squid, c-icap, clamav - not detecting eicar on proxy requests

Started by efun, February 25, 2025, 06:57:35 AM

Hi,

I have been trying to resolve why the setup isn't working (all on the latest versions).

I am receiving two PID segfaults, but I think this is a known issue and not part of this problem?

      squid 2025/02/24 22:40:12| Set Current Directory to /var/squid/cache
      Segmentation fault


When I request a known EICAR file via the web or the command below, it passes through.

I pulled the EICAR file down locally and checked with -f vs -req.

c-icap-client detects the signature, but when I use the HTTP request, it passes as nothing found.

Thoughts, what am I missing?

See below:

 
c-icap-client -s avscan -f eicar.com.txt -v

ICAP server:localhost, ip:::1, port:1344

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>MALWARE FOUND</title>
.....

ICAP HEADERS:
   ICAP/1.0 200 OK
   Server: C-ICAP/0.6.3
   Connection: keep-alive
   ISTag: "CI0001-r79KkQ7h+M5vZJKo2DBG+AAA"
   X-Infection-Found: Type=0; Resolution=2; Threat=winnow.malware.test.eicar.com.UNOFFICIAL;
   X-Violations-Found: 1
   -
   winnow.malware.test.eicar.com.UNOFFICIAL
   0
   0
   Encapsulated: res-hdr=0, res-body=174

RESPMOD HEADERS:
   HTTP/1.0 403 Forbidden
   Server: C-ICAP
   Connection: close
   Content-Type: text/html
   Content-Language: en
   Via: ICAP/1.0 (C-ICAP/0.6.3 Antivirus service )

works.


c-icap-client -s avscan -req "http://pkg.opnsense.org/test/eicar.com.txt" -v
ICAP server:localhost, ip:::1, port:1344

No modification needed (Allow 204 response)

ICAP HEADERS:
   ICAP/1.0 204 No Content
   Server: C-ICAP/0.6.3
   Connection: keep-alive
   ISTag: "CI0001-r79KkQ7h+M5vZJKo2DBG+AAA"

REQMOD HEADERS:
   GET http://pkg.opnsense.org/test/eicar.com.txt HTTP/1.0
   Date: Tue, 25 Feb 2025 05:54:29 GMT
   User-Agent: C-ICAP-Client/x.xx



does not detect.

Thank you for your help!
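As an added check that is not part of the original post, the script below fetches the EICAR test URL from the post through the proxy with curl and classifies the response as blocked or passed, which exercises squid's own RESPMOD hand-off rather than a direct c-icap-client probe. It assumes the proxy URL is given in the PROXY environment variable and that a block from c-icap/clamav arrives as a 403 with the "MALWARE FOUND" page shown in the -f output above.

```shell
#!/bin/sh
# Added example, not from the original post. Fetches the EICAR test file
# through the proxy and reports whether the AV chain blocked it.
# Assumptions: PROXY holds the proxy URL (e.g. http://127.0.0.1:3128), and a
# block from c-icap/clamav returns 403 with a "MALWARE FOUND" page, as in the
# post's -f output.

EICAR_URL="http://pkg.opnsense.org/test/eicar.com.txt"   # URL from the post

# classify_response FILE: FILE holds a raw HTTP response (status line, headers,
# body, as written by `curl -i`). Prints BLOCKED, PASSED or UNKNOWN.
classify_response() {
    status=$(sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p' "$1" | tr -d '\r')
    if [ "$status" = "403" ] && grep -q "MALWARE FOUND" "$1"; then
        echo BLOCKED          # proxy replaced the file with the AV block page
    elif grep -q "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" "$1"; then
        echo PASSED           # test file reached the client unmodified
    else
        echo UNKNOWN          # e.g. upstream error or a different block page
    fi
}

# fetch_and_classify PROXY_URL: run the live check through the proxy.
fetch_and_classify() {
    out=$(mktemp) || return 1
    # -i keeps the status line and headers in front of the body.
    curl -s -i -x "$1" "$EICAR_URL" > "$out" || { rm -f "$out"; return 1; }
    classify_response "$out"
    rm -f "$out"
}

# self_check: offline check of the classifier on two constructed responses.
self_check() {
    tmp=$(mktemp) || return 1
    printf 'HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<title>MALWARE FOUND</title>\n' > "$tmp"
    r1=$(classify_response "$tmp")
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n...EICAR-STANDARD-ANTIVIRUS-TEST-FILE...\n' > "$tmp"
    r2=$(classify_response "$tmp")
    rm -f "$tmp"
    [ "$r1" = BLOCKED ] && [ "$r2" = PASSED ]
}

if [ -n "${PROXY:-}" ]; then
    fetch_and_classify "$PROXY"
else
    self_check && echo "classifier self-check OK (set PROXY to run the live check)"
fi
```

A PASSED result with the proxy configured means squid delivered the file without the avscan service rewriting the response, so the squid-to-c-icap RESPMOD configuration is the place to look next.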