ICAP Anti-Virus the free way … UPDATE

So I said I’d keep an eye on c-icap, and I have, kinda. The initial installation went well and I was happy to have a nice new service on my LAN but a couple of ‘niggles’ have appeared.

The first is this.

Here’s the output from Safari when an attempted virus download occurs

icap

I get the same from Firefox. IE on the other hand gets this –

ie_icap

A slight niggle then. Nothing big, just enough to make a tinkerer sweat :)

So, my first thought was that IE didn’t like the 403 Forbidden response it gets from c-icap which is weird as pcaps from both showed the same response being sent.

IE:

c-icap-ie

Now Firefox:

c-icap-fox

I should say that proxies aren’t the cause here. The effect is the same whether you use a ProxySG from Blue Coat or the free Squid-Cache, believe me, I’ve tried. The response sent from c-icap to the client causes one browser to display the page correctly.

I submitted a post to the c-icap mailing list at SourceForge asking about the problem and received a response very quickly from Christos Tsantilas, the maintainer of the software. IE doesn’t handle the 403 response well (it’s too strict) so he suggested changing the source code so that a ‘200 OK’ response is sent from c-icap instead of the usual 403.

The code changed was located in the /services/clamav/srv_clamav.c file of the install source directory:

ci_respmod_add_header(req, "HTTP/1.1 403 Forbidden");

Changed to:

ci_respmod_add_header(req, "HTTP/1.1 200 OK");

I recompiled the code (after make and make clean were run to start afresh) with ‘./configure --with-clamav && make && make install’.

Once that was done I restarted my c-icap service and voila!

ie-cicap-good

Confirmed via a pcap.

c-icap_tcp-stream
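
The pcap check can also be scripted. The following is an added example, not code from this post or from c-icap: it parses one ICAP RESPMOD reply as it would appear in a followed TCP stream and returns the encapsulated HTTP status, which is the line the patch changes. It assumes the capture was taken on the ICAP leg between the proxy and c-icap; the function names are hypothetical and the sample reply is constructed.

```python
import re

def parse_icap_response(raw: bytes):
    """Return (icap_status, http_status) for one ICAP reply from a TCP stream."""
    head, sep, payload = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.split(b"\r\n")
    m = re.match(rb"ICAP/1\.0 (\d{3}) ", lines[0])
    if not m:
        raise ValueError("not an ICAP response")
    icap_status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    # RFC 3507: "Encapsulated: res-hdr=0, res-body=N" lists byte offsets
    # of each section inside the payload that follows the ICAP headers.
    offsets = {}
    for part in headers.get(b"encapsulated", b"").split(b","):
        key, _, off = part.strip().partition(b"=")
        if off.isdigit():
            offsets[key] = int(off)
    if b"res-hdr" not in offsets:
        return icap_status, None  # e.g. 204: nothing modified, no HTTP header sent
    start = offsets[b"res-hdr"]
    later = [o for o in offsets.values() if o > start]
    res_hdr = payload[start:min(later) if later else len(payload)]
    m = re.match(rb"HTTP/1\.[01] (\d{3})", res_hdr)
    if not m:
        raise ValueError("res-hdr does not start with an HTTP status line")
    return icap_status, int(m.group(1))

def build_sample(status_line: bytes) -> bytes:
    """Constructed ICAP reply (not a real capture) with the given HTTP status line."""
    res_hdr = status_line + b"\r\nContent-Type: text/html\r\n\r\n"
    body = b"<html>VIRUS FOUND</html>"
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap = (b"ICAP/1.0 200 OK\r\n"
            b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_hdr))
    return icap + res_hdr + chunked

if __name__ == "__main__":
    for line in (b"HTTP/1.1 403 Forbidden", b"HTTP/1.1 200 OK"):
        print(line.decode(), "->", parse_icap_response(build_sample(line)))
```

The ICAP status is 200 in both cases because it only says the ICAP server returned a modified response; the block decision is visible in the encapsulated HTTP status. With the patched build that status is also 200, so scripts and log reports that key off the HTTP status will count a blocked download as a successful one.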

My thanks to Tsantilas Christos for his assistance on resolving the problem. I hope that c-icap continues to grow as a package in both features and popularity.
