On 08/07/15 17:33, Rafael Ferreira wrote:
> Well, the progress you see is likely to be transfer, not processing, time
> since that's where most time is going to be spent for a sizable file anyways
> (under normal circumstances) so I doubt clamd is your main latency source
> here.

? I said clam was the only one that performed well - not the other way around! :-)

> Can you elaborate on your setup a bit? Is the ICAP proxy in-line to your
> users or alongside another caching proxy like squid?

You can't use ICAP inline - it's always used in conjunction with a proxy server. We use squid.

We used to use "client->squid->havp->(clam|sophie)->Internet" with great success, but havp is dead and showing its age (some of the newer HTTP options confuse it) and so we want to move to ICAP, primarily because it involves the least number of changes (ie it's either that or throw away squid entirely).

c-icap using clam seems to be able to "stream": a large download starts flowing to the client very quickly (which is what havp as an "AV proxy" did really well too) - whereas all the commercial ones I've tried seem to effectively block until the content is passed to ICAP, so it can run AV over the file in its entirety and then throws it at the client. End result is wigged out users. (BTW: they don't totally block - but they "trickle" at such an absurd rate that they might as well have blocked.)

I must say all the commercial ICAP products are always part of a "full" proxy server - so I wonder if they actually work fine if you use their proprietary product instead of what I'm trying to do (ie maybe this is a marketing trick). I find it hard to believe anyone would want to buy these products as they stand. You know people: they want security with *no* overhead/inconvenience ;-)

I'm also aware of the consequence of not scanning the full file in advance - it could miss something - but the compromise is acceptable: a product that scans in streamed chunks, pushing each finished piece to the client, and then at the end is able to do the "proper scan" can still drop the last chunk - breaking the webpage (and therefore corrupting malware executables or zip files - which are 90% of the baddies) and saving the client.

If the only "proper" solution is to block and scan the entire webpage (I keep using that phrase because 99.999% of ICAP queries are of webpages) before handing anything to the client, well that would explain why not enough organizations do AV content filtering of web traffic: their IT groups got lynched when they tried to implement it ;-)

--
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml