Squid Icapd


23 replies to this topic

#1 radionuk

    Newbie

  • Posters
  • 5 posts

Posted 14 April 2009 - 15:06

Greetings!

Help me sort out Squid and icapd.
FreeBSD 7, Squid 3.0 Stable 13.

I installed everything according to the instructions. Everything sees everything else, but Squid does not react to viruses at all.
It's a mystery; I've racked my brains over it.

Tue Apr 14 11:19:05 2009 (18911): DEBUG Going for infinitely waiting for 6 (6/3) descriptor...Tue Apr 14 11:19:07 2009 (18911): DEBUG icap header - 'REQMOD icap://localhost:1344/respmod ICAP/1.0
'
Tue Apr 14 11:19:07 2009 (18911): DEBUG icap_handle: enchain non empty
Tue Apr 14 11:19:07 2009 (18911): DEBUG icap_hold_entities: next entity offset == 0; ennode->type=req-hdr
Tue Apr 14 11:19:07 2009 (18911): DEBUG icap_hold_entities: next entity offset == 512; ennode->type=null-body
Tue Apr 14 11:19:07 2009 (18911): DEBUG icap_send_entities: dump header (size = 512):
[GET http://www.eicar.org/download/eicar_com.zip HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.eicar.org/anti_virus_test_file.htm
Accept-Language: ru
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; InfoPath.1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: www.eicar.org

]
Tue Apr 14 11:19:07 2009 (18911): DEBUG Going for infinitely waiting for 6 (6/3) descriptor...Tue Apr 14 11:19:12 2009 (18911): DEBUG icap header - 'REQMOD icap://localhost:1344/respmod ICAP/1.0
'
Tue Apr 14 11:19:12 2009 (18911): DEBUG icap_handle: enchain non empty
Tue Apr 14 11:19:12 2009 (18911): DEBUG icap_hold_entities: next entity offset == 0; ennode->type=req-hdr
Tue Apr 14 11:19:12 2009 (18911): DEBUG icap_hold_entities: next entity offset == 508; ennode->type=null-body
Tue Apr 14 11:19:12 2009 (18911): DEBUG icap_send_entities: dump header (size = 508):
[GET http://www.eicar.org/download/eicar.com HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.eicar.org/anti_virus_test_file.htm
Accept-Language: ru
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; InfoPath.1; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: www.eicar.org

]
Tue Apr 14 11:19:12 2009 (18911): DEBUG Going for infinitely waiting for 6 (6/3) descriptor...Tue Apr 14 11:20:05 2009 (18909): DEBUG ICAP client close connection -> exit from processTue Apr 14 11:20:05 2009 (18912): DEBUG ICAP client close connection -> exit from processTue Apr 14 11:20:05 2009 (18910): DEBUG ICAP client close connection -> exit from processTue Apr 14 11:20:13 2009 (18911): DEBUG ICAP client close connection -> exit from processTue Apr 14 11:21:05 2009 (18932): DEBUG icap header - 'REQMOD icap://localhost:1344/respmod ICAP/1.0

#2 Anton Ivanov

    Advanced Member

  • Posters
  • 842 posts

Posted 14 April 2009 - 15:12

You connected drweb-icapd to squid incorrectly -
you used reqmod instead of respmod.

Check the icapd documentation and your settings in squid.conf once more.

#3 radionuk

    Newbie

  • Posters
  • 5 posts

Posted 14 April 2009 - 15:24

Thank you very much!
You are absolutely right!
I'll keep testing.
The network is about 100 machines; it will be interesting to see whether it slows things down...

#4 radionuk

    Newbie

  • Posters
  • 5 posts

Posted 15 April 2009 - 12:40

Sorry, one more question.

Is there a way to specify a whitelist of sites that should not be checked for viruses?

:)

#5 Anton Ivanov

    Advanced Member

  • Posters
  • 842 posts

Posted 15 April 2009 - 12:42

Yes, the WhiteHosts setting in the drweb-icapd.ini file.

#6 radionuk

    Newbie

  • Posters
  • 5 posts

Posted 15 April 2009 - 13:15

And what is the record format for the hosts themselves? As an example I wrote it like this (created a file and referenced it in the config):
eicar.org
The file with the virus is still blocked.

#7 Anton Ivanov

    Advanced Member

  • Posters
  • 842 posts

Posted 15 April 2009 - 13:26

You must create a file with any name (the main thing is that the permissions are right) and write the host eicar.org inside it.
If it doesn't work, please provide the full logs of the startup and of the access to the site.

#8 radionuk

    Newbie

  • Posters
  • 5 posts

Posted 15 April 2009 - 14:11

It's trickier than that:
it was in Squid's cache, which is why it was being downloaded.
After clearing the cache everything worked.
Thanks!

#9 iplir

    Newbie

  • Posters
  • 13 posts

Posted 13 May 2009 - 13:54

You connected drweb-icapd to squid incorrectly -
you used reqmod instead of respmod.

Check the icapd documentation and your settings in squid.conf once more.



Sorry, but in my squid.conf I have:
icap_enable on
icap_preview_enable on
icap_preview_size 0
icap_send_client_ip on
icap_persistent_connections on

icap_service service_1 respmod_precache 1 icap://localhost:1344/respmod

icap_class class_1 service_1
icap_access class_1 allow all
When trying to download the file eicarcom2.zip from the site http://www.eicar.org/anti_virus_test_file.htm it gives a virus error; all the other files download fine without any warnings.

Could you suggest which direction to dig in?

#10 Anton Ivanov

    Advanced Member

  • Posters
  • 842 posts

Posted 13 May 2009 - 14:42

Did you clear the browser/squid cache? :)

#11 iplir

    Newbie

  • Posters
  • 13 posts

Posted 13 May 2009 - 14:44

Did you clear the browser/squid cache? :)


Yes. I deleted everything and started from scratch! Doesn't work! Same as before.

#12 Anton Ivanov

    Advanced Member

  • Posters
  • 842 posts

Posted 13 May 2009 - 15:00

Then detailed drweb-icapd logs are needed.

#13 iplir

    Newbie

  • Posters
  • 13 posts

Posted 13 May 2009 - 15:07

Then detailed drweb-icapd logs are needed.


The most interesting thing is that it is 0 there (the file size). I'm looking at the path /var/drweb/log/drweb-icapd.log
Owner and group of the file: drweb

#14 Anton Ivanov

    Advanced Member

  • Posters
  • 842 posts

Posted 13 May 2009 - 15:10

Then detailed drweb-icapd logs are needed.


The most interesting thing is that it is 0 there (the file size). I'm looking at the path /var/drweb/log/drweb-icapd.log
Owner and group of the file: drweb


Try restarting drweb-icapd - did anything appear in the logs?
Please show the drweb-icapd configuration file.

#15 iplir

    Newbie

  • Posters
  • 13 posts

Posted 13 May 2009 - 15:25

Then detailed drweb-icapd logs are needed.


The most interesting thing is that it is 0 there (the file size). I'm looking at the path /var/drweb/log/drweb-icapd.log
Owner and group of the file: drweb


Try restarting drweb-icapd - did anything appear in the logs?
Please show the drweb-icapd configuration file.



The drweb-icapd.ini file:
# $Revision: 1.46 $
# 8<----------------------------------------------------------------

[Icapd]

# If at start-up the size of the log file is greater than
# MaxLogSize, the file is truncated; set this value to 0 if you do
# not want to touch the log file at start-up. The value of
# this parameter is not taken into account if Logfile=syslog.
MaxLogSize = 1M

# Loglevel = bitwise ored constants:
# Sets the level of log entries. It is an arbitrary combination (sum)
# of the following values:
# -1 - do not output
# 0 - output information about errors and detected viruses
# 1 - output information of the INFO level: about checked clean files
# and other overhead information
# 2 - output general messages
# 4 - output chunk analysis messages
# 8 - output extended messages on fragments (chunks)
# 16 - output syntax analyzer's log
# 32 - output other debug messages
# Example. The loglevel 11 value sets outputting of the Dr.Web daemon
# messages, general messages and extended messages by fragments.
Loglevel = 1

# Log file name. You may specify 'syslog' as name, the report will be
# logged by means of syslogd system service. Using syslog, pay
# attention to SyslogFacility and SyslogPriority options. Since
# syslog has a few files to log different events and different degrees
# of their importance, you can find out where the daemon's report will
# be written to, basing on these two parameters and the contents of
# the configuration file syslog (usually /etc/syslogd.conf).
#
# Logfile = syslog
Logfile = /var/drweb/log/drweb-icapd.log
Logfile = syslog


# SyslogFacility = {Daemon|Mail|Local0 .. Local7} (Daemon)
# The type of subsystem through which the system service syslogd displays
# messages on events (for more, please refer to the documentation on
# syslog).
SyslogFacility = Daemon

# SyslogPriority = {Warning|Notice|Info|Alert} (Info)
# The level of log output through syslogd
SyslogPriority = Info

#Specifies the email address of an administrator
Hostmaster = admin@laplandya.ru


# 8<----------------------------------------------------------------
# default actions against infected and/or suspicious objects:
#
# Incurable = truncate | report | move
# "truncate" makes the server return a reply with Content-Length = 0.
# "report" mode returns template reports.
Incurable = report
# Suspicious = truncate | report | pass | move
# all the same, and "pass" returns content as it was received from DrWeb®
Suspicious = report
# Infected = truncate | report | cure(pass) | move
# the same with suspicious (a file was cured)
Infected = report

# Adware = truncate | report | pass | move
Adware = report
# Dialers = truncate | report | pass | move
Dialers = report
# Jokes = truncate | report | pass | move
Jokes = pass
# Riskware = truncate | report | pass | move
Riskware = pass
# Hacktools = truncate | report | pass | move
Hacktools = pass

# there was an error in archive check
# ArchiveRestriction = truncate | report | pass | move
# the same with suspicious
ArchiveRestriction = report

# if there was an error in drwebd
# DaemonError = truncate | report | pass | move
# all the same with suspicious
DaemonError = report

# if there was a skip object error (bad crc, symlink, etc.)
# SkipObject = truncate | report | pass | move
# the same with suspicious
SkipObject = pass

# if there are some problems with license
# LicenseError = truncate | report | pass | move
# the same with suspicious
LicenseError = report

# options
# whether to use heuristic analysis
Heuristic = yes

# Enable/disable "local scanning" mode.
LocalScan = yes

# 8<----------------------------------------------------------------
# runtime environment settings:
#
User = drweb

# Path to the temporary directory
Cache = /var/drweb/cache/

# error diagnostic templates; this is a path to directory, in
# contrast with "cache"
Templates = /etc/drweb/templates/icapd

# location of pid file
PidFile = /var/drweb/run/drweb_icapd.pid

# location of key file. If drweb-icapd is running under Control Agent
# control, value of this parameter is not taken into account.
Key = /opt/drweb/drweb32.key

# List of files with hosts that must be blocked
BlockHosts =
# List of files with hosts that will not be checked for viruses
WhiteHosts =

# Maximum size of transfer data
MaxBlocksize = 10m

# sets the port to which the icap-clients (for example, Squid) should
# connect when connecting to drweb-icapd
BindPort = 1344
# sets the host where drweb-icapd resides
BindAddress = 127.0.0.1

# Sets addresses to the Dr.Web daemon separated by `,', and specified
# in the special format {FAMILY}:{ADDRESS}
# where FAMILY has one of the following values:
# inet - uses TCP/IP socket, and {ADDRESS} is {PORT}@{HOST}
# local - uses UNIX socket, and {ADDRESS} is {SOCKETFILE}
# pid - takes the daemon's address from the pid file, and {ADDRESS}
# is {PIDFILE}
# Examples:
# DrwebAddress = inet:3000@127.0.0.1
# DrwebAddress = local:/usr/local/drweb/run/drwebd.skt
# DrwebAddress = pid:/usr/local/drweb/run/drwebd.pid
# DrwebAddress = pid:/var/drweb/run/drwebd.pid, inet:3000@backup_server.example.com
# If setting the connection via the first address in the list fails, the
# "local scanning" mode is forcedly disabled
DrwebAddress = pid:/var/drweb/run/drwebd.pid

# Specifies the directory where quarantine will be located
PathToQuarantine = /var/drweb/infected

# The rights for files in the quarantine.
QuarantineFilesMode = 0660

# Timeout in seconds
Timeout = 300

# The parameter sets whether to send a notification to the administrator at
# the Hostmaster address about an attempt to open a 'bad' page.
SendMail = no

# The command executed to send a notification to the administrator about
# an attempt to open a 'bad' page.
# %s is replaced with the value of the Hostmaster parameter.
MailCommand = "/usr/sbin/sendmail -i -bm -f drweb -- %s"

# Time span in seconds within which repeated notifications about opening
# the same 'bad' page are not sent to the administrator. If the value is zero,
# the notification is sent every time a page is blocked.
MailCache = 60

# The list of files with the IP addresses and hosts allowed to access
# drweb-icapd. If the list is empty or no address is found in the
# stated files, drweb-icapd accepts connections from all clients.
AclList =

# Send the statistics on detected viruses to the Agent or not.
SendStat = no

# Maintain permanent connection with the proxy server or not.
KeepAlive = yes

# Enables/disables the preview pilot mode (required for proxy-servers
# which handle incorrectly the preview mode)
UsePreview = yes

# definition of MIME section

MimeStart
* scan 1M pass
application scan 1M pass
image scan 1M pass
message scan 1M pass
multipart scan 1M pass
text scan 1M pass
audio pass all
video pass all
application/x-mms-framed pass all
MimeEnd

#16 Anton Ivanov

    Advanced Member

  • Posters
  • 842 posts

Posted 13 May 2009 - 15:28

Set
Loglevel = 63

remove the line
Logfile = syslog

then restart drweb-icapd
and download the file with the virus for a check,
then show the file
/var/drweb/log/drweb-icapd.log

#17 iplir

    Newbie

  • Posters
  • 13 posts

Posted 13 May 2009 - 15:50

The strange thing is that it only shows me ICQ, but the access to eicar is not visible.

#18 Anton Ivanov

    Advanced Member

  • Posters
  • 842 posts

Posted 13 May 2009 - 15:53

The strange thing is that it only shows me ICQ, but the access to eicar is not visible.


That means squid is letting it past icapd. Check the caches, the squid settings and its logs once more.

#19 iplir

    Newbie

  • Posters
  • 13 posts

Posted 13 May 2009 - 15:57

The strange thing is that it only shows me ICQ, but the access to eicar is not visible.


That means squid is letting it past icapd. Check the caches, the squid settings and its logs once more.


Sorry, here is what it writes after start and stop:


Wed May 13 18:50:36 2009 (12129): DEBUG parse SyslogFacility = Daemon
Wed May 13 18:50:36 2009 (12129): DEBUG parse SyslogPriority = Info
Wed May 13 18:50:36 2009 (12129): DEBUG parse Hostmaster = admin@laplandya.ru
Wed May 13 18:50:36 2009 (12129): DEBUG parse Incurable = report
Wed May 13 18:50:36 2009 (12129): DEBUG parse Suspicious = report
Wed May 13 18:50:36 2009 (12129): DEBUG parse Infected = report
Wed May 13 18:50:36 2009 (12129): DEBUG parse Adware = report
Wed May 13 18:50:36 2009 (12129): DEBUG parse Dialers = report
Wed May 13 18:50:36 2009 (12129): DEBUG parse Jokes = pass
Wed May 13 18:50:36 2009 (12129): DEBUG parse Riskware = pass
Wed May 13 18:50:36 2009 (12129): DEBUG parse Hacktools = pass
Wed May 13 18:50:36 2009 (12129): DEBUG parse ArchiveRestriction = report
Wed May 13 18:50:36 2009 (12129): DEBUG parse DaemonError = report
Wed May 13 18:50:36 2009 (12129): DEBUG parse SkipObject = pass
Wed May 13 18:50:36 2009 (12129): DEBUG parse LicenseError = report
Wed May 13 18:50:36 2009 (12129): DEBUG parse Heuristic = yes
Wed May 13 18:50:36 2009 (12129): DEBUG parse LocalScan = yes
Wed May 13 18:50:36 2009 (12129): DEBUG parse User = drweb
Wed May 13 18:50:36 2009 (12129): DEBUG parse Cache = /var/drweb/cache/
Wed May 13 18:50:36 2009 (12129): DEBUG parse Templates = /etc/drweb/templates/icapd
Wed May 13 18:50:36 2009 (12129): DEBUG parse PidFile = /var/drweb/run/drweb_icapd.pid
Wed May 13 18:50:36 2009 (12129): DEBUG parse Key = /opt/drweb/drweb32.key
Wed May 13 18:50:36 2009 (12129): DEBUG parse BlockHosts =
Wed May 13 18:50:36 2009 (12129): DEBUG parse WhiteHosts =
Wed May 13 18:50:36 2009 (12129): DEBUG parse MaxBlocksize = 10m
Wed May 13 18:50:36 2009 (12129): DEBUG parse BindPort = 1344
Wed May 13 18:50:36 2009 (12129): DEBUG parse BindAddress = 127.0.0.1
Wed May 13 18:50:36 2009 (12129): DEBUG parse DrwebAddress = pid:/var/drweb/run/drwebd.pid
Wed May 13 18:50:36 2009 (12129): DEBUG Type 2 serv host /var/drweb/run/.daemon
Wed May 13 18:50:36 2009 (12129): DEBUG Type 1 serv 3000 host 127.0.0.1
Wed May 13 18:50:36 2009 (12129): DEBUG parse PathToQuarantine = /var/drweb/infected
Wed May 13 18:50:36 2009 (12129): DEBUG parse QuarantineFilesMode = 0660
Wed May 13 18:50:36 2009 (12129): DEBUG parse Timeout = 300
Wed May 13 18:50:36 2009 (12129): DEBUG parse SendMail = no
Wed May 13 18:50:36 2009 (12129): DEBUG parse MailCommand = "/usr/sbin/sendmail -i -bm -f drweb -- %s"
Wed May 13 18:50:36 2009 (12129): DEBUG parse MailCache = 60
Wed May 13 18:50:36 2009 (12129): DEBUG parse AclList =
Wed May 13 18:50:36 2009 (12129): DEBUG parse SendStat = no
Wed May 13 18:50:36 2009 (12129): DEBUG parse KeepAlive = yes
Wed May 13 18:50:36 2009 (12129): DEBUG parse UsePreview = yes
Wed May 13 18:50:36 2009 (12129): DEBUG mime_level1: * = [scan <= 1048576 > pass]
Wed May 13 18:50:36 2009 (12129): DEBUG mime_level1: application = [scan <= 1048576 > pass]
Wed May 13 18:50:36 2009 (12129): DEBUG mime_level1: image = [scan <= 1048576 > pass]
Wed May 13 18:50:36 2009 (12129): DEBUG mime_level1: message = [scan <= 1048576 > pass]
Wed May 13 18:50:36 2009 (12129): DEBUG mime_level1: multipart = [scan <= 1048576 > pass]
Wed May 13 18:50:36 2009 (12129): DEBUG mime_level1: text = [scan <= 1048576 > pass]
Wed May 13 18:50:36 2009 (12129): DEBUG mime_level1: audio = [pass all]
Wed May 13 18:50:36 2009 (12129): DEBUG mime_level1: video = [pass all]
Wed May 13 18:50:36 2009 (12129): DEBUG mime_level2: application/x-mms-framed = [pass all]
Wed May 13 18:50:36 2009 (12129): DEBUG init: drweb-icapd starting
Wed May 13 18:50:36 2009 (12130): DEBUG TRY connect to host=/var/drweb/run/.daemon serv= type=local
Wed May 13 18:50:36 2009 (12130): DEBUG Connection ok
Wed May 13 18:50:36 2009 (12130): DEBUG drw_get_virus_num: loaded virus base /var/drweb/bases/drwtoday.vdb with 63 viruses
r/drweb/bases/drwnasty.vdb with 13534 viruses
Wed May 13 18:50:36 2009 (12130): INFO Start Dr.Web ® icapd ver 4.44.1 2008-1-15 Build:0
Wed May 13 18:50:56 2009 (12146): DEBUG Start child process
Wed May 13 18:50:56 2009 (12146): DEBUG icap header - 'RESPMOD icap://localhost:1344/respmod ICAP/1.0

Wed May 13 18:50:56 2009 (12146): DEBUG icap header - Host: localhost:1344
Wed May 13 18:50:56 2009 (12146): DEBUG icap header - Date: Wed, 13 May 2009 12:50:56 GMT
Wed May 13 18:50:56 2009 (12146): DEBUG icap header - Encapsulated: req-hdr=0, res-hdr=549, res-body=897
Wed May 13 18:50:56 2009 (12146): DEBUG icap header - Preview: 0
Wed May 13 18:50:56 2009 (12146): DEBUG icap header - Allow: 204
Wed May 13 18:50:56 2009 (12146): DEBUG icap header - X-Client-IP: 192.168.1.7
Wed May 13 18:50:56 2009 (12146): DEBUG Gotta handle request, respcode: 1; (preview=0)
Wed May 13 18:50:56 2009 (12146): DEBUG icap_handle: enchain non empty
Wed May 13 18:50:56 2009 (12146): DEBUG icap_dump_entities: getting request header; hpool=549
Wed May 13 18:50:56 2009 (12146): DEBUG icap_dump_entities: request header:


**[GET http://www.eicar.org/download/eicarcom2.zip HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.eicar.org/anti_virus_test_file.htm
Accept-Language: ru
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)
Proxy-Connection: Keep-Alive
Host: www.eicar.org
Wed May 13 18:50:56 2009 (12146): DEBUG icap_dump_entities: getting response header; hpool=348
Wed May 13 18:50:56 2009 (12146): DEBUG
icap_dump_entities: response header:
**[HTTP/1.1 200 OK
Date: Wed, 13 May 2009 12:53:36 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.4.8-0.dotdeb.0 with Suhosin-Patch mod_ssl/2.0.54 OpenSSL/0.9.7e mod_perl/1.999.21 Perl/v5.8.4
Last-Modified: Fri, 04 Jul 2008 10:38:17 GMT
ETag: "c0078e1-134-52d7d840"
Accept-Ranges: bytes
Content-Length: 308
Content-Type: application/zip
Wed May 13 18:50:56 2009 (12146): DEBUG icap_dump_entities: getting body (3)
Wed May 13 18:50:56 2009 (12146): DEBUG chunk header - '0
'
Wed May 13 18:50:56 2009 (12146): DEBUG got '0
'Wed May 13 18:50:56 2009 (12146): DEBUG skip line - '
'Wed May 13 18:50:56 2009 (12146): DEBUG http_read_chunk: final chunk, finalizing entity; recieved=0 <<<
Wed May 13 18:50:56 2009 (12146): DEBUG icap_dump_entities: finished entity
Wed May 13 18:50:56 2009 (12146): DEBUG url:[http://www.eicar.org/download/eicarcom2.zip], content-type: application/zip, size=308, rule: application = [scan <= 1048576 > pass] -> continue checking
Wed May 13 18:50:56 2009 (12146): DEBUG icap_dump_entities: send that we want continue
Wed May 13 18:50:56 2009 (12146): DEBUG chunk header - '134
'Wed May 13 18:50:56 2009 (12146): DEBUG chunk header - '
Wed May 13 18:50:56 2009 (12146): DEBUG chunk header - '0
Wed May 13 18:50:56 2009 (12146): DEBUG http_read_chunk: final chunk, finalizing entity; recieved=308 <<<
Wed May 13 18:50:56 2009 (12146): DEBUG icap_dump_entities: finished entity
Wed May 13 18:50:56 2009 (12146): DEBUG icap_dump_entities: not start preview mode preview_size=-1
Wed May 13 18:50:56 2009 (12146): DEBUG go out from icap_dump_entities with res=4000
Wed May 13 18:50:56 2009 (12146): DEBUG icap_hold_entities: next entity offset == 0; ennode->type=req-hdr
Wed May 13 18:50:56 2009 (12146): DEBUG icap_hold_entities: next entity offset == 0; ennode->type=res-hdr
Wed May 13 18:50:56 2009 (12146): DEBUG TRY connect to host=/var/drweb/run/.daemon serv= type=local
Wed May 13 18:50:56 2009 (12146): DEBUG Connection ok
Wed May 13 18:50:56 2009 (12146): DEBUG drw_scan_file: url to be scanned (send only path) - http://www.eicar.org/download/eicarcom2.zip
Wed May 13 18:50:56 2009 (12146): DEBUG drw_scan_file: response code - 0x20
Wed May 13 18:50:56 2009 (12146): WARN url:[http://www.eicar.org/download/eicarcom2.zip], client_ip:[192.168.1.7], code=0x20, size=1k, viruses:[EICAR Test File (NOT a Virus!)]
Wed May 13 18:50:56 2009 (12146): DEBUG drw_scan_file: log >>> [11513] /var/drweb/cache/res-body12146-QIx4yI - archive ZIP
Wed May 13 18:50:56 2009 (12146): DEBUG drw_scan_file: log >>> [11513] >/var/drweb/cache/res-body12146-QIx4yI/eicar_com.zip - archive ZIP
Wed May 13 18:50:56 2009 (12146): DEBUG drw_scan_file: log >>> [11513] >>/var/drweb/cache/res-body12146-QIx4yI/eicar_com.zip/eicar.com infected with EICAR Test File (NOT a Virus!)
Wed May 13 18:50:56 2009 (12146): DEBUG TRY connect to host=/var/drweb/run/.daemon serv= type=local
Wed May 13 18:50:56 2009 (12146): DEBUG Connection ok
Wed May 13 18:50:56 2009 (12146): DEBUG drw_get_info:
Dr.Web ® daemon for Linux v4.44.1 (4.44.1.0811070)
Copyright © Igor Daniloff, 1992-2008
Engine version: 4.44.0.9170 <API:2.2>
Wed May 13 18:50:56 2009 (12146): DEBUG Find macros $URL$Wed May 13 18:50:56 2009 (12146): DEBUG Find macros $DAEMON_REPORT$Wed May 13 18:50:56 2009 (12146): DEBUG parse_template: 3 strings in report
Wed May 13 18:50:56 2009 (12146): DEBUG [11513] /var/drweb/cache/res-body12146-QIx4yI - archive ZIP
Wed May 13 18:50:56 2009 (12146): DEBUG [11513] >/var/drweb/cache/res-body12146-QIx4yI/eicar_com.zip - archive ZIP
Wed May 13 18:50:56 2009 (12146): DEBUG [11513] >>/var/drweb/cache/res-body12146-QIx4yI/eicar_com.zip/eicar.com infected with EICAR Test File (NOT a Virus!)
Wed May 13 18:50:56 2009 (12146): WARN file have virus and can not be cured: report
Wed May 13 18:50:56 2009 (12146): DEBUG icap_hold_entities: next entity offset == 114; ennode->type=res-body
Wed May 13 18:50:56 2009 (12146): DEBUG For str [[11513] >>/var/drweb/cache/res-body12146-QIx4yI/eicar_com.zip/eicar.com infected with EICAR Test File (NOT a Virus!)
]: file [/var/drweb/cache/res-body12146-QIx4yI/eicar_com.zip/eicar.com] code=66 opt=[EICAR Test File (NOT a Virus!)]
Wed May 13 18:50:56 2009 (12146): DEBUG icap_handle: send header>>>
[ICAP/1.0 200 OK
Encapsulated: res-hdr=0, res-body=114
X-Virus-ID: EICAR Test File (NOT a Virus!)
X-Infection-Found: Type=0; Resolution=0; Threat=EICAR Test File (NOT a Virus!);
X-Violations-Found: 1
eicarcom2.zip/eicar_com.zip/eicar.com
EICAR Test File (NOT a Virus!)
20
0
X-Response-Info: Report
ISTAG: "drweb-icapd4.44=406627"
Wed May 13 18:50:56 2009 (12146): DEBUG icap_send_entities: sending res-hdr
Wed May 13 18:50:56 2009 (12146): DEBUG icap_send_entities: dump header (size = 114):
[HTTP/1.1 200 OK
Via: Dr.Web ® icapd
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 1230
Wed May 13 18:50:56 2009 (12146): DEBUG icap_send_entities: sending res-body (size=1230; fd=7)
Wed May 13 18:50:56 2009 (12146): DEBUG http_write_chunk: success take 1490 memory!
Wed May 13 18:50:56 2009 (12146): DEBUG http_write_chunk: got 1230 bytes from file
Wed May 13 18:50:56 2009 (12146): DEBUG http_write_chunk: send next chunk; send=1490
Wed May 13 18:50:56 2009 (12146): DEBUG icap_send_entities: send chunk chain by size = 1230 >>>>>>>>>>>>
Wed May 13 18:50:56 2009 (12146): DEBUG Request handled
Wed May 13 18:50:56 2009 (12146): DEBUG Going for infinitely waiting for 7 (7/4) descriptor...Wed May 13 18:51:12 2009 (12130): INFO Dr.Web ® icapd shutdown
Wed May 13 18:51:12 2009 (12146): DEBUG parent close his descriptor (4) -> shutdown
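
The RESPMOD exchange visible in the log above (Squid's Encapsulated offsets and chunked res-body, and the daemon's X-Virus-ID / X-Infection-Found / X-Violations-Found reply) can be reproduced without Squid, which separates "the daemon does not detect it" from "Squid never sent it", the distinction Anton draws in #18. The following Python client is an added example, not Dr.Web or Squid code; the host, port, client IP and the sample replies are constructed from the headers shown in the log.

```python
import socket
from urllib.parse import urlparse

# Added example (not drweb-icapd or Squid code): a minimal ICAP RESPMOD client
# that sends what Squid sends, per the log above, and reads the daemon's verdict.

def build_respmod(url, body, content_type, host="localhost", port=1344,
                  client_ip="192.168.1.7"):
    """Wrap an HTTP request/response pair in one ICAP RESPMOD request.
    Encapsulated offsets count from the byte after the ICAP headers, as in
    Squid's 'req-hdr=0, res-hdr=549, res-body=897'; client_ip is constructed."""
    req_hdr = (f"GET {url} HTTP/1.1\r\n"
               f"Host: {urlparse(url).hostname}\r\n\r\n").encode()
    res_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    # res-body travels HTTP-chunked: one data chunk, then the zero chunk.
    res_body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap_hdr = (f"RESPMOD icap://{host}:{port}/respmod ICAP/1.0\r\n"
                f"Host: {host}:{port}\r\nAllow: 204\r\n"
                f"X-Client-IP: {client_ip}\r\n"
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + res_body

def parse_icap_head(raw):
    """Return (start_line, lower-cased headers, offset after the headers).
    A line without a colon continues the previous header: drweb-icapd sends
    the X-Violations-Found tuple (file, threat, resolution, disposition) that way."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers, last = {}, None
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon and " " not in name.strip():
            last = name.strip().lower()
            headers[last] = value.strip()
        elif last is not None:
            headers[last] += "\n" + line.strip()
    return lines[0], headers, len(head) + len(sep)

def verdict(raw):
    """('clean', None), ('blocked', threat) or ('error', status) for a reply."""
    start, h, _ = parse_icap_head(raw)
    status = int(start.split()[1])
    if status == 204:                      # 204 No Content: unmodified, clean
        return "clean", None
    if status != 200:
        return "error", status
    threat = h.get("x-virus-id")
    if threat is None:                     # fall back to X-Infection-Found
        for part in h.get("x-infection-found", "").split(";"):
            if part.strip().startswith("Threat="):
                threat = part.strip()[len("Threat="):]
    return ("blocked", threat) if threat else ("clean", None)

def scan_via_icap(url, body, content_type, host="localhost", port=1344):
    """Send one RESPMOD to a running drweb-icapd and return verdict()."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(build_respmod(url, body, content_type, host, port))
        raw = b""
        while b"\r\n\r\n" not in raw:       # headers are all verdict() needs
            chunk = sock.recv(65536)
            if not chunk:
                break
            raw += chunk
    return verdict(raw)

# Constructed sample replies, modelled on the ICAP headers in the log above.
SAMPLE_BLOCKED = (
    b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=114\r\n"
    b"X-Virus-ID: EICAR Test File (NOT a Virus!)\r\n"
    b"X-Infection-Found: Type=0; Resolution=0; "
    b"Threat=EICAR Test File (NOT a Virus!);\r\n"
    b"X-Violations-Found: 1\r\neicarcom2.zip/eicar_com.zip/eicar.com\r\n"
    b"EICAR Test File (NOT a Virus!)\r\n20\r\n0\r\n"
    b"X-Response-Info: Report\r\nISTAG: \"drweb-icapd4.44=406627\"\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nVia: Dr.Web icapd\r\n\r\n"
)
SAMPLE_CLEAN = b"ICAP/1.0 204 No Content\r\nISTAG: \"drweb-icapd4.44=406627\"\r\n\r\n"
```

Pointing scan_via_icap() at the daemon with the body of a downloaded test file gives the verdict the daemon itself produces; if that says "blocked" while the browser still receives the file, the object is reaching the client without passing through the respmod service (a Squid cache hit or an icap_access mismatch), not a scanner miss.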

#20 iplir

    Newbie

  • Posters
  • 13 posts

Posted 13 May 2009 - 15:59

First I tried the zip, it found it there; then the txt, it let it through and showed me the contents.

