SQUIDCLAMAV(1)      User Contributed Perl Documentation      SQUIDCLAMAV(1)

SquidClamav - HTTP Antivirus for Squid based on ClamAv and the ICAP
protocol

SquidClamav is an antivirus for the Squid proxy based on the ICAP
protocol and the award-winning ClamAv anti-virus toolkit. Using it
will help you secure your home or enterprise network web traffic.
SquidClamav is the most efficient antivirus tool for HTTP traffic
available for free. It is written in C as a c-icap service and can
handle several thousand connections at once.

SquidClamav only scans the HTTP stream sent by Squid through the ICAP
server. It doesn't make HTTP requests itself, which improves
performance and ensures that the data scanned is the same as what the
user requested.

Why use the c-icap server? It is the only open source ICAP server
written in C, and it is very fast and stable.

Why write another clamav c-icap module? Well, to be honest, apart from
the survival of SquidClamav, I think that using clamd instead of
libclamav to scan files is faster and simpler than the srv_clamav
module provided with the c-icap server.

SquidClamav is faster than any other HTTP antivirus and can handle
several thousand simultaneous users at once; this is what we need.

The other unique feature of SquidClamav is Clamd failover: you can
configure up to 4 clamd server IP addresses. When a clamd server is not
reachable within one second, SquidClamav switches to the next IP
address.

If you are using ClamAV above 0.95, SquidClamav will have support for
the Google Safe Browsing database. All signatures provided by the
Google Safe Browsing database are prefixed with the Safebrowsing tag.
If ClamAV reports:

    Safebrowsing.<something> FOUND

squidclamav redirects the request just as if a virus had been found.

Generic Program Information
SquidClamav is compatible with all Squid v3.x versions that support the
ICAP feature allowing "on stream" scanning. squidclamav is built as a
c-icap server service and can be controlled through a configuration
file.

Installing Squid
Setting SquidClamav as Squid Icap service
I want SquidClamav to be installed as a c-icap service, to be
configured as easily as possible and to be compatible with the old
configuration file. This means that I deliberately omit some
capabilities of the c-icap server to preserve full compatibility with
the old squidclamav.conf file.

Squid v3.x installation and configuration

To have full and stable ICAP support with Squid you must use the 3.x
branch and configure Squid with the following option:

    --enable-icap-client

I don't know what other options you are using but you have to add this
one to your configure command. If you prefer to use distribution
packaging, it may already be configured like this if you can install
the c-icap package too.

If you don't know, run the following command and search for the
configuration directive --enable-icap-client:

    /usr/local/squid/sbin/squid -v | grep "enable-icap-client"

If it is not enabled you must reinstall Squid with this configuration
option or install the additional packages.

Once you have it enabled, to integrate c-icap and SquidClamav with your
Squid cache just edit squid.conf and set the following directives.

Squid 3.4.x configuration
There are some configuration differences between Squid versions 3.1.x
and 3.4.x. Here are the directives I use for Squid 3.4.x:

    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
    adaptation_access service_avi_req allow all
    icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
    adaptation_access service_avi_resp allow all

If you don't know where to put them in squid.conf, just search for
'icap_.*' and add those configuration lines at the end of the icap
section.

Squid 3.1.x configuration
There are some configuration differences between Squid versions 3.0.x
and 3.1.x. Here are the directives I use for Squid 3.1.x:

    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_req allow all
    icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
    adaptation_access service_resp allow all

If you don't know where to put them in squid.conf, just search for
'icap_.*' and add those configuration lines at the end of the icap
section.

Here the bypass is set to 1, which means that in case of squidclamav
problems Squid will simply ignore the error and continue.

Squid 3.0.x configuration
For Squid 3.0.x you must replace 'bypass=1' by '1' or 'bypass=0' by
'0', and the access to the service is defined at a class level. Only
the last four configuration lines change from version 3.1.x.

    icap_enable on
    icap_send_client_ip on
    icap_send_client_username on
    icap_client_username_encode off
    icap_client_username_header X-Authenticated-User
    icap_preview_enable on
    icap_preview_size 1024
    icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/squidclamav
    icap_service service_resp respmod_precache 1 icap://127.0.0.1:1344/squidclamav
    icap_class class_avreq service_req
    icap_class class_avresp service_resp
    icap_access class_avreq allow all
    icap_access class_avresp allow all

If you don't know where to put them in squid.conf, just search for
'icap_.*' and add those configuration lines at the end of the icap
section.

Here the bypass is set to 1, which means that in case of squidclamav
problems Squid will simply ignore the error and continue.

What do these configuration directives do? They enable Squid's ICAP
client and tell Squid to send the logged-in username and the client's
IP address to the ICAP server. They also enable preview so that
SquidClamav works faster. The last four lines define how to call the
ICAP server. Here we call the squidclamav service on localhost and port
1344 (host and port can be changed). The bypass parameter set to 1
means that Squid will continue, delivering the traffic unscanned, if
the ICAP server or SquidClamav fails. This is just like the old bridge
mode in previous releases of SquidClamAV. I don't want users to be
bothered by continuous error messages if SquidClamav or c-icap produce
errors or if there's an error in the configuration file. Users don't
have to know about that, they want to surf and don't care about your
problems :-) If you don't think like me, just set the bypass argument
to 0 and Squid will return an error message in case of a failure.
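
The bypass setting decides whether scanning fails open or fails closed, and it is written differently in each Squid version above. The following added example (not part of SquidClamav or Squid) reads icap_service lines in all three syntaxes and reports which services let traffic through when the ICAP side fails; the function names are assumptions of this example, and the sample lines are copied from the configurations shown above.

```python
def icap_failure_modes(squid_conf_text):
    """Map each icap_service name to (vectoring point, failure mode)."""
    modes = {}
    for raw in squid_conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments
        if len(tokens) < 4 or tokens[0] != "icap_service":
            continue
        name, point = tokens[1], tokens[2]
        bypass = False   # Squid treats the service as essential unless told otherwise
        for tok in tokens[3:]:
            if tok.startswith("bypass="):          # Squid 3.1.x and later
                bypass = tok.split("=", 1)[1].lower() in ("1", "on")
            elif tok in ("0", "1"):                # Squid 3.0.x positional flag
                bypass = tok == "1"
        modes[name] = (point, "fail-open" if bypass else "fail-closed")
    return modes


def unscanned_on_failure(squid_conf_text):
    """Names of services whose traffic is delivered unscanned on ICAP errors."""
    modes = icap_failure_modes(squid_conf_text)
    return sorted(n for n, (_, mode) in modes.items() if mode == "fail-open")


# Lines copied from the Squid 3.4.x example on this page.
SQUID_34 = """\
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all
"""

# Lines copied from the Squid 3.1.x and 3.0.x examples on this page.
SQUID_31 = """\
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
"""
SQUID_30 = """\
icap_service service_req reqmod_precache 1 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache 1 icap://127.0.0.1:1344/squidclamav
"""

if __name__ == "__main__":
    for label, conf in (("3.4.x", SQUID_34), ("3.1.x", SQUID_31), ("3.0.x", SQUID_30)):
        for name, (point, mode) in icap_failure_modes(conf).items():
            print(label, name, point, mode)
```

With the 3.4.x sample, request scanning is fail-closed while response scanning, where downloaded content is checked, is fail-open.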

Chained Url Checker

You can chain SquidClamav with a URL checker such as squidGuard by
setting the 'url_rewrite_program' squid.conf directive:

    url_rewrite_program /usr/bin/squidGuard
    url_rewrite_children 15
    url_rewrite_access allow all

Calling squidGuard from SquidClamav is no longer supported.

C-icap server installation/configuration

If you don't have package solutions or encounter problems when
installing SquidClamav, I recommend that you install the c-icap server
from source as follows. You can download it from SourceForge at
http://c-icap.sourceforge.net/. Choose version c-icap-0.3.2 or later
versions, then run:

    ./configure --prefix=/usr/local/c-icap --enable-large-files
    make
    make install

Then, edit the file /usr/local/c-icap/etc/c-icap.conf. It contains a
set of documented values that configure the c-icap server. To enable
the support of SquidClamav just add the following line to the end of
the file:

    Service squidclamav squidclamav.so

Don't worry about the srv_clamav.* configuration directives, they will
not break anything. SquidClamav doesn't use them but reads its own
directives from the file /etc/squidclamav.conf.

You can disable the c-icap embedded modules by commenting out these
lines:

    #Service url_check_module srv_url_check.so
    #Service antivirus_module srv_clamav.so

This will save some resources.

Following your installation you may need to create the /var/run/c-icap/
directory where the c-icap server writes its pid and socket files.

You may also want to change the user/group owning c-icap's processes.
By default the owner is the user/group who runs the program. I
recommend that you change them to the same user/group running your
Squid cache. For example:

    User proxy
    Group proxy

Of course you will need to change the owner of the directory
/var/run/c-icap/ and of the directory of your server log. See the
ServerLog directive to get the path. I use the following commands to
set the correct ownership on my installation:

    mkdir /var/run/c-icap/
    chown -R proxy:proxy /var/run/c-icap/
    chown -R proxy:proxy /usr/local/c-icap/

After that you can run the c-icap server as explained below.

SquidClamav installation/configuration

Installing SquidClamav requires that you have already installed c-icap
as explained above. You must provide the installation path of c-icap to
the configure command as follows:

    ./configure
    make
    make install

This will install the squidclamav.so library into the c-icap
modules/services repository.

Note that if the c-icap installation does not put the c-icap-config
program in a directory that can be found in your default path, you will
need to give the path to this program to squidclamav at configure time:

    ./configure --with-c-icap=/usr/local/c-icap/
    make && make install

Running c-icap server

Finally, you can run the c-icap server as root user:

    /usr/local/c-icap/bin/c-icap

or any other path to the binary. If you want to display debugging
information on the terminal, the previous command should be executed
with the following arguments:

    /usr/local/c-icap/bin/c-icap -N -D -d 10

The first argument -N prevents the c-icap server from forking into the
background, the second argument -D enables the printing of messages to
standard output, and the third argument -d 10 enables the printing of
full debugging information.

Reloading configuration without restarting the c-icap server

To force SquidClamav to reread its configuration file after changes you
can send the following command to the c-icap server:

    echo -n "squidclamav:cfgreload" > /var/run/c-icap/c-icap.ctl

It will reread all its configuration directives and restart pipes to
squidGuard. So if you make changes to squidGuard you must execute this
command to activate them in SquidClamav.

Or, to be sure that everything is really initialized, or if you have
made changes to the c-icap configuration file, you can run the
following command:

    echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl

The service will reread the config file without the need for stopping
and restarting the c-icap server. The service will just be
reinitialized.

By default, the configuration file must be /etc/squidclamav.conf; you
may not use another path unless you change it in the source code (see
src/squidclamav.h).

SquidClamav installation will create a default file with the maximum
security level. If you have low resources on your server there are some
predefined patterns optimized for speed. Feel free to modify the file
to match your desired security level.

The configuration file consists of configuration directive names,
always in lower case, each followed by a value. The name and the value
must be separated by a single space character. Comments are lines
starting with a '#' character.

Global configuration
Log file and debug

Logging and debug are handled by the c-icap server. You can control
them using the following c-icap.conf directives:

    ServerLog /usr/local/c-icap/var/log/server.log
    DebugLevel 0

Debug information is disabled by default. Do not enable it on
production systems as it costs a lot of performance. The debug level
can be set from 1 up to 3 for SquidClamav but can be up to 10 for
c-icap. By setting

    DebugLevel 3

you will trace everything done by SquidClamav, which is useful for
debugging purposes.

Clamd daemon

SquidClamav needs to know where to contact clamd, the ClamAV daemon,
for on stream virus scanning.

    clamd_local /tmp/clamd
    #clamd_ip 192.168.1.5
    #clamd_port 3310

By default SquidClamav will contact clamd locally on the /tmp/clamd
unix socket (clamd_local). If your clamd daemon uses an INET socket or
runs on a remote server, you have to set the IP address and the port
with clamd_ip and clamd_port.

If you use an INET socket the 'clamd_local' directive must be commented
out, or SquidClamav will always use the clamd_local directive.

Clamd failover

If you have multiple ClamAv servers, SquidClamav is able to do failover
between them. You just have to set 'clamd_ip' to a list of IP addresses
separated by commas. Do not insert space characters in this list or it
will break everything. For example:

    clamd_ip 192.168.1.5,192.168.1.13,192.168.1.9
    clamd_port 3310
    timeout 1

You can set up to 5 clamd servers. The clamd port must be the same for
all these servers as 'clamd_port' only accepts one single value.

SquidClamav will always connect to the first IP address available. If
this fails it will try the next defined IP address after 1 second. When
a connection can be established SquidClamav will reuse this last
"working" IP address first, so as not to slow down processing the next
time.

If you think 1 second is too low a value, you can change the connect
timeout by editing the file squidclamav.conf and setting the 'timeout'
directive to a higher value. For example:

    timeout 2

The value must be set in seconds. Do not set it too high (keep it below
5) or you can slow down everything.

Redirection

URL redirect

When a virus is detected SquidClamav needs to redirect the client to a
warning page. The SquidClamav distribution contains a set of Perl CGI
scripts in different languages that you can use. To set up this
redirection you have to give a redirect URL to the 'redirect' directive
as follows:

    redirect http://proxy.samse.fr/cgi-bin/clwarn.cgi

Take a look in the cgi-bin directory to see all translations of this
cgi script.

Squidclamav will pass the following parameters to this CGI:

    url=ORIGINAL_HTTP_REQUEST
    virus=NAME_OF_THE_VIRUS
    source=DOWNLOADER_IP_ADDRESS
    user=DOWNLOADER_IDENT

If this directive is disabled squidclamav will use c-icap error
templates to report issues. See below.

Using c-icap template instead of redirect scripts

If the redirect directive is not set, SquidClamav will attempt to load
a template from disk and send it back to the user. By default this
template is found at the following path:

    /usr/share/c_icap/templates/squidclamav/en/MALWARE_FOUND

Available format tokens are all of those available to the LogFormat
directive of c-icap, plus an additional token:

    %mn - formatted name of the malware, as given by ClamAV.

Notice redirection into log file

To log every redirection enable the 'logredir' configuration directive:

    logredir 1

By default it is disabled as you can also log this information with the
cgi-script or send an email.

Maximum file size scanned

The maxsize directive lets you disable virus scanning completely for
files bigger than the given value in bytes. The default is 0, meaning
no size limit, as you may want to control download size in squid.conf
or clamd.

    maxsize 2M

If you want to abort the virus scan after a certain amount of data you
must take a look at the clamd configuration directive 'StreamMaxLength'
that will close a stream when the given size is reached.

DNS lookup of client IP address

The dnslookup directive allows you to enable or disable DNS lookup of
all client IP addresses. It is enabled by default:

    dnslookup 1

to preserve backward compatibility. You should deactivate this feature
if you don't use trustclient with a hostname in the regexp or if you
don't have a DNS on your network. Disabling it will also speed up
squidclamav.

Multipart content

Clamd supports decoding email-style multipart content and scanning each
part. Unless clamd receives a Content-Type header it can't know how to
break up the multipart content, so it tries to scan the entire body as
one file, even if parts are base64 encoded. Enabling the 'multipart'
directive (shown here with its default, disabled value):

    multipart 0

will force detection of multipart content and send a To: and
Content-Type header to clamd before the rest of the body. Disabled by
default for backward compatibility.

Safebrowsing

ClamAV 0.95 introduced support for the Google Safe Browsing database.
The database is packed inside a CVD file and distributed through the
ClamAv mirror network as safebrowsing.cvd. This feature is disabled by
default on all clamav installations.

In order to enable this feature, you must first add "SafeBrowsing Yes"
to freshclam.conf. There is no option in clamd.conf. If the engine
finds Google Safe Browsing files in the database directory, ClamAV will
enable safe browsing. To turn it off you need to update freshclam.conf
and remove the safebrowsing files from the database directory before
restarting clamd.

Then, to enable this feature in SquidClamav, you have to enable the
following configuration directive.

safebrowsing
    Enable / Disable Clamav Safe Browsing feature. You must have
    enabled the corresponding behavior in clamd by enabling
    SafeBrowsing in freshclam.conf. Enabling it will first make a safe
    browsing request to clamd and then the virus scan request.

URL rejection

SquidClamav allows rejecting certain URLs based on a regular
expression.

In order to enable this feature, you must first add "reject_url
pattern" to freshclam.conf.

reject_url
    Allows you to specify a regular expression used to reject any
    matching URL. For example:

        reject_url ^[^\?#]+\.(ade|adp|app|asd|asf|asx|bas|bat|cab|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh)([\?#].*)?$

Control virus scan

There are two scan modes to fully control squidclamav behavior. The
first and historical mode is "ScanAllExcept", which scans everything by
default. This mode can be controlled by the directives abort,
abortcontent, whitelist, trustuser and trustclient.

    scan_mode ScanAllExcept

The second mode, available since squidclamav version 7, is
"ScanNothingExcept", which will scan nothing but the content selected
by the directives scan, scancontent, blacklist, untrustuser and
untrustclient.

    scan_mode ScanNothingExcept

Any other value for the scan_mode directive will force the
"ScanAllExcept" mode. This guarantees backward compatibility with older
squidclamav versions.

abort
    The 'abort' directive will let you disable virus scanning at URL
    level (not chained program). When the URL matches the regex
    pattern, SquidClamav falls back to Squid immediately after the call
    to the chained program, if one is defined there.

    For example:

        abort \.squid-cache\.org
        abort .*\.(png|gif|jpg)$

    The first regexp will exclude any file hosted on the domain
    squid-cache.org from virus scanning, the last one will exclude all
    PNG, GIF and JPEG images from scanning.

    Only used in "ScanAllExcept" mode.

abortcontent
    The 'abortcontent' directive allows you to exclude from virus
    scanning any file whose Content-Type matches the regex pattern.
    This directive costs more time because SquidClamav needs to
    download the HTTP header for a file with a HEAD request. Note that
    some sites do not answer HEAD requests, so the content type cannot
    be retrieved and they will be scanned.

    Example:

        abortcontent ^image\/.*$
        abortcontent ^video\/x-flv$

    The first directive complements the previous
    "abort .*\.(png|gif|jpg)$" directive to match dynamic images or
    image URLs with parameters at the end. The second will allow your
    users to view streamed video instantly.

    Only used in "ScanAllExcept" mode.

whitelist
    The 'whitelist' configuration directive allows you to disable the
    chained program and virus scan at URL level. When the given pattern
    matches the URL, SquidClamav falls back to Squid instantly.

    For example:

        whitelist \.clamav\.net

    will deliver any files from hosts on the clamav.net domain
    directly.

    You can also use a file containing all the regexes to be
    whitelisted and provide the file name to the whitelist directive.
    Suppose that you have a file named
    /usr/local/c-icap/etc/sc_whitelist with the following content:

        \.clamav\.net
        \.darold\.net

    then you just have to set whitelist in squidclamav.conf as follows:

        whitelist /usr/local/c-icap/etc/sc_whitelist

    The file must contain only one regex per line and no extra
    characters.

    Only used in "ScanAllExcept" mode.

trustuser
    The 'trustuser' directive allows you to disable the chained program
    and virus scan when an ident matches the search pattern. When the
    regex matches, SquidClamav falls back to Squid instantly. Of course
    you must have a Squid authentication helper enabled.

    For example:

        trustuser administrator

    will spare the user logged in as administrator the chained program
    and virus scan.

    Only used in "ScanAllExcept" mode.

trustclient
    The 'trustclient' directive allows you to disable the chained
    program and virus scan if the client source IP address or DNS name
    matches the search pattern. The source IP address can be a single
    IP address or an address range following the given regex pattern.

    For example:

        trustclient ^192\.168\.1\.1$
        trustclient ^192\.168\.1\..*$
        trustclient ^mypc\.domain\.dom$

    The first and the last entry will disable the chained program and
    virus scan for a single computer and the second will do so for an
    entire class C network.

    Only used in "ScanAllExcept" mode.

scan
    The 'scan' directive will let you enable virus scanning at URL
    level.

    For example:

        scan .*\.(doc|docx|pdf|xls)$

    The regexp will force virus scanning for extensions .doc, .docx,
    .pdf and .xls.

    Only used in "ScanNothingExcept" mode.

scancontent
    The 'scancontent' directive allows you to force virus scanning for
    files whose Content-Type matches the regex pattern. This directive
    costs more time because SquidClamav needs to download the HTTP
    header for a file with a HEAD request. Note that some sites do not
    answer HEAD requests, so the content type cannot be retrieved and
    they will be scanned.

    Example:

        scancontent ^application\/.*$

    Only used in "ScanNothingExcept" mode.

blacklist
    The 'blacklist' configuration directive allows you to force virus
    scan at URL level.

    For example:

        blacklist \.badsite\.com

    will force scanning any files from hosts on the badsite.com domain.

    You can also use a file containing all the regexes to be
    blacklisted and provide the file name to the blacklist directive.
    Suppose that you have a file named
    /usr/local/c-icap/etc/sc_blacklist with the following content:

        \.badsite\.com
        \.getyourvirus\.org

    then you just have to set blacklist in squidclamav.conf as follows:

        blacklist /usr/local/c-icap/etc/sc_blacklist

    The file must contain only one regex per line and no extra
    characters.

    Only used in "ScanNothingExcept" mode.

untrustuser
    The 'untrustuser' directive allows you to force virus scan when an
    ident matches the search pattern. Of course you must have a Squid
    authentication helper enabled.

    For example:

        untrustuser fakeuser

    Only used in "ScanNothingExcept" mode.

untrustclient
    The 'untrustclient' directive allows you to force virus scan if the
    client source IP address or DNS name matches the search pattern.
    The source IP can be a single IP address or an address range
    following the given regex pattern.

    For example:

        untrustclient ^192\.168\.1\.1$
        untrustclient ^192\.168\.1\..*$
        untrustclient ^mypc\.domain\.dom$

    The first and the last entry will force virus scan for a single
    computer and the second will do so for an entire class C network.

    Only used in "ScanNothingExcept" mode.
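
To review which requests a given set of scan-control directives leaves unscanned, the two modes can be modelled as below. This is an added example, not SquidClamav code: it assumes inline patterns only (no pattern files), uses Python's re module as a stand-in for the regex engine SquidClamav uses, and the function names, request fields and sample requests are constructed for the illustration.

```python
import re

SCAN_ALL, SCAN_NOTHING = "ScanAllExcept", "ScanNothingExcept"

# Request fields each directive is matched against, per the descriptions above.
EXEMPT = {  # honoured only in ScanAllExcept: a match skips the scan
    "abort": ("url",), "abortcontent": ("content_type",),
    "whitelist": ("url",), "trustuser": ("user",),
    "trustclient": ("client_ip", "client_name"),
}
FORCE = {  # honoured only in ScanNothingExcept: a match forces the scan
    "scan": ("url",), "scancontent": ("content_type",),
    "blacklist": ("url",), "untrustuser": ("user",),
    "untrustclient": ("client_ip", "client_name"),
}


def parse_conf(text):
    """Read 'name value' lines (single space, '#' comments) into (mode, rules)."""
    mode, rules = SCAN_ALL, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        if name == "scan_mode":
            # Any value other than ScanNothingExcept selects ScanAllExcept.
            mode = SCAN_NOTHING if value == SCAN_NOTHING else SCAN_ALL
        elif name in EXEMPT or name in FORCE:
            # Assumption: the value is an inline pattern, not a pattern file.
            rules.append((name, re.compile(value)))
    return mode, rules


def decide(mode, rules, request):
    """Return (scanned, reason) for one request dict."""
    active = EXEMPT if mode == SCAN_ALL else FORCE
    for name, pattern in rules:
        for field in active.get(name, ()):  # the other mode's directives are ignored
            value = request.get(field)
            if value and pattern.search(value):
                return mode == SCAN_NOTHING, name + " " + pattern.pattern
    return mode == SCAN_ALL, "default for " + mode


def unscanned(conf_text, requests):
    """List (url, reason) for every request that would not be scanned."""
    mode, rules = parse_conf(conf_text)
    results = [(r["url"], decide(mode, rules, r)) for r in requests]
    return [(url, reason) for url, (scanned, reason) in results if not scanned]


def req(url, ctype, user="alice", ip="192.168.1.20"):
    return {"url": url, "content_type": ctype, "user": user, "client_ip": ip}


# Constructed sample configuration reusing the patterns shown on this page.
SAMPLE_CONF = r"""
scan_mode ScanAllExcept
abort \.squid-cache\.org
abort .*\.(png|gif|jpg)$
abortcontent ^image\/.*$
whitelist \.clamav\.net
trustuser administrator
trustclient ^192\.168\.1\.1$
scan .*\.(doc|docx|pdf|xls)$
scancontent ^application\/.*$
"""

# Constructed sample requests.
SAMPLE_REQUESTS = [
    req("http://www.example.com/setup.exe", "application/octet-stream"),
    req("http://www.example.com/logo.png", "image/png"),
    req("http://www.example.com/image.php?id=3", "image/jpeg"),
    req("http://www.example.com/setup.exe", "application/octet-stream",
        user="administrator"),
    req("http://www.example.com/index.html", "text/html"),
]

if __name__ == "__main__":
    for url, reason in unscanned(SAMPLE_CONF, SAMPLE_REQUESTS):
        print("not scanned:", url, "<-", reason)
```

Switching the sample to scan_mode ScanNothingExcept makes the exempting directives inert and leaves the HTML page and the images unscanned by default, which is why the rule set has to be reviewed together with the mode.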
692
693 Libarchive support
694
695 Allow squidclamav to uncompress archives and filter according to user-
696 defined rules before passing them to clamav. See directives below for
697 more details.
698
699 enable_libarchive
700 Enable/disable use of libarchive by SquidClamav. Disabled by
701 default. Note that if libarchive is not available on your server
702 enabling this feature will have no effect. When libarchive headers
703 are not present the code to support libarchive in squidclamav is
704 not compiled.
705
706 ban_archive_entry
707 Block matching archive entries. For example: zip files containing
708 threats such as ransomeware that are not yet detected by clamav or
709 other antivirus software (typically 5KB zip files containing a cab
710 file or a vbe script). Here is the value set in the configuration
711 file if enabled:
712
713 ban_archive_entry ^.*\.(ade|adp|app|asd|asf|asx|bas|bat|cab|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh)$
714
715 ban_max_entries
716 Maximum number of entries in an archive in order to block it if
717 there's at least one match. Archives with more than ban_max_entries
718 will not be blocked even if there are matches. A value of 0 (or
719 commented) will ignore the number of entries in an archive.
720 Suggested value: 1.
721
722 ban_max_matched_entries
723 Maximum number of matched entries in an archive in order to block
724 it. Archives with more than ban_max_matched_entries matches will
725 not be blocked. A value of 0 (or commented) will ban an archive
726 when there's at least one entry match. Suggested value: 1.
727
728 banmaxsize
729 Maximum size of an archive that may be opened. Any file bigger that
730 this value will not be scanned. Suggested value: 2M.
731
732 recoverpath
733 Path where banned archives are stored (libarchive). Hard-coded file
734 format:
735
736 banned_USERNAME_CLIENTIP_UNIXTIME_RAND(99).FILEEXTENSION
737
738 USERNAME and CLIENTIP are available when enabling
739 icap_send_client_ip and icap_send_client_username in squid.conf.
740 Check clwarn.cgi example to see how you can retrieve the file name
741 and serve it via http.
742
743 recovervirus
744 Enable if virus files should also be copied to recoverpath. Hard-
745 coded file format:
746
747 virus_USERNAME_CLIENTIP_UNIXTIME_RAND(99).FILEEXTENSION
748
749 Otherwise only archives containing ban_archive_entry matches will
750 be copied.
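
The ban directives interact, so it helps to check what a chosen combination of limits actually blocks. The model below is an added example, not SquidClamav code: it follows the directive descriptions above, uses Python's zipfile and re modules in place of libarchive and SquidClamav's regex engine, shortens the ban_archive_entry pattern to a few of the page's extensions, and runs on constructed in-memory archives with placeholder content.

```python
import io
import re
import zipfile

# Shortened from the ban_archive_entry value shown above (assumption: subset only).
BAN_PATTERN = re.compile(r"^.*\.(bat|cab|cmd|exe|jse?|scr|vbe|vbs|wsf)$")


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def ban_decision(archive, pattern, max_entries=0, max_matched=0, banmaxsize=0):
    """Return (banned, reason); a limit of 0 means the directive is not set."""
    if banmaxsize and len(archive) > banmaxsize:
        return False, "bigger than banmaxsize: archive not opened"
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
    matched = [n for n in names if pattern.search(n)]
    if not matched:
        return False, "no entry matches ban_archive_entry"
    if max_entries and len(names) > max_entries:
        return False, "%d entries exceed ban_max_entries" % len(names)
    if max_matched and len(matched) > max_matched:
        return False, "%d matches exceed ban_max_matched_entries" % len(matched)
    return True, "banned on entry " + matched[0]


def compare_settings(archive, pattern=BAN_PATTERN):
    """Decision with the suggested limits (1, 1) next to the limits unset (0, 0)."""
    return {
        "suggested": ban_decision(archive, pattern, max_entries=1, max_matched=1)[0],
        "unset": ban_decision(archive, pattern)[0],
    }


# Constructed sample archives; file contents are harmless placeholders.
SINGLE = make_zip({"invoice.vbe": b"placeholder"})
MIXED = make_zip({"readme.txt": b"a", "photo.jpg": b"b", "setup.exe": b"c"})
DOUBLE = make_zip({"a.bat": b"a", "b.cmd": b"b"})
CLEAN = make_zip({"readme.txt": b"a"})

if __name__ == "__main__":
    for label, data in (("single", SINGLE), ("mixed", MIXED),
                        ("double", DOUBLE), ("clean", CLEAN)):
        print(label, compare_settings(data))
```

With the suggested limits only the single-entry archive is banned; the other archives containing matching entries are passed on to the clamd scan, which remains the only check applied to them.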

Testing SquidClamav
As SquidClamav is a c-icap service, it cannot be run at the console as
an interactive program. To check what is going wrong, you must edit the
c-icap.conf file, set DebugLevel to 3 and enable ServerLog. Then check
for lines containing the squidclamav string in the log file which is
defined with ServerLog in squidclamav's config.

Performance
With SquidClamav the way to tune your service is to tune the c-icap
server and the clamd daemon. Under heavy HTTP load, putting the clamd
daemon on a dedicated server with multiple CPUs will really help.

If you experience Squid "ICAP protocol error" (with bypass enabled)
please consider increasing the following c-icap parameters:
StartServers, MaxServers, MinSpareThreads, MaxSpareThreads,
ThreadsPerChild. Increasing the MaxThreads parameter in clamd.conf may
also help.

Please report any bugs, patches, discussion, etc. to <gilles AT darold
DOT net>.

If you need new features let me know at <gilles AT darold DOT net>.
This helps a lot to develop a better/useful tool.

Any contribution to build a better tool is welcome, you just have to
send me your ideas, feature requests or patches and they will be
applied.

Gilles Darold <gilles AT darold DOT net>

Thanks to Squid-cache.org, Clamav.net and c-icap.sf.net for their great
software.

Special thanks to Christos Tsantilas for his implementation of the
c-icap server. Lots of SquidClamav source code has been learned or
simply cut and pasted from the source code of his clamav service.

I must also thank all the great contributors and all others who help to
build a useful and reliable product. They are all cited in the
ChangeLog file.

Copyright (c) 2005-2023 Gilles Darold - All rights reserved.

Some code is Copyright (C) 2004-2008 Christos Tsantilas

This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 3 of the License, or any later
version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License along
with this program. If not, see <http://www.gnu.org/licenses/>.

perl v5.34.0                      2023-04-22                 SQUIDCLAMAV(1)