
issues with remote icap virus scanner can lead to acceptance of infected files

Open jnweiger opened this issue 1 month ago • 1 comments

Describe the bug

I've set up a remote icap virus scanner using clamav and c-icap at av.jwqa.de. The scanner receives and digests uploaded files, but there are 404 errors reported in antivirus.log while processing files (a different issue). In this situation the uploads go through, regardless of whether the scanner says infected:true or infected:false.

Steps to reproduce

  1. Set up docker clamav+c-icap at a remote instance
  2. Connect this instance with opencloud using https://docs.opencloud.eu/docs/dev/server/services/antivirus
  3. Download some test files from https://www.eicar.org/download-anti-malware-testfile/
  4. Open the web UI, upload eicar.com.txt
  5. The file gets sent to the virus scanner, gets detected correctly, but is nevertheless immediately available in the web UI. BAD.

Expected behavior

When there are errors connecting to the virus scanner, this should be prominently shown and uploads should fail.

Actual behavior

The upload passes, leading to the false impression that the file was clean. BAD

Setup

export POSTPROCESSING_LOG_LEVEL=trace # 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'
export POSTPROCESSING_LOG_FILE=$OC_LOGDIR/postprocessing.log
export POSTPROCESSING_STORE=memory # memory(default), redis-sentinel, nats-js-kv, noop
export POSTPROCESSING_STEPS=virusscan # virusscan, delay (requires antivirus service enabled)
export POSTPROCESSING_MAX_RETRIES=5
export POSTPROCESSING_RETRY_BACKOFF_DURATION=10s # needs the s!
export STORAGE_USERS_DATA_GATEWAY_URL="https://oc.jwqa.de:9200/data"

export OC_ADD_RUN_SERVICES=antivirus

export ANTIVIRUS_WORKERS=1
export ANTIVIRUS_SCANNER_TYPE=icap
export ANTIVIRUS_MAX_SCAN_SIZE=100MB
export ANTIVIRUS_INFECTED_FILE_HANDLING=abort
export ANTIVIRUS_LOG_FILE=$OC_LOGDIR/antivirus.log
export ANTIVIRUS_LOG_LEVEL=trace
export ANTIVIRUS_ICAP_SCAN_TIMEOUT=120s
export ANTIVIRUS_ICAP_URL=icap://$icap_host:$icap_port
export ANTIVIRUS_MAX_SCAN_SIZE_MODE=partial

Logs:

icap-issues.txt

jnweiger • Nov 29 '25 10:11
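
The fail-closed handling asked for under "Expected behavior" above, as an added example that is not part of the issue and is not OpenCloud's code. The `icapResult` type, the `result` helper and `errTimeout` are hypothetical; it assumes the client sends `Allow: 204`, so a clean file is answered with 204, and that the scanner reports hits in the `X-Infection-Found` or `X-Virus-ID` header.

```go
package main

import (
	"errors"
	"fmt"
	"net/textproto"
)

type Verdict string

const Clean, Infected, ScanFailed Verdict = "clean", "infected", "scan-failed"

// icapResult is a hypothetical, simplified view of one ICAP exchange.
type icapResult struct {
	Status int                  // ICAP status code; 0 if no response arrived
	Header textproto.MIMEHeader // ICAP response headers
	Err    error                // transport error or timeout
}
var errTimeout = errors.New("icap: scan timeout") // constructed sample error

// result builds a constructed sample; kv holds header name/value pairs.
func result(status int, err error, kv ...string) icapResult {
	h := textproto.MIMEHeader{}
	for i := 0; i+1 < len(kv); i += 2 {
		h.Set(kv[i], kv[i+1])
	}
	return icapResult{Status: status, Header: h, Err: err}
}

// classify fails closed: only an explicit 204 without infection headers is Clean.
// Assumption: Allow: 204 is sent, and hits are flagged via the headers checked below.
func classify(r icapResult) Verdict {
	switch {
	case r.Err != nil:
		return ScanFailed
	case r.Header.Get("X-Infection-Found") != "" || r.Header.Get("X-Virus-ID") != "":
		return Infected
	case r.Status == 204:
		return Clean
	default: // 404, 5xx, a 200 without a verdict, anything unexpected
		return ScanFailed
	}
}

// allowUpload is the single gate: anything but Clean blocks the file.
func allowUpload(r icapResult) bool { return classify(r) == Clean }

func main() {
	fmt.Println(allowUpload(result(404, nil)), allowUpload(result(0, errTimeout)), allowUpload(result(204, nil)))
}
```

With this mapping, a 404 from the ICAP service or a timeout is treated the same as an infected verdict for the purpose of releasing the upload.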

Not reproducible. Thanks to @aduffeck and @fschade for demonstrating correct behavior in the error cases. Today, the infected file was never made available. I have to revisit my setup.

jnweiger • Dec 01 '25 10:12

Closing after researching.

micbar • Dec 02 '25 16:12