c-icap + clamAV scan storage array

Started by roya, January 04, 2019, 04:22:18 PM

Hello :)

I'm here for a particular purpose and I know OPNsense is not made for this particular project, but maybe someone has good knowledge on this subject or uses it for a similar project... So here is my problem: I need to use c-icap and ClamAV for scanning files on an Isilon storage array.

So first I used this how-to http://roadzy.blogspot.com/2015/12/setting-up-c-icap-server-using-the-c.html on CentOS without good results... Then in my research I saw that OPNsense integrates c-icap and ClamAV plug-ins, and here I am! First of all, OPNsense is a discovery for me and it's really well done!

So I've installed the c-icap and ClamAV plug-ins and they are working perfectly together. Some tests:

I've downloaded an EICAR virus onto the Isilon storage array, and with a c-icap command I get the result below, which found the EICAR virus EICAR-STANDARD-ANTIVIRUS-TEST:


root@OPNsense:/NFS # c-icap-client -f eicar_com.zip -i 192.168.222.153
ICAP server:192.168.222.153, ip:192.168.222.153, port:1344

PK
▒(<▒QhDD        eicar.comX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK


And the access log file shows this (/var/log/c-icap/access.log):


04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 OPTIONS echo 200
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 RESPMOD echo 200


And if I run
c-icap-client -i 192.168.222.153

the OPNsense server returns this:
ICAP server:192.168.222.153, ip:192.168.222.153, port:1344

OPTIONS:
        Allow 204: Yes
        Preview: 1024
        Keep alive: Yes

ICAP HEADERS:
        ICAP/1.0 200 OK
        Methods: RESPMOD, REQMOD
        Service: C-ICAP/0.5.5 server - Echo demo service
        ISTag: CI0001-XXXXXXXXX
        Transfer-Preview: *
        Options-TTL: 3600
        Date: Fri, 04 Jan 2019 14:12:27 GMT
        Preview: 1024
        Allow: 204
        X-Include: X-Authenticated-User, X-Authenticated-Groups
        Encapsulated: null-body=0


I think it's pretty good.

So I configured my Isilon array to send ICAP requests to this address:

icap://OPNsense.demo.lan:1344/avscan



The Isilon cluster sends requests to OPNsense every minute; I can see it in the access.log:
(192.168.222.220 and 192.168.222.221 = Isilon array)

04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200


When I download an EICAR virus onto the storage array, nothing happens in the log file or anywhere else... I don't know where to look from here, do you have some ideas?

Thanks a lot for reading this long post and for your help! :)

Sorry for my bad English, it's not my native language :-\
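
Two details in the output above are worth checking by hand. The OPTIONS reply names the service as "C-ICAP/0.5.5 server - Echo demo service" and the access.log lines say "echo": c-icap-client without a service argument talks to the echo service, which returns the content unchanged, so the EICAR string printed on the console is the zip being echoed back, not a scan result. The Isilon address, on the other hand, points at the avscan service. Below is a small Python helper, added here as an example (it is not c-icap's own client nor anything from OPNsense), that builds the two ICAP requests involved (OPTIONS and a RESPMOD that submits a file for scanning), parses the reply and turns it into a verdict. The host name OPNsense.demo.lan, the service name avscan and the payload are taken from the post or constructed; the X-Infection-Found / X-Violations-Found header names are what c-icap's virus_scan service emits as far as I know, so treat them as an assumption and compare with your own server's reply.

```python
"""Tiny ICAP/1.0 (RFC 3507) client helpers: build OPTIONS and RESPMOD requests,
parse the reply and turn it into a scan verdict.  Example added to this thread,
not c-icap's own client code."""
import socket

ICAP_PORT = 1344


def build_options_request(host, service, port=ICAP_PORT):
    """OPTIONS asks a service what it supports (methods, preview size, 204)."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n"
            "User-Agent: icap-probe-example/0.1\r\n"
            "\r\n").encode()


def build_respmod_request(host, service, payload, port=ICAP_PORT):
    """RESPMOD submits `payload` for scanning, wrapped as an HTTP response.
    The body goes in ICAP chunked encoding and ends with a zero-length chunk."""
    http_hdr = ("HTTP/1.1 200 OK\r\n"
                "Content-Type: application/octet-stream\r\n"
                f"Content-Length: {len(payload)}\r\n"
                "\r\n").encode()
    chunked_body = f"{len(payload):x}\r\n".encode() + payload + b"\r\n0\r\n\r\n"
    icap_hdr = (f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                "Allow: 204\r\n"   # lets the server answer "unmodified" without a body
                f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}\r\n"
                "\r\n").encode()
    return icap_hdr + http_hdr + chunked_body


def parse_icap_response(raw):
    """Split a raw ICAP reply into status code, reason, headers and the rest."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response: header block not terminated")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError(f"unexpected status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only: "Date: Fri, ... 14:12:27" survives
        headers[name.strip()] = value.strip()
    return {"status": int(parts[1]), "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers, "rest": rest}


def verdict(resp):
    """204 = content returned unmodified, i.e. clean.  200 = the server replaced
    the response; c-icap's virus_scan then adds X-Infection-Found /
    X-Violations-Found (assumption, verify against your server).  A 200 without
    those headers is what the echo service gives: content passed through, not scanned."""
    if resp["status"] == 204:
        return "clean"
    if resp["status"] == 200:
        h = resp["headers"]
        found = h.get("X-Infection-Found") or h.get("X-Violations-Found")
        return f"infected: {found}" if found else "modified"
    return f"error {resp['status']} {resp['reason']}".rstrip()


def icap_exchange(host, request, port=ICAP_PORT, timeout=10):
    """Send one request and collect the reply.  OPTIONS and 204 replies carry no
    body (Encapsulated: null-body=0); a 200 with a body ends with the zero chunk."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n\r\n" not in buf or not (
                b"null-body=0" in buf or buf.endswith(b"\r\n0\r\n\r\n")):
            try:
                chunk = s.recv(65536)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return parse_icap_response(buf)


# Constructed sample: the OPTIONS reply for the echo service as quoted in the thread.
SAMPLE_OPTIONS_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD, REQMOD\r\n"
    b"Service: C-ICAP/0.5.5 server - Echo demo service\r\n"
    b"ISTag: CI0001-XXXXXXXXX\r\n"
    b"Transfer-Preview: *\r\n"
    b"Options-TTL: 3600\r\n"
    b"Date: Fri, 04 Jan 2019 14:12:27 GMT\r\n"
    b"Preview: 1024\r\n"
    b"Allow: 204\r\n"
    b"X-Include: X-Authenticated-User, X-Authenticated-Groups\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    opts = parse_icap_response(SAMPLE_OPTIONS_REPLY)   # offline check on the sample
    print(opts["status"], opts["headers"]["Methods"], "|", opts["headers"]["Service"])
    # Live use against the host from the post (assumed reachable), scanning a local file:
    # with open("testfile.bin", "rb") as f:
    #     req = build_respmod_request("OPNsense.demo.lan", "avscan", f.read())
    # print(verdict(icap_exchange("OPNsense.demo.lan", req)))
```

Running the OPTIONS probe against the avscan service should return a Service header that is not the echo demo; if it still says echo, the file is never reaching the scanner, whatever the console shows.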

I would prefer to check what it is doing on an upload. Downloads are usually never checked because it is expected that people download a file more frequently than they upload it.

I would start with a tcpdump on port 1344 to see what's going on.

@mimugmail: maybe also a problem with http://c-icap.sourceforge.net/c-icap.conf-0.1.x.html#tag_client_access or icap_access, depending on what the server responds.
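
Before reaching for tcpdump or the access-control directives, the existing access.log already answers "what does the server see". In the lines quoted in the first post the c-icap-client test hit the service echo, and the two Isilon nodes (192.168.222.220 / .221) only ever send OPTIONS, never a RESPMOD or REQMOD carrying a file. Here is a small Python script, added to this thread as an example (not part of c-icap or OPNsense), that parses that access.log format (timestamp, server IP, client IP, ICAP method, service, status) and flags exactly those two conditions plus error statuses. The sample log is constructed from the lines in the thread plus one extra line for 192.168.222.50, which shows what a client that really submits files and gets a 204 "clean" looks like.

```python
"""Summarise a c-icap access.log per client: which ICAP methods and services each
client used, and whether any file was ever submitted for scanning.  Example added
to this thread, not part of c-icap or OPNsense."""
import re
from collections import Counter, defaultdict

# "04/Jan/2019:15:06:33 +0100, <server ip> <client ip> <METHOD> <service[?query]> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ [+-]\d{4}), (?P<server>\S+) (?P<client>\S+) "
    r"(?P<method>[A-Z]+) (?P<service>\S+) (?P<status>\d{3})$"
)

# Constructed sample: the lines quoted in the thread plus one healthy client
# (192.168.222.50) that really sends a RESPMOD and is answered with 204.
SAMPLE_LOG = """\
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 OPTIONS echo 200
04/Jan/2019:15:06:33 +0100, 192.168.222.153 192.168.222.153 RESPMOD echo 200
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:12:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.220 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:13:54 +0100, 192.168.222.153 192.168.222.221 OPTIONS avscan?allow204=on&mode=simple 200
04/Jan/2019:15:14:10 +0100, 192.168.222.153 192.168.222.50 RESPMOD avscan?allow204=on 204
"""


def parse_line(line):
    """Return a dict for one access.log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string: "avscan?allow204=on&mode=simple" -> "avscan"
    rec["service"] = rec["service"].split("?", 1)[0]
    return rec


def summarize(text):
    """Per client: Counter of methods, Counter of services, number of error replies."""
    per_client = defaultdict(
        lambda: {"methods": Counter(), "services": Counter(), "errors": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = per_client[rec["client"]]
        c["methods"][rec["method"]] += 1
        c["services"][rec["service"]] += 1
        if rec["status"] >= 400:
            c["errors"] += 1
    return dict(per_client)


def diagnose(per_client, expected_service="avscan"):
    """Human-readable findings: clients that never submit content, clients that
    talk to the wrong service, and clients that receive error statuses."""
    findings = []
    for client, c in sorted(per_client.items()):
        scans = c["methods"]["RESPMOD"] + c["methods"]["REQMOD"]
        if scans == 0:
            findings.append(
                f"{client}: only OPTIONS requests, no file was ever submitted for scanning")
        for service in c["services"]:
            if service != expected_service:
                findings.append(
                    f"{client}: requests went to service '{service}', not '{expected_service}'")
        if c["errors"]:
            findings.append(f"{client}: {c['errors']} request(s) answered with an error status")
    return findings


if __name__ == "__main__":
    import sys
    # Real use: python3 icap_log_check.py /var/log/c-icap/access.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in diagnose(summarize(text)):
        print(finding)
```

On the sample this prints one line for 192.168.222.153 (service echo instead of avscan) and one "only OPTIONS" line for each Isilon node, and nothing for the constructed healthy client. A node that keeps sending OPTIONS every minute but never a RESPMOD has not lost the server; it has simply decided not to send files, which is the condition to chase on the Isilon side.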

Hello :)

Thanks a lot @fabian and @mimugmail for your time and your answers!

I checked the file on upload and analyzed the network traffic with tcpdump, but nothing interesting.

After this I went back to my Isilon array to check the config, and the antivirus menu showed me that the link between my c-icap server and my Isilon is now inactive >:(

Some research showed me that c-icap + ClamAV is not supported by Isilon OneFS...
http://doc.isilon.com/onefs/7.0.0/help/en-us/GUID-5BED95C1-FFBA-425F-A6ED-4EE4B425B0CD.html

I think it was a bug when the menu showed me an active link.

BUT I'm not giving up now; in the server.log file I see some ISTag problem:
Fri Feb  1 09:52:23 2019, 80937/3085000704, recomputing istag ...

I will look on this side, and I will post here if I find something :)

Thanks again for your help! And if you have some idea about ISTag, I'll take it ;)