Forum Discussion
Virus Scanning with ClamAV
I've read some really good information regarding the integration of F5 to antivirus for file scanning, but wanted to verify something before proceeding. I have an F5 Big-IP (11.6) with the ASM module and have a clamav daemon running in the enterprise. From what I've read, I've derived that I need a proxy to handle the ICAP comms between the two nodes. Is this correct? Other than that, am I missing something? So comms would be: F5 ASM -> request to Proxy -> proxy to clamav -> clam sends response code to proxy -> proxy to F5.
Thanks in advance
7 Replies
- IheartF5_45022
Nacreous
Hi - no, you shouldn't need a proxy, as the LTM acts as a proxy. Have you read this: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-4-0/13.html?
Read it and then ask any questions.
- M_Hallster_2314
Nimbostratus
Thank you IheartF5 for the response. Now that I've done more reading, I should've said ICAP Server instead of proxy. From additional reading and looking at the diagram in the link you provided, I would need to stand up an ICAP server (pretty sure ClamAV does not provide this capability). With all that said, from my understanding with Big-IP 10.6, all you have to do is configure Anti-Virus Protection (under Integrated Services) and files (under 20MB) are automatically sent to the ICAP server (see inserted pic).
- AP
Nimbostratus
Hi, how did you go integrating with ClamAV? Any issues? I'm currently integrating ASM with SquidClamAV and having issues; however, it seems the Squid component is really redundant since the F5 is the proxy, so I'm not sure that the 3rd party looking after the SquidClamAV server has their solution configured to work as just an ICAP Server + ClamAV. Wondering if anyone has any experience or tips with SquidClamAV? Thanks - AP
Nimbostratus
For anyone interested, it seems that C-ICAP Server, which is commonly used in conjunction with ClamAV and is also part of the SquidClamAV solution, does not work with file uploads as part of POST requests. In particular, we were trying to send multi-part form file uploads for scanning, but CLAMAV doesn't receive the full payload. The c-icap developer himself even mentions: "The virus_scan module can not scan uploaded data (eg those which included in a POST request). It scans only downloaded data."
- Stanislas_Piro2
Cumulonimbus
Hi All,
I was interested to test ICAP integration with CLAMAV (for testing purpose) with ASM.
On an Ubuntu server configured with only an SSH server and a fixed IP address (better for a server), I used the following commands to install C-ICAP with ClamAV and make it available for ASM:

```bash
# Install packages with dependencies
apt-get update
apt-get -y install c-icap
apt-get -y install libc-icap-mod-virus-scan

# Configure c-icap with expected parameters
sed -i.back /etc/c-icap/c-icap.conf -e 's/${prefix}/\/usr/'
sed -i.back /etc/c-icap/c-icap.conf -e "s/^ServerName.*/ServerName $(hostname)/g"
echo "Include virus_scan.conf" >> /etc/c-icap/c-icap.conf
# Uncomment the 'Include clamav_mod.conf' line so virus_scan uses the ClamAV engine
# (the pattern assumes the line ships with a leading '#', as in the packaged config)
sed -i.back /etc/c-icap/virus_scan.conf -e "/^#Include clamav_mod.conf/s/^#//"

# Start the service ... don't know why not enabled
sed -i.back /etc/default/c-icap -e 's/START=no/START=yes/'

# Restart services
service c-icap restart
service clamav-freshclam restart
```
On the ASM, configure the following parameters:
- Security ›› Options : Application Security : Advanced Configuration : System Variables
  - icap_uri : /avscan (default value is /reqmod)
  - virus_header_name : leave the default value X-Virus-Name,X-Infection-Found
- Security ›› Options : Application Security : Integrated Services : Anti-Virus Protection
  - Server Host Name/IP Address : IP of the Ubuntu server
  - Server Port Number : 1433 (default port)
  - Guarantee Enforcement : Enabled

For each security policy:
- Security ›› Application Security : Integrated Services : Anti-Virus Protection
  - Inspect file uploads within HTTP requests : Enabled
- Security ›› Application Security : Policy Building : Learning and Blocking Settings (version 13 menu... Security ›› Application Security : Blocking in previous versions)
  - Virus Detected : Learn, Alarm, Block
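As an added example (not code from the post above, nor from F5 or c-icap), a small Python ICAP client that sends the kind of REQMOD request ASM generates for a file upload to the /avscan service and reads back the verdict headers named in the System Variables above. The server address, the origin host inside the embedded POST and the two sample replies are assumptions; sending a known-detected test file (the EICAR test file) through it before pointing ASM at the server shows whether the upload body is actually scanned, which is the limitation AP describes earlier in the thread.

```python
import socket
ICAP_PORT = 1344  # ICAP's registered port (the post above lists 1433, which is MS-SQL)
VIRUS_HEADERS = ("x-virus-name", "x-infection-found")  # ASM's virus_header_name default

def build_reqmod(host, service, body, uri="/upload"):
    """ICAP REQMOD wrapping an HTTP POST of `body`: the shape ASM sends for a file upload."""
    http_req = (f"POST {uri} HTTP/1.1\r\nHost: app.example\r\n"  # hypothetical origin host
                f"Content-Type: application/octet-stream\r\n"
                f"Content-Length: {len(body)}\r\n\r\n").encode()
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"  # ICAP bodies are chunked
    icap_hdr = (f"REQMOD icap://{host}:{ICAP_PORT}{service} ICAP/1.0\r\n"
                f"Host: {host}\r\nAllow: 204\r\n"
                f"Encapsulated: req-hdr=0, req-body={len(http_req)}\r\n\r\n").encode()
    return icap_hdr + http_req + chunked

def parse_icap_response(raw):
    """Return (status code, {lower-cased header: value}) from the ICAP header block."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def verdict(raw):
    """Reported virus name, or 'clean' when no virus header came back (204 replies carry none)."""
    _, headers = parse_icap_response(raw)
    for name in VIRUS_HEADERS:
        if name in headers:
            return headers[name]
    return "clean"

def scan(host, body, service="/avscan", timeout=10):
    """Send one REQMOD to a live c-icap host and return its verdict (needs the network)."""
    with socket.create_connection((host, ICAP_PORT), timeout=timeout) as sock:
        sock.sendall(build_reqmod(host, service, body))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return verdict(raw)

# Constructed sample replies (not captured from a real server), for offline checks
CLEAN_REPLY = b'ICAP/1.0 204 Unmodified\r\nISTag: "CI0001-constructed"\r\n\r\n'
INFECTED_REPLY = (b"ICAP/1.0 200 OK\r\nX-Virus-Name: Eicar-Test-Signature\r\n"
                  b"X-Infection-Found: Type=0; Resolution=2; Threat=Eicar-Test-Signature;\r\n"
                  b"Encapsulated: res-hdr=0, res-body=100\r\n\r\n")
```

Run `scan("<icap-server-ip>", open("eicar.com", "rb").read())` against the box built above; "clean" for that file means c-icap did not inspect the POST body.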
- Gym
Cirrus
Why would you set "Learn" in the policy? The article https://support.f5.com/csp/article/K70941653 only says Alarm and Block. Why would you want to learn a virus?
I think you have a typo as well: the default port would be 1344, not 1433 (MS-SQL).
- koolits_71
Employee
Nice post.
Will try this in the lab and see if it works.