
ICAP-Mode doesn't work with ESET Server Security for Linux

Open Bastix1686 opened this issue 1 year ago • 2 comments

ICAP Virusscan against ESET Server Security for Linux works with "c-icap-client":

# /usr/local/c-icap/bin/c-icap-client -i 172.16.17.51 -s scan -f eicarcom2.zip -v
ICAP server:172.16.17.51, ip:172.16.17.51, port:1344


ICAP HEADERS:
	ICAP/1.0 200 OK
	ISTag: "970d18076ed48d79-1701775538"
	Encapsulated: res-hdr=0, res-body=70
	X-Infection-Found: Type=0; Resolution=0; Threat=Eicar;
	X-Virus-ID: Testdatei
	X-Response-Info: Blocked
	X-Response-Description: Gelöscht

RESPMOD HEADERS:
	HTTP/1.1 403 Forbidden
	Content-Type: text/html
	Content-Length: 0

Same Configuration in Antivirus for Files shows "Invalid response from ICAP server"


Bastix1686 avatar Dec 05 '23 13:12 Bastix1686

In NC 28.0.3 ESET Server Security is still not working as ICAP Server. Is there any update to this bug? Could I help with some additional information?

64738648732 avatar Mar 19 '24 12:03 64738648732

Have a check here, I think that this will answer your question: https://forum.eset.com/topic/31081-icap-server-problems/ https://help.eset.com/efs/8.1/en-US/remote-scanning.html

In essence, the answer you're getting is a "Product Management" commercial choice NOT to allow what you want according to my readings.

obuno avatar Apr 06 '24 13:04 obuno

5.5.1 tweaked the ICAP client behavior a bit, can you test if this is still an issue with that version of the app?

icewind1991 avatar May 21 '24 13:05 icewind1991

Tested with ESET 10.3.3.0:

occ files_antivirus:test --debug
Scanning regular text:
ICAP Request headers:
RESPMOD icap://127.0.0.1/avscan ICAP/1.0
Allow: 204
Host: 127.0.0.1
User-Agent: NC-ICAP-CLIENT/0.5.0
Connection: close
Encapsulated: req-hdr=0, res-hdr=42, res-body=80

GET /foo.txt HTTP/1.0
Host: nextcloud

HTTP/1.0 200 OK
Content-Length: 1

ICAP Response:
ICAP/1.0 204 No modification
Encapsulated: null-body=0
ISTag: "b9eb4f031598bb0b-1716440776"

✓
Scanning EICAR test file:
ICAP Request headers:
RESPMOD icap://127.0.0.1/avscan ICAP/1.0
Allow: 204
Host: 127.0.0.1
User-Agent: NC-ICAP-CLIENT/0.5.0
Connection: close
Encapsulated: req-hdr=0, res-hdr=55, res-body=93

GET /test-virus-eicar.txt HTTP/1.0
Host: nextcloud

HTTP/1.0 200 OK
Content-Length: 1

ICAP Response:
ICAP/1.0 200 OK
ISTag: "b9eb4f031598bb0b-1716440776"
Encapsulated: res-hdr=0, res-body=70
X-Infection-Found: Type=0; Resolution=0; Threat=Eicar;
X-Virus-ID: Testdatei
X-Response-Info: Blocked
X-Response-Description: Durch Löschen gesäubert

HTTP/1.1 403 Forbidden
Content-Type: text/html
Content-Length: 0

0

❌ file not detected

michag86 avatar May 23 '24 13:05 michag86

Can you see if https://github.com/nextcloud/files_antivirus/pull/336 solves the issue for you?

icewind1991 avatar May 23 '24 14:05 icewind1991

Can you see if #336 solves the issue for you?

I've tested it with version 5.5.2.

I will test this tomorrow.

michag86 avatar May 23 '24 16:05 michag86

The changes from #336 seem to work:

# time occ files_antivirus:test | ts '[%Y-%m-%d %H:%M:%S]'
[2024-05-24 06:15:32] Scanning regular text: ✓
[2024-05-24 06:15:32] Scanning EICAR test file: ✓
[2024-05-24 06:15:32] Scanning modified EICAR test file: ✓

real    0m0,588s
user    0m0,046s
sys     0m0,011s

But I noticed that the debug output is very slow:

# time occ files_antivirus:test --debug | ts '[%Y-%m-%d %H:%M:%S]'
[2024-05-24 06:15:47] Scanning regular text:
[2024-05-24 06:15:47] ICAP Request headers:
[2024-05-24 06:15:47] RESPMOD icap://127.0.0.1/avscan ICAP/1.0
[2024-05-24 06:15:47] Allow: 204
[2024-05-24 06:15:47] Host: 127.0.0.1
[2024-05-24 06:15:47] User-Agent: NC-ICAP-CLIENT/0.5.0
[2024-05-24 06:15:47] Connection: close
[2024-05-24 06:15:47] Encapsulated: req-hdr=0, res-hdr=42, res-body=80
[2024-05-24 06:15:47]
[2024-05-24 06:15:47] GET /foo.txt HTTP/1.0
[2024-05-24 06:15:47] Host: nextcloud
[2024-05-24 06:15:47]
[2024-05-24 06:15:47] HTTP/1.0 200 OK
[2024-05-24 06:15:47] Content-Length: 1
[2024-05-24 06:15:47]
[2024-05-24 06:15:47]
[2024-05-24 06:16:47] ICAP Response:
[2024-05-24 06:16:47] ICAP/1.0 204 No modification
[2024-05-24 06:16:47] Encapsulated: null-body=0
[2024-05-24 06:16:47] ISTag: "b9eb4f031598bb0b-1716508244"
[2024-05-24 06:16:47]
[2024-05-24 06:16:47]
[2024-05-24 06:16:47] ✓
[2024-05-24 06:16:47] Scanning EICAR test file:
[2024-05-24 06:16:47] ICAP Request headers:
[2024-05-24 06:16:47] RESPMOD icap://127.0.0.1/avscan ICAP/1.0
[2024-05-24 06:16:47] Allow: 204
[2024-05-24 06:16:47] Host: 127.0.0.1
[2024-05-24 06:16:47] User-Agent: NC-ICAP-CLIENT/0.5.0
[2024-05-24 06:16:47] Connection: close
[2024-05-24 06:16:47] Encapsulated: req-hdr=0, res-hdr=55, res-body=93
[2024-05-24 06:16:47]
[2024-05-24 06:16:47] GET /test-virus-eicar.txt HTTP/1.0
[2024-05-24 06:16:47] Host: nextcloud
[2024-05-24 06:16:47]
[2024-05-24 06:16:47] HTTP/1.0 200 OK
[2024-05-24 06:16:47] Content-Length: 1
[2024-05-24 06:16:47]
[2024-05-24 06:16:47]
[2024-05-24 06:17:47] ICAP Response:
[2024-05-24 06:17:47] ICAP/1.0 200 OK
[2024-05-24 06:17:47] ISTag: "b9eb4f031598bb0b-1716508244"
[2024-05-24 06:17:47] Encapsulated: res-hdr=0, res-body=70
[2024-05-24 06:17:47] X-Infection-Found: Type=0; Resolution=0; Threat=Eicar;
[2024-05-24 06:17:47] X-Virus-ID: Testdatei
[2024-05-24 06:17:47] X-Response-Info: Blocked
[2024-05-24 06:17:47] X-Response-Description: Durch Löschen gesäubert
[2024-05-24 06:17:47]
[2024-05-24 06:17:47] HTTP/1.1 403 Forbidden
[2024-05-24 06:17:47] Content-Type: text/html
[2024-05-24 06:17:47] Content-Length: 0
[2024-05-24 06:17:47]
[2024-05-24 06:17:47] 0
[2024-05-24 06:17:47]
[2024-05-24 06:17:47]
[2024-05-24 06:17:47]
[2024-05-24 06:17:47] ✓
[2024-05-24 06:17:47] Scanning modified EICAR test file:
[2024-05-24 06:17:47] ICAP Request headers:
[2024-05-24 06:17:47] RESPMOD icap://127.0.0.1/avscan ICAP/1.0
[2024-05-24 06:17:47] Allow: 204
[2024-05-24 06:17:47] Host: 127.0.0.1
[2024-05-24 06:17:47] User-Agent: NC-ICAP-CLIENT/0.5.0
[2024-05-24 06:17:47] Connection: close
[2024-05-24 06:17:47] Encapsulated: req-hdr=0, res-hdr=64, res-body=102
[2024-05-24 06:17:47]
[2024-05-24 06:17:47] GET /test-virus-eicar-modified.txt HTTP/1.0
[2024-05-24 06:17:47] Host: nextcloud
[2024-05-24 06:17:47]
[2024-05-24 06:17:47] HTTP/1.0 200 OK
[2024-05-24 06:17:47] Content-Length: 1
[2024-05-24 06:17:47]
[2024-05-24 06:17:47]
[2024-05-24 06:18:47] ICAP Response:
[2024-05-24 06:18:47] ICAP/1.0 200 OK
[2024-05-24 06:18:47] ISTag: "b9eb4f031598bb0b-1716508244"
[2024-05-24 06:18:47] Encapsulated: res-hdr=0, res-body=70
[2024-05-24 06:18:47] X-Infection-Found: Type=0; Resolution=0; Threat=Eicar;
[2024-05-24 06:18:47] X-Virus-ID: Testdatei
[2024-05-24 06:18:47] X-Response-Info: Blocked
[2024-05-24 06:18:47] X-Response-Description: Durch Löschen gesäubert
[2024-05-24 06:18:47]
[2024-05-24 06:18:47] HTTP/1.1 403 Forbidden
[2024-05-24 06:18:47] Content-Type: text/html
[2024-05-24 06:18:47] Content-Length: 0
[2024-05-24 06:18:47]
[2024-05-24 06:18:47] 0
[2024-05-24 06:18:47]
[2024-05-24 06:18:47]
[2024-05-24 06:18:47]
[2024-05-24 06:18:47] ✓

real    3m0,724s
user    0m0,057s
sys     0m0,018s

And the message for the detection on Upload now looks like this: Fehler beim Hochladen: Der Virus Type=0; Resolution=0; Threat=Eicar; wurde in der Datei gefunden. Das Hochladen kann nicht abgeschlossen werden.

michag86 avatar May 24 '24 04:05 michag86

Here are the relevant configurations:

# occ config:list files_antivirus
{
    "apps": {
        "files_antivirus": {
            "av_host": "127.0.0.1",
            "av_icap_mode": "respmod",
            "av_icap_request_service": "scan",
            "av_icap_response_header": "X-Infection-Found",
            "av_icap_tls": "0",
            "av_infected_action": "delete",
            "av_max_file_size": "-1",
            "av_mode": "icap",
            "av_port": "1344",
            "av_scan_first_bytes": "-1",
            "av_stream_max_length": "262144400",
[...]
        }
    }
}

av_icap_request_service can be anything. This does not make any difference.

Maybe there could be a template added with the name ESET and these settings: "av_icap_mode": "respmod", "av_icap_request_service": "scan", "av_icap_response_header": "X-Infection-Found",

michag86 avatar May 24 '24 07:05 michag86

The occ files_antivirus:test looks good as written above, but I noticed that there are errors in the nextcloud.log when cron.php is running:

{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 532490 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 1056778 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 747686 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#115","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"fwrite(): Send of 5 bytes failed with errno=32 Broken pipe at /var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php#119","userAgent":"--","version":"28.0.5.2","data":{"app":"PHP"}}
{"reqId":"VfvQcoU5BarZTx4Qt0oF","level":3,"time":"2024-05-29T06:45:02+00:00","remoteAddr":"","user":"--","app":"core","method":"","url":"--","message":"Error while running background job (class: OCA\\Files_Antivirus\\BackgroundJob\\BackgroundScanner, arguments: )","userAgent":"--","version":"28.0.5.2","exception":{"Exception":"TypeError","Message":"trim(): Argument #1 ($string) must be of type string, bool given","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/files_antivirus/lib/ICAP/ResponseParser.php","line":81,"function":"trim","args":[false]},{"file":"/var/www/nextcloud/apps/files_antivirus/lib/ICAP/ResponseParser.php","line":43,"function":"parseResHdr","class":"OCA\\Files_Antivirus\\ICAP\\ResponseParser","type":"->","args":[null,"null-body=0"]},{"file":"/var/www/nextcloud/apps/files_antivirus/lib/ICAP/ICAPRequest.php","line":132,"function":"read_response","class":"OCA\\Files_Antivirus\\ICAP\\ResponseParser","type":"->","args":[null]},{"file":"/var/www/nextcloud/apps/files_antivirus/lib/Scanner/ICAP.php","line":115,"function":"finish","class":"OCA\\Files_Antivirus\\ICAP\\ICAPRequest","type":"->","args":[]},{"file":"/var/www/nextcloud/apps/files_antivirus/lib/Scanner/ICAP.php","line":138,"function":"scanBuffer","class":"OCA\\Files_Antivirus\\Scanner\\ICAP","type":"->","args":[]},{"file":"/var/www/nextcloud/apps/files_antivirus/lib/Scanner/ScannerBase.php","line":99,"function":"shutdownScanner","class":"OCA\\Files_Antivirus\\Scanner\\ICAP","type":"->","args":[]},{"file":"/var/www/nextcloud/apps/files_antivirus/lib/BackgroundJob/BackgroundScanner.php","line":282,"function":"scan","class":"OCA\\Files_Antivirus\\Scanner\\ScannerBase","type":"->","args":[["OCA\\Files_Antivirus\\Item"]]},{"file":"/var/www/nextcloud/apps/files_antivirus/lib/BackgroundJob/BackgroundScanner.php","line":144,"function":"scanOneFile","class":"OCA\\Files_Antivirus\\BackgroundJob\\BackgroundScanner","type":"->","args":[["OC\\Files\\Node\\File"]]},{"file":"/var/www/nextcloud/apps/files_anti
virus/lib/BackgroundJob/BackgroundScanner.php","line":97,"function":"processFiles","class":"OCA\\Files_Antivirus\\BackgroundJob\\BackgroundScanner","type":"->","args":[["LimitIterator"]]},{"file":"/var/www/nextcloud/apps/files_antivirus/lib/BackgroundJob/BackgroundScanner.php","line":80,"function":"scan","class":"OCA\\Files_Antivirus\\BackgroundJob\\BackgroundScanner","type":"->","args":[100]},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/Job.php","line":81,"function":"run","class":"OCA\\Files_Antivirus\\BackgroundJob\\BackgroundScanner","type":"->","args":[null]},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/TimedJob.php","line":102,"function":"start","class":"OCP\\BackgroundJob\\Job","type":"->","args":[["OC\\BackgroundJob\\JobList"]]},{"file":"/var/www/nextcloud/lib/public/BackgroundJob/TimedJob.php","line":92,"function":"start","class":"OCP\\BackgroundJob\\TimedJob","type":"->","args":[["OC\\BackgroundJob\\JobList"]]},{"file":"/var/www/nextcloud/cron.php","line":152,"function":"execute","class":"OCP\\BackgroundJob\\TimedJob","type":"->","args":[["OC\\BackgroundJob\\JobList"],["OC\\Log"]]}],"File":"/var/www/nextcloud/apps/files_antivirus/lib/ICAP/ResponseParser.php","Line":81,"message":"Error while running background job (class: OCA\\Files_Antivirus\\BackgroundJob\\BackgroundScanner, arguments: )","exception":{},"CustomMessage":"Error while running background job (class: OCA\\Files_Antivirus\\BackgroundJob\\BackgroundScanner, arguments: )"}}

michag86 avatar May 29 '24 07:05 michag86
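
Added example (not from the files_antivirus code base): a Python sketch of the check this thread revolves around, reading the ICAP status line and the header named by av_icap_response_header, and raising a clear error instead of crashing when the reply is empty, as in the background-job trace above. The sample replies are constructed from the debug output quoted in this thread; the function names and the rule that only 204 counts as clean are assumptions.

```python
import re

# Constructed replies, modelled on the debug output quoted in this thread.
CLEAN = (b'ICAP/1.0 204 No modification\r\nEncapsulated: null-body=0\r\n'
         b'ISTag: "b9eb4f031598bb0b-1716440776"\r\n\r\n')
INFECTED = (b'ICAP/1.0 200 OK\r\nISTag: "b9eb4f031598bb0b-1716440776"\r\n'
            b'Encapsulated: res-hdr=0, res-body=70\r\n'
            b'X-Infection-Found: Type=0; Resolution=0; Threat=Eicar;\r\n'
            b'X-Virus-ID: Testdatei\r\nX-Response-Info: Blocked\r\n\r\n'
            b'HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n'
            b'Content-Length: 0\r\n\r\n0\r\n\r\n')


class ICAPParseError(Exception):
    """The reply was empty, truncated or not a valid ICAP header block."""


def parse_icap_headers(raw: bytes):
    """Return (status_code, headers) with header names lower-cased."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        # Empty read (peer closed the socket mid-upload) or a cut-off reply.
        raise ICAPParseError("empty or truncated ICAP response")
    lines = head.decode("latin-1").split("\r\n")
    status = re.fullmatch(r"ICAP/1\.0 (\d{3})(?: .*)?", lines[0])
    if not status:
        raise ICAPParseError(f"bad status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ICAPParseError(f"bad header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return int(status.group(1)), headers


def verdict(raw: bytes, response_header: str = "X-Infection-Found"):
    """Return ("clean", None) or ("infected", threat); raise on anything else."""
    code, headers = parse_icap_headers(raw)
    value = headers.get(response_header.lower())
    if value is not None:
        # "Type=0; Resolution=0; Threat=Eicar;" -> {"threat": "Eicar", ...}
        fields = {k.strip().lower(): v.strip()
                  for k, _, v in (p.partition("=") for p in value.split(";"))
                  if k.strip()}
        return "infected", fields.get("threat") or value
    if code == 204:
        return "clean", None
    # Assumption: the request sent "Allow: 204", so only 204 counts as clean.
    raise ICAPParseError(f"no verdict in ICAP {code} response")


if __name__ == "__main__":
    print(verdict(CLEAN), verdict(INFECTED))
```

Extracting the Threat field gives a short name for user-facing messages rather than the raw header value, and any reply without a verdict is surfaced as an error so a failed scan is never counted as clean.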

The fix has been released with 5.5.3. I'm a bit hesitant to add a configuration prefix for it since it implies a level of support that I'm not confident implying given the minor issues described here and my lack of ability to test things myself.

icewind1991 avatar May 29 '24 14:05 icewind1991

In general, the connection between nextcloud and eset works. In our environment, we have encountered the following problem. If files are uploaded that contain a space in the file name e.g. "abc 123.txt", the upload cannot be completed. I receive an error message in nextcloud and a corresponding entry in the eset log. Screenshots are attached.

salamander555 avatar Jun 20 '24 11:06 salamander555

Great project. The eset ICAP connection works with version 5.5.6. Thanks

salamander555 avatar Jul 03 '24 17:07 salamander555