Viewing all changes in revision 642.
- Committer: chtsanti
- Date: 2012-05-04 13:45:08 UTC
- Revision ID: svn-v4:a5cfe682-fa50-0410-8a04-e816b4a88288:c-icap-server/trunk:851
Add option in configure script to enable/disable profiles in virus_scan service
Currently enabling profiles in virus_scan maybe open a security hole:
- Assume a profile which disables virus scanning for users in group A,
and does full virus scanning for other users of group B
- A user from group A downloads an infected with virus HTTP object
and this object stored in http cache
- When a user from group B accessing the same URL, the http cache serves the
infected object from cache.
The profiles can work well with caches where the after cache respmod ICAP
vectoring point is implemented. Squid does not implemente this vectoring point.
Also the profiles can be very usefull to select sites which are safe and
must not scanned (using destination based acls)
TODO:
- modify HTTP headers of the HTTP objects to disable caching on HTTP cache if
the objects are not scanned for viruses.
Currently enabling profiles in virus_scan maybe open a security hole:
- Assume a profile which disables virus scanning for users in group A,
and does full virus scanning for other users of group B
- A user from group A downloads an infected with virus HTTP object
and this object stored in http cache
- When a user from group B accessing the same URL, the http cache serves the
infected object from cache.
The profiles can work well with caches where the after cache respmod ICAP
vectoring point is implemented. Squid does not implemente this vectoring point.
Also the profiles can be very usefull to select sites which are safe and
must not scanned (using destination based acls)
TODO:
- modify HTTP headers of the HTTP objects to disable caching on HTTP cache if
the objects are not scanned for viruses.
expand all
collapse all
added
removed
