Do your users use the Cortado app to access your network drives? Do you use Cortado virtual data rooms to share files with external users? Then in this How To we’ll show you how to incorporate an ICAP server to elevate the security level of your IT environment, so that no malicious files make their way onto your file server.
Aim
The aim is to install an ICAP server, which is a sensible accompaniment to the Cortado server. The ICAP server is based on the Internet Content Adaptation Protocol (ICAP). This is a protocol for simplifying content routing for HTTP, HTTPS and FTP-based services. This How To explains the installation and configuration options.
Implementation
The ICAP server will be installed with a virus scanner and proxy on the Debian GNU/Linux operating system. Regarding hardware, you should start with 2 cores and 4 GB RAM.
Installing the ICAP server
- Connect to the Linux server on which you want to install your ICAP server.
- Install the HTTP proxy (squid3) first.
sudo apt install squid3
- Go to the Squid3 configuration file and comment out the following lines, adapting them as required, and then save the configuration again.
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_avi_req reqmod_precache icap://localhost:1344/squidclamav bypass=off
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://localhost:1344/squidclamav bypass=on
adaptation_access service_avi_resp allow all
- Now install c-icap, the actual ICAP server that will later work together with Squid3 and the virus scanner ClamAV.
sudo apt install c-icap
- Next, install a library, which will be needed to set up squidclamav.
sudo apt install libicapapi-dev
- Then install ClamAV.
sudo apt install clamav clamav-daemon
- Now install make, to compile the source of SquidClamav.
sudo apt-get install build-essential
- Now install the most recent version of SquidClamav from Sourceforge. In the following example, the current version 6.16 is used. If you use a different version, then please change the version number in the following commands:
wget https://downloads.sourceforge.net/project/squidclamav/squidclamav/6.16/squidclamav-6.16.tar.gz
tar xvfz squidclamav-6.16.tar.gz
cd squidclamav-6.16
./configure --with-c-icap=/etc/c-icap
make
sudo make install
- Next, edit two configuration files; after that, the ICAP server is ready for service.
- In /etc/c-icap/c-icap.conf, add the following in the Services section:
Service squidclamav squidclamav.so
- Then, in /etc/c-icap/squidclamav.conf, use maxsize to set the maximum size of files that are passed to the virus scanner, to avoid performance problems, or keep the default setting (Maxsize 5000000).
Configuration steps on the Cortado server
- Now connect the ICAP server with the Cortado server, so that all future uploads will first be scanned by the ICAP server, before they are allowed to be written.
- Log in to the Cortado server (Windows machine) with the CortadoService account with which the Cortado installation was carried out. Open the registry there and navigate to:
HKEY_LOCAL_MACHINE>SOFTWARE>ThinPrint>TPPSrv
Add the following keys:
Name | Type | Data |
IcapUriFilterUpload | STRING | Icap://<address of the ICAP server>:1344/squidclamav |
IcapAllow204 | REG_QWORD | 1 |
IcapPreview | REG_QWORD | 0 |
- Then restart IIS and Cortado Services. You can also use the Cortado Log Manager for this.
Function test
- Download an EICAR test virus.
- Upload the test virus into the web app.
- The file will then appear in the web app. This is a known display error. Press F5 to refresh the browser.
- The file with the test virus will not have been uploaded to the server.
- You should find a corresponding entry on the ICAP server under /var/log/c-icap/server.log. Example:
Thu Sep 20 13:17:40 2018, 28936/3040893760, squidclamav.c(685) squidclamav_end_of_data_handler: Thu Sep 20 13:17:40 2018, 28936/3040893760, DEBUG Virus found, sending redirection header
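To test the ICAP service directly, without going through the web app, a small client can send a file to port 1344 and read the verdict from the ICAP status line. The following is an added example, not part of Cortado or SquidClamav. It assumes the squidclamav service accepts REQMOD requests as configured above; upload.example, upload.bin and the two sample responses are constructed placeholders.

```python
import socket

def build_reqmod(host, payload, port=1344, service="squidclamav"):
    """Wrap an HTTP PUT of `payload` in an ICAP REQMOD request (RFC 3507)."""
    http_hdr = ("PUT /upload.bin HTTP/1.1\r\n"       # hypothetical upload request
                "Host: upload.example\r\n"
                f"Content-Length: {len(payload)}\r\n\r\n").encode()
    icap_hdr = (f"REQMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                "Allow: 204\r\n"                     # same idea as IcapAllow204 = 1
                # no Preview header is sent, as with IcapPreview = 0
                f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n\r\n").encode()
    # The encapsulated body is always chunked; a zero-length chunk ends it.
    chunk = b"%x\r\n%s\r\n" % (len(payload), payload) if payload else b""
    return icap_hdr + http_hdr + chunk + b"0\r\n\r\n"

def parse_icap_response(raw):
    """Return (status code, lower-cased header dict) of the ICAP response head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    proto, code, *_ = lines[0].split(" ", 2)
    if not proto.startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers

def verdict(raw):
    """204 = message left untouched; 200 = the service replaced it."""
    code, _ = parse_icap_response(raw)
    return {204: "unmodified", 200: "modified"}.get(code, "error")

def scan(host, payload, port=1344, timeout=10):
    """Send `payload` to the ICAP server and classify the answer."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_reqmod(host, payload, port))
        while b"\r\n\r\n" not in buf:               # the ICAP head is enough
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    return verdict(buf)

# Constructed sample responses, not captured from a real server.
SAMPLE_CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "constructed"\r\n\r\n'
SAMPLE_BLOCKED = (b'ICAP/1.0 200 OK\r\nISTag: "constructed"\r\n'
                  b"Encapsulated: res-hdr=0, null-body=68\r\n\r\n"
                  b"HTTP/1.1 307 Temporary Redirect\r\nLocation: http://block.example/\r\n\r\n")
```

Calling scan("<address of the ICAP server>", data) with the contents of the EICAR test file is expected to return "modified", while a harmless file should return "unmodified".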