
How ICAPeg will inform our ICAP client of the AV scanning results of an infected file #133

Open
idavollen opened this issue Feb 22, 2023 · 5 comments

Comments

@idavollen

When the AV scanning result for a posted file, e.g. a ZIP or PDF scanned with ClamAV, is that the file is not safe, that is, infected, what does the ICAP response from ICAPeg look like, and how can our ICAP client interpret from the ICAP response that this uploaded file is infected?

```
2023-02-22T15:36:16.203Z info general-functions/general-functions.go:49 extracting the body of HTTP message
2023-02-22T15:36:16.204Z info general-functions/general-functions.go:262 getting the file name
2023-02-22T15:36:16.204Z info general-functions/general-functions.go:442 getting the mime extension of the HTTP message body
2023-02-22T15:36:16.204Z debug general-functions/general-functions.go:462 HTTP message body mime extension is zip
2023-02-22T15:36:16.204Z info general-functions/general-functions.go:71 checking the extension (reject or bypass or process)
2023-02-22T15:36:16.204Z debug general-functions/general-functions.go:75 extension is process
2023-02-22T15:36:16.204Z debug clamav/clamav.go:84 sending the HTTP msg body to the ClamAV through antivirus socket
2023-02-22T15:36:21.205Z debug clamav/clamav.go:111 clamavFile is not safe
2023-02-22T15:36:21.207Z debug api/icap-request.go:189 adding the headers which the service wants to add them in the ICAP response
2023-02-22T15:36:21.207Z debug api/icap-request.go:198 checking if shadow service mode is enabled to add logs instead of returning another
2023-02-22T15:36:21.207Z debug api/icap-request.go:237 clamav returned ICAP response with status code 200
```

@idavollen
Author

For instance, https://docs.opswat.com/mdicap/v5.1.0/operating/icap-response-headers lists the response headers used by the MetaDefender ICAP Server.

How about ICAPeg?


@mahnouman
Contributor

Hello @idavollen, the "X-" headers are custom ICAP headers; you can pass any information in these. What we have currently implemented is X-ICAP-Metadata, which generates a random string to be able to trace the request across the proxy, the ICAP server and any API service.

You can trace this development and add any custom ICAP header you wish to hold any data, like the virus name or similar. If you have specific requirements, it would be great to hear about them. Thanks.

@idavollen
Author

idavollen commented Mar 9, 2023

Hello @mahnouman, thanks for your feedback!

What do you think of making it possible to add a configurable custom ICAP response header, e.g. `custom_icap_resp_header = "X-Virus-Name"` for ClamAV in the config.toml file? When clamav.go has got `result.Status == Found` and `c.methodName != utils.ICAPModeResp`, we could add the virus found by ClamAV to the configurable custom ICAP response header from the config.toml, i.e. adding these code lines under https://github.com/egirna/icapeg/blob/master/service/services/clamav/clamav.go#L123:

```go
customIcapRespHeader := readValues.ReadValuesString("clamav.custom_icap_resp_header") // header name from config.toml
if customIcapRespHeader == "" {
	customIcapRespHeader = "X-Virus-Name" // default when the key is not configured
}
serviceHeaders[customIcapRespHeader] = result.Description // ClamAV signature name, e.g. Pdf.Dropper.Agent-7001939-0
```

```
c-icap-client -i 172.30.9.32 -p 1344 -s clamav -f eicar.pdf -v -req https://dev.io
ICAP server:172.30.9.32, ip:10.129.8.75, port:1344
```

These are the test results with c-icap-client:

```
{"reason":"File is not safe","service_name":"clamav","requested_url":"http://dev.no","identifier_id":"CLAMAV ID"}
ICAP HEADERS:
ICAP/1.0 200 OK
Date: Thu, 09 Mar 2023 08:50:14 GMT
Encapsulated: req-hdr=0, req-body=25
ISTag: epoch-1678351809
Service: clamav service
X-ICAPeg-Shadow-Service: false
X-Virus-Name: Pdf.Dropper.Agent-7001939-0

REQMOD HEADERS:
GET HTTP/1.0
Host:
```
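As an added example (not code from ICAPeg or from anyone in this thread), here is how an ICAP client written in Go could interpret such a response, which is also what the opening question of the issue asks: it parses the ICAP status line and headers, notes the X-ICAPeg-Shadow-Service flag, and treats the file as infected only when the configured virus header is present. The header name `X-Virus-Name` is an assumption that the client is configured with the same name as the proposed `clamav.custom_icap_resp_header` setting; the two sample responses are constructed from the c-icap-client output above.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Verdict is what an ICAP client can conclude from an ICAPeg response.
type Verdict struct {
	StatusCode int               // ICAP status: 200 = modified response returned, 204 = unmodified
	Headers    map[string]string // ICAP headers, names lower-cased
	ShadowMode bool              // X-ICAPeg-Shadow-Service: true means the server only logged the result
	Infected   bool              // true when the configured virus header is present
	VirusName  string            // value of the virus header, i.e. the ClamAV signature name
}

// ParseICAPResponse reads the ICAP status line and headers from raw and derives a
// verdict. virusHeader is the header name the client expects (assumed to match the
// server-side clamav.custom_icap_resp_header setting, "X-Virus-Name" in this thread).
func ParseICAPResponse(raw, virusHeader string) (Verdict, error) {
	v := Verdict{Headers: map[string]string{}}
	sc := bufio.NewScanner(strings.NewReader(raw)) // ScanLines strips the CRLF that ICAP uses
	if !sc.Scan() {
		return v, errors.New("empty ICAP response")
	}
	fields := strings.Fields(sc.Text())
	if len(fields) < 2 || !strings.HasPrefix(fields[0], "ICAP/") {
		return v, fmt.Errorf("not an ICAP status line: %q", sc.Text())
	}
	code, err := strconv.Atoi(fields[1])
	if err != nil {
		return v, fmt.Errorf("bad ICAP status code: %q", fields[1])
	}
	v.StatusCode = code
	// ICAP headers end at the first blank line; the encapsulated HTTP message
	// follows it and is not needed for the verdict.
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break
		}
		kv := strings.SplitN(line, ":", 2)
		if len(kv) != 2 {
			return v, fmt.Errorf("malformed ICAP header: %q", line)
		}
		v.Headers[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
	}
	v.ShadowMode = strings.EqualFold(v.Headers["x-icapeg-shadow-service"], "true")
	// Only the configured header carries the verdict; status 200 alone is not enough.
	if name, ok := v.Headers[strings.ToLower(virusHeader)]; ok && name != "" {
		v.Infected = true
		v.VirusName = name
	}
	return v, nil
}

// Constructed samples modeled on the c-icap-client output shown in this thread.
const infectedResponse = "ICAP/1.0 200 OK\r\n" +
	"Date: Thu, 09 Mar 2023 08:50:14 GMT\r\n" +
	"Encapsulated: req-hdr=0, req-body=25\r\n" +
	"ISTag: epoch-1678351809\r\n" +
	"Service: clamav service\r\n" +
	"X-ICAPeg-Shadow-Service: false\r\n" +
	"X-Virus-Name: Pdf.Dropper.Agent-7001939-0\r\n" +
	"\r\n" +
	"GET HTTP/1.0\r\nHost:\r\n"

const cleanResponse = "ICAP/1.0 204 No Content\r\n" +
	"ISTag: epoch-1678351809\r\n" +
	"Service: clamav service\r\n" +
	"\r\n"

func main() {
	for _, raw := range []string{infectedResponse, cleanResponse} {
		v, err := ParseICAPResponse(raw, "X-Virus-Name")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("status=%d infected=%t virus=%q shadow=%t\n",
			v.StatusCode, v.Infected, v.VirusName, v.ShadowMode)
	}
}
```

The verdict is keyed on the header rather than on the status code alone: a 204 from ICAPeg means the message was passed unmodified, and with the shadow service enabled the server logs the result instead of returning a different response (as the log line above describes), so a client that only looked at "200 vs 204" could not tell a block from an ordinary modification.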

@mahnouman
Contributor

Hello @idavollen, working on that; will keep you updated.

idavollen referenced this issue Jan 26, 2024