Open idavollen opened 1 year ago
For instance, the response headers at https://docs.opswat.com/mdicap/v5.1.0/operating/icap-response-headers are used by the MetaDefender ICAP Server.
How about ICAPeg?
Hello @idavollen, the "X-" headers are custom ICAP headers, and you can pass any information in them. What we have currently implemented is X-ICAP-Metadata, which generates a random string to be able to trace the request across the proxy, the ICAP server and any API service.
You can trace this development and add any custom ICAP header you wish to hold any data, like a virus name or similar. If you have specific requirements, it would be great to hear about them. Thanks.
Hello @mahnouman, thanks for your feedback!
What do you think of making it possible to add a configurable custom ICAP response header, e.g. custom_icap_resp_header=X-Virus-Name for ClamAV in the config.toml file? When clamav.go has got result.Status == Found and c.methodName != utils.ICAPModeResp, we could add the virus found by ClamAV to the configurable custom ICAP response header from config.toml, i.e. adding this code under https://github.com/egirna/icapeg/blob/master/service/services/clamav/clamav.go#L123
customIcapRespHeader := readValues.ReadValuesString("clamav.custom_icap_resp_header") // header name from config.toml
if customIcapRespHeader == "" { customIcapRespHeader = "X-Virus-Name" } // default when the value is empty
serviceHeaders[customIcapRespHeader] = result.Description
ICAP server:172.30.9.32, ip:10.129.8.75, port:1344
These are the testing results with c-icap-client:
{"reason":"File is not safe","service_name":"clamav","requested_url":"http://dev.no","identifier_id":"CLAMAV ID"}
ICAP HEADERS:
ICAP/1.0 200 OK
Date: Thu, 09 Mar 2023 08:50:14 GMT
Encapsulated: req-hdr=0, req-body=25
ISTag: epoch-1678351809
Service: clamav service
X-ICAPeg-Shadow-Service: false
X-Virus-Name: Pdf.Dropper.Agent-7001939-0
REQMOD HEADERS:
GET HTTP/1.0
Host:
Hello @idavollen, working on that. Will keep you updated.
When the AV scanning result for a posted file, e.g. a ZIP or PDF, with ClamAV is that the file is not safe, that is, infected, what does the ICAP response from ICAPeg look like, and how can our ICAP client tell from the ICAP response that the uploaded file is infected?
2023-02-22T15:36:16.203Z info general-functions/general-functions.go:49 extracting the body of HTTP message
2023-02-22T15:36:16.204Z info general-functions/general-functions.go:262 getting the file name
2023-02-22T15:36:16.204Z info general-functions/general-functions.go:442 getting the mime extension of the HTTP message body
2023-02-22T15:36:16.204Z debug general-functions/general-functions.go:462 HTTP message body mime extension is zip
2023-02-22T15:36:16.204Z info general-functions/general-functions.go:71 checking the extension (reject or bypass or process)
2023-02-22T15:36:16.204Z debug general-functions/general-functions.go:75 extension is process
2023-02-22T15:36:16.204Z debug clamav/clamav.go:84 sending the HTTP msg body to the ClamAV through antivirus socket
2023-02-22T15:36:21.205Z debug clamav/clamav.go:111 clamavFile is not safe
2023-02-22T15:36:21.207Z debug api/icap-request.go:189 adding the headers which the service wants to add them in the ICAP response
2023-02-22T15:36:21.207Z debug api/icap-request.go:198 checking if shadow service mode is enabled to add logs instead of returning another
2023-02-22T15:36:21.207Z debug api/icap-request.go:237 clamav returned ICAP response with status code 200
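A client-side check for the behaviour discussed in this thread, as an added example (not ICAPeg's code and not written by any participant): it parses the ICAP status line and headers and keys the verdict on the configurable virus-name header, since the log and c-icap-client output above show an infected file still comes back with status 200. The name Classify, the verdict strings, and the assumption that the header is set only on a detection are illustrative; the sample response is constructed from the output quoted above.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strings"
)

// Constructed sample, modelled on the c-icap-client output quoted in the thread.
const sampleInfected = "ICAP/1.0 200 OK\r\n" +
	"ISTag: epoch-1678351809\r\n" +
	"Encapsulated: req-hdr=0, req-body=25\r\n" +
	"X-Virus-Name: Pdf.Dropper.Agent-7001939-0\r\n\r\n"

// Classify reads the ICAP status line and header block (encapsulated body not
// needed) and returns "infected", "clean" or "unknown" plus the signature name.
// virusHeader is the configured header name, e.g. "X-Virus-Name" (assumption:
// the server sets it only on a detection, as proposed in the thread).
func Classify(raw, virusHeader string) (verdict, virus string, err error) {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	statusLine, err := r.ReadLine()
	if err != nil {
		return "unknown", "", err
	}
	var major, minor, code int
	if _, err := fmt.Sscanf(statusLine, "ICAP/%d.%d %d", &major, &minor, &code); err != nil {
		return "unknown", "", fmt.Errorf("bad ICAP status line %q: %w", statusLine, err)
	}
	hdr, err := r.ReadMIMEHeader() // Get below matches names case-insensitively
	if err != nil {
		return "unknown", "", err
	}
	switch name := strings.TrimSpace(hdr.Get(virusHeader)); {
	case name != "":
		return "infected", name, nil // detection header wins over any status code
	case code == 204:
		return "clean", "", nil // 204 No Content: no modification needed
	default:
		return "unknown", "", nil // 200 without the header, 4xx, 5xx: fail closed
	}
}

func main() {
	fmt.Println(Classify(sampleInfected, "X-Virus-Name"))
}
```

An upload handler should release the file only on "clean" and treat "unknown" and any error the same way as "infected".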