Forum Discussion

M_Hallster_2314
Oct 28, 2015

Virus Scanning with ClamAV

I've read some really good information regarding the integration of F5 to antivirus for file scanning, but wanted to verify something before proceeding. I have an F5 Big-IP (11.6) with the ASM module and have a clamav daemon running in the enterprise. From what I've read, I've derived that I need a proxy to handle the ICAP comms between the two nodes. Is this correct? Other than that, am I missing something? So comms would be: F5 ASM -> request to Proxy -> proxy to clamav -> clam sends response code to proxy -> proxy to F5.


Thanks in advance


6 Replies

  • Thank you IheartF5 for the response. Now that I've done more reading, I should've said ICAP Server instead of proxy. From additional reading and looking at the diagram in the link you provided, I would need to stand up an ICAP server (pretty sure ClamAV does not provide this capability). With all that said, from my understanding with Big-IP 10.6, all you have to do is configure anti-Virus Protection (under Integrated Services) and files (under 20MB) are automatically sent to the ICAP server (see inserted pic).


    • AP
      Hi, how did you go integrating with ClamAV? Any issues? I'm currently integrating ASM with SquidClamAV and having issues, however it seems the Squid component is really redundant since the F5 is the proxy, so I'm not sure that the 3rd party looking after the SquidClamAV server has their solution configured to work as just an ICAP Server + ClamAV. Wondering if anyone has any experience or tips with SquidClamAV? Thanks
    • AP
      For anyone interested, it seems that C-ICAP Server, which is commonly used in conjunction with ClamAV and is also part of the SquidClamAV solution, does not work with file uploads as part of POST requests. In particular, we were trying to send multi-part form file uploads for scanning, but CLAMAV doesn't receive the full payload. The c-icap developer himself even mentions: "The virus_scan module can not scan uploaded data (eg those which included in a POST request). It scans only downloaded data."
  • Hi All,

    I was interested to test ICAP integration with CLAMAV (for testing purposes) with ASM.

    On an Ubuntu server configured with only an SSH server and a fixed IP address (better for a server), I used the following commands to install C-ICAP with ClamAV and make it available for ASM:

    # Install packages with dependencies
    apt-get update
    apt-get -y install c-icap
    apt-get -y install libc-icap-mod-virus-scan

    # Configure c-icap with expected parameters
    sed -i.back /etc/c-icap/c-icap.conf -e 's/${prefix}/\/usr/'
    sed -i.back /etc/c-icap/c-icap.conf -e "s/^ServerName.*/ServerName $(hostname)/g"
    echo "Include virus_scan.conf" >> /etc/c-icap/c-icap.conf
    # Uncomment the clamav module include in virus_scan.conf
    sed -i.back /etc/c-icap/virus_scan.conf -e "/^#Include clamav_mod.conf/s/^#//"

    # Start the service ... don't know why not enabled
    sed -i.back /etc/default/c-icap -e 's/START=no/START=yes/'

    # Restart services
    service c-icap restart
    service clamav-freshclam restart
    

    On the ASM, configure the following parameters:

    • Security ›› Options : Application Security : Advanced Configuration : System Variables

      • icap_uri : /avscan (default value is /reqmod)
      • virus_header_name : leave the default value X-Virus-Name,X-Infection-Found
    • Security ›› Options : Application Security : Integrated Services : Anti-Virus Protection

      • Server Host Name/IP Address : IP of ubuntu server
      • Server Port Number : 1433 (default port)
      • Guarantee Enforcement : Enabled

    For each security policy:

    • Security ›› Application Security : Integrated Services : Anti-Virus Protection
      • Inspect file uploads within HTTP requests : Enabled
    • Security ›› Application Security : Policy Building : Learning and Blocking Settings (version 13 menu... Security ›› Application Security : Blocking in previous versions)
      • Virus Detected : Learn, Alarm, Block
    • Gym

      Why would you set "Learn" in the policy? The article https://support.f5.com/csp/article/K70941653 only says Alarm and Block. Why would you want to learn a virus?


      I think you have a typo as well: the default port would be 1344, not 1433 (MS-SQL).
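To make the ICAP exchange concrete (the REQMOD request ASM sends to the icap_uri, the chunked body an ICAP server has to unwrap to scan a POST upload, which is exactly the step AP reports c-icap's virus_scan module skipping, and the X-Virus-Name / X-Infection-Found headers that virus_header_name names), here is an added example that is not from this thread, c-icap or F5. It is a pure-function REQMOD handler; the scanner is a stand-in that only recognises the EICAR test string (a real deployment would hand the body to clamd, which the example assumes would be done over clamd's INSTREAM command), the host 10.0.0.5:1344 and the multipart request are constructed sample values, and make_reqmod / handle_reqmod are hypothetical helper names.

```python
"""Minimal ICAP REQMOD handler (added example, not code from the thread, c-icap or F5).

Parses the REQMOD request an ICAP client such as ASM would send to icap_uri,
extracts the encapsulated (chunked) HTTP request body, scans it, and answers
with the headers ASM reads (virus_header_name = X-Virus-Name,X-Infection-Found).
"""
import re
from typing import Optional
from urllib.parse import urlsplit

ICAP_URI = "/avscan"  # same icap_uri value as configured on the ASM in the thread

# EICAR test signature, assembled from two halves so the file itself is not flagged.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}" + b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def _split_headers(block: bytes):
    """Return (start line, {lower-case header name: value}) for an ICAP/HTTP head."""
    lines = block.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().decode().lower()] = value.strip().decode()
    return lines[0].decode(), headers


def _dechunk(data: bytes) -> bytes:
    """Decode an HTTP chunked body (ICAP encapsulated bodies are always chunked)."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def _chunked(data: bytes) -> bytes:
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data) if data else b"0\r\n\r\n"


def parse_reqmod(raw: bytes) -> dict:
    head, _, payload = raw.partition(b"\r\n\r\n")
    start, headers = _split_headers(head)
    method, uri, _ = start.split(" ", 2)
    # Encapsulated gives the byte offset of each section within the payload.
    offsets = dict(re.findall(r"(\w+-\w+)=(\d+)", headers.get("encapsulated", "")))
    req_hdr = body = b""
    if "req-hdr" in offsets:
        end = int(offsets.get("req-body", offsets.get("null-body", len(payload))))
        req_hdr = payload[int(offsets["req-hdr"]):end]
    if "req-body" in offsets:
        body = _dechunk(payload[int(offsets["req-body"]):])
    return {"method": method, "uri": uri, "headers": headers, "req_hdr": req_hdr, "body": body}


def scan_stand_in(data: bytes) -> Optional[str]:
    """Stand-in for clamd (assumption: real code would use clamd INSTREAM)."""
    return "Eicar-Test-Signature" if EICAR in data else None


def build_response(req: dict, virus: Optional[str]) -> bytes:
    if req["method"] != "REQMOD" or urlsplit(req["uri"]).path != ICAP_URI:
        return b"ICAP/1.0 404 ICAP Service not found\r\nEncapsulated: null-body=0\r\n\r\n"
    if virus is None:
        # Clean upload: 204 tells the client to forward the request unmodified.
        if "204" in req["headers"].get("allow", ""):
            return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
        enc = b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(req["req_hdr"])
        return b"ICAP/1.0 200 OK\r\n" + enc + req["req_hdr"] + _chunked(req["body"])
    # Infected: replace the request with a blocking HTTP response and flag the
    # detection in the headers ASM matches against virus_header_name.
    v = virus.encode()
    page = b"Upload rejected: " + v + b"\r\n"
    http = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(page)
    icap = b"\r\n".join([
        b"ICAP/1.0 200 OK",
        b"X-Virus-Name: " + v,
        b"X-Infection-Found: Type=0; Resolution=2; Threat=" + v + b";",
        b"Encapsulated: res-hdr=0, res-body=%d" % len(http),
    ])
    return icap + b"\r\n\r\n" + http + _chunked(page)


def handle_reqmod(raw: bytes, scanner=scan_stand_in) -> bytes:
    req = parse_reqmod(raw)
    # Scanning the *request* body is what a REQMOD upload scanner must do.
    return build_response(req, scanner(req["body"]) if req["method"] == "REQMOD" else None)


def make_reqmod(file_bytes: bytes, host: bytes = b"10.0.0.5:1344") -> bytes:
    """Constructed REQMOD request wrapping a multipart POST, as ASM would send it."""
    boundary = b"----f5example"
    mp = (b"--" + boundary + b"\r\nContent-Disposition: form-data; name=\"file\"; filename=\"upload.bin\"\r\n"
          b"Content-Type: application/octet-stream\r\n\r\n" + file_bytes + b"\r\n--" + boundary + b"--\r\n")
    http_hdr = b"\r\n".join([b"POST /upload HTTP/1.1", b"Host: app.example",
                             b"Content-Type: multipart/form-data; boundary=" + boundary,
                             b"Content-Length: %d" % len(mp)]) + b"\r\n\r\n"
    icap_hdr = b"\r\n".join([b"REQMOD icap://" + host + ICAP_URI.encode() + b" ICAP/1.0",
                             b"Host: " + host, b"Allow: 204",
                             b"Encapsulated: req-hdr=0, req-body=%d" % len(http_hdr)]) + b"\r\n\r\n"
    return icap_hdr + http_hdr + _chunked(mp)


if __name__ == "__main__":
    print(handle_reqmod(make_reqmod(b"hello world")).decode())  # 204 No Content
    print(handle_reqmod(make_reqmod(EICAR)).decode())           # 200 OK + X-Virus-Name
```

A request to a different service path (for example the /reqmod default mentioned above) gets a 404, which is the symptom to look for if the icap_uri on the ASM and the service name on the ICAP server disagree.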