01 - cd sessid=... CSP089E ICAP AV Scanning failed, malware detected file: /home/fintech/eicar_com.zip, ICAP response : Blocked:, Virus name: Unknown, Reputation: , Geo Location:
01 Oct 2024 11:33:44,766 ERROR [nodeWriterS-1] sys.ADAPTER.cd-adapter-01 - cd sessid=... CSP089E ICAP AV Scanning failed, malware detected file: /home/fintech/eicar_com.zip, ICAP response : Blocked:, Virus name: Unknown, Reputation: , Geo Location:
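Tailing the log by hand is fine for a demo, but in operation you want these CSP089E events extracted and counted so that a blocked transfer raises an alert and repeated blocks from one adapter or file stand out. The following is an added example, not code from the demo repository or from IBM: it parses the secureproxy log format shown above and summarizes the blocks per adapter and file. The sample lines are constructed to match that format, with made-up sessid values.

```python
"""Extract CSP089E ICAP block events from a Sterling Secure Proxy log.

Added example, not part of the demo repository. The sample lines are constructed
to match the secureproxy.Dnn.Tnn.log format shown above (sessid values made up).
"""
import re
from collections import Counter

# One secureproxy log line: timestamp, level, [thread], logger, " - ", message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+)\s+"
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+) - (?P<msg>.*)$")

# The CSP089E message body; every field is comma-separated and may be empty
CSP089E_RE = re.compile(
    r"CSP089E ICAP AV Scanning failed, malware detected file: (?P<file>[^,]+), "
    r"ICAP response : (?P<response>[^,]*), Virus name: (?P<virus>[^,]*), "
    r"Reputation: (?P<reputation>[^,]*), Geo Location: ?(?P<geo>.*)$")

# Constructed sample log (not a real capture): two blocks and one unrelated line
SAMPLE_LOG = """\
01 Oct 2024 11:32:19,681 ERROR [nodeWriterS-1] sys.ADAPTER.cd-adapter-01 - cd sessid=sample-1 CSP089E ICAP AV Scanning failed, malware detected file: /home/fintech/eicar_com.zip, ICAP response : Blocked:, Virus name: Unknown, Reputation: , Geo Location:
01 Oct 2024 11:33:44,766 ERROR [nodeWriterS-1] sys.ADAPTER.cd-adapter-01 - cd sessid=sample-2 CSP089E ICAP AV Scanning failed, malware detected file: /home/fintech/eicar_com.zip, ICAP response : Blocked:, Virus name: Unknown, Reputation: , Geo Location:
01 Oct 2024 11:35:02,101 INFO [nodeWriterS-1] sys.ADAPTER.cd-adapter-01 - cd sessid=sample-3 session closed
"""


def parse_av_blocks(text: str) -> list:
    """Return one dict per CSP089E line: timestamp, adapter and the parsed message fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        block = CSP089E_RE.search(m.group("msg"))
        if not block:
            continue   # not an AV block event
        events.append({"timestamp": m.group("ts"),
                       "adapter": m.group("logger"),
                       **block.groupdict()})
    return events


def summarize(events: list) -> Counter:
    """Count blocks per (adapter, file) so repeated blocks of the same file are visible."""
    return Counter((e["adapter"], e["file"]) for e in events)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    found = parse_av_blocks(text)
    for ev in found:
        print(f'{ev["timestamp"]} {ev["adapter"]} blocked {ev["file"]} (virus: {ev["virus"] or "?"})')
    for (adapter, path), n in summarize(found).most_common():
        print(f"{n:4d}  {adapter}  {path}")
```

Pass a real secureproxy.Dnn.Tnn.log path as the first argument to run it against the proxy's own log; without an argument it runs on the constructed sample. The regex keeps the empty Reputation and Geo Location fields, so the output shape stays the same when the ICAP provider does fill them in.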