baekalfen / icap-avscan Goto Github PK

Can we use java.nio.channels.SocketChannel, java.net.InetSocketAddress instead of java.net.Socket and import java.net.InetAddress for ICAP connection , so that we can make non-blocking IO connection and calls to send file to ICAP server for virus scanning.

Do you suggest any examples on how to make this work with java.nio.channels.SocketChannel and respective java.nio like java.nio.ByteBuffer rather than using java.io.DataOutputStream, BufferedReader and InputStreamReader etc., ?

In code of

But method InputStream.read() may not read full buffer. This method returns the total number of bytes read into the buffer, and this value should be used in next lines. For send string and as parameter for sendBytes() call.
In current state this method is sending additional bytes from buffer which were not filled by read() call.

Hi,
I am sorry to post this question as an issue but, because here are the experts on this subject I thought I might get a good answer to my question.
I am trying to test my service that uses this code. I am able to send a EICAR test file through the service but ICAP Server is not considering it as "virus". The scan file method is always returning true(meaning the file is good). I am just trying to prove that my code can detect the virus file. Any input on testing this is appreciated. Thanks in Advance!

I was testing this code using Sophos. I keep on getting 202 for EICAR test files as well. How do I know if there is a virus in the file or not?

hi ,
i am trying to connect the an icap server that scan files for dlp but not for AV scan.
its seems like everything is ok , the response look like ok .
but still we think that is not scan the file for dlp because the file should be bloke.
i want to know if the C# example here supporting an dlp Request ?
here is my Request:
byte[] requestBuffer = Encoding.ASCII.GetBytes(
"REQMOD icap://" + serverIP + "/" + icapService + " ICAP/" + VERSION + "\r\n"
+ "Host: " + serverIP + "\r\n"
+ "User-Agent: " + USERAGENT + "\r\n"
+ "Allow: 204\r\n"
+ "Preview: " + previewSize + "\r\n"
+ "Encapsulated: res-hdr=0, res-body=" + resBody.Length + "\r\n"
+ "\r\n"
+ resBody
+ previewSize.ToString("X") + "\r\n");
thanks for any help

I'm trying this library with Symantec Cloud services and for files that are clean, it's working fine. But for files that are infected, getting the following exception:

Could not scan file <filename>: Unrecognized or no status code in response header.

While digging deep, I found that if a file is infected Symantec will be returning 201 status code with the scan results.

For example, here's a sample response:

ICAP/1.0 201 Created
ISTag: "2E2FFEB048A3C546849453DD9DD868C2"
Date: Wed Aug 28 12:33:38 2019 GMT
Service: Symantec Protection Engine/8.0.0.48
Service-ID: Respmod AV Scan
X-Infection-Found: Type=0; Resolution=1; Threat=Trojan.Gen.2;
X-Violations-Found: 1
	7bed9479-e7c0-42b4-a3be-279cd0ece0f2-M-Mail1549367154632-ed057ecd-0d9f-4f08-85b2-f3454e58ed07-0.eml/Information.doc
	Trojan.Gen.2
	41129
	2
X-Outer-Container-Is-Mime: 1
Encapsulated: res-hdr=0, res-body=114

And it looks like we're missing some implementations here? (since it seems to be a standard as per https://onlinehelp.opswat.com/corev3/2._ICAP_response_headers.html). Not demanding, just want to know your viewpoint on this.

I have c-icap installed and Try to scan a file using ICAP-avscan. I get the following error.

The below stack trace uses exactly your same class file ICAP, though only the package name is changed. Even VirusScanTest is exactly same as your file Test File.

java.net.SocketException: Broken pipe
at java.net.SocketOutputStream.socketWrite0(Native Method)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:109)
at java.net.SocketOutputStream.write(SocketOutputStream.java:132)
at java.io.DataOutputStream.write(DataOutputStream.java:88)
at com.is.ICAP.sendBytes(ICAP.java:339)
at com.is.ICAP.scanFile(ICAP.java:156)
at com.is.VirusScanTest.main(VirusScanTest.java:18)

Please let me know if I am doing anything wrong.

Hi,

When trying to implement with a McAfee server, I am recieving error code 418 which I believe means my request is missing a required request header.
I read the issue raised by sc06 and followed their advice (#8 (comment)) modifying the request as follows:

ESPMOD icap://<I.P.>/RESPMOD ICAP/1.0
Host: <I.P.>
X-Client-Abandon-Supported: 1
Preview: 30
X-Scan-Progress-Interval: 10
Allow: 204
Encapsulated: res-hdr=0, res-body=26

Content-Length: 572939

1e

I dont understand how sc06 created a request header.
Is the following from their comment the request header?:

"GET /C:\TestFiles\test1.txt HTTP/1.1
Host: icap.health.check"

Why would that need to be sent? Do I need to make the file available on that host?
Please forgive my lack of knowledge around the protocol.

Thanks very much for your help.

Charlie.

Hi All,

This is more of a question rather than an issue. We have a use case where we are calling the ICAP Server from a Java Microservice. We are referring the Java Client code sample provided at https://github.com/Baekalfen/ICAP-avscan/tree/master/Java/ICAP/src/icap_samplecode

We observed that the getOptions call is taking a lot of time (around 10 secs minimum) and the actual scanFile Http call just takes milliseconds. Given we are not firing our requests from a browser and CORS is not in picture, can we skip the getOptions call?

I run the ICAPTester on my server but it thrrows an exception
Unhandled Exception: ICAPNameSpace.ICAP+ICAPException: Error in getHeader() method
at ICAPNameSpace.ICAP.getHeader(String terminator) in C:\Users\Dario\Desktop\ICAP-avscan-master\C-Sharp\ICAP\ICAP.cs:line 271
at ICAPNameSpace.ICAP.getOptions() in C:\Users\Dario\Desktop\ICAP-avscan-master\C-Sharp\ICAP\ICAP.cs:line 234
at ICAPNameSpace.ICAP..ctor(String serverIP, Int32 port, String icapService, Int32 previewSize) in C:\Users\Dario\Desktop\ICAP-avscan-master\C-Sharp\ICAP\ICAP.cs:line 68
at ConsoleApplication1.Program.Main(String[] args) in C:\Users\Dario\Desktop\ICAP-avscan-master\C-Sharp\ICAPTester\Program.cs:line 17

while((offset < STD_RECIEVE_LENGTH) && ((n = in.read(buffer, offset, 1)) != -1)) { // first part is to secure against DOS
			offset += n;
			//log.info("inside while");
			if (offset>endofheader.length+13){ // 13 is the smallest possible message "ICAP/1.0 XXX "
				//log.info("offset  "+offset);
				byte[] lastBytes = Arrays.copyOfRange(buffer, offset-endofheader.length, offset);
				log.info("lastBytes"+lastBytes.length);
				if (Arrays.equals(endofheader,lastBytes)){
					return new String(buffer,0,offset, StandardCharsetsUTF8);
				}
			}
		}
		throw new ICAPException("Error in getHeader() method");

if condition not stisfied
here i am getting last byte length 5 and it comes to exception block

i don´t speak english

Hi, first thanks for share it
but i can´t run this, i send a simple text but doesn´t occur until the icap 408 error.

i attach wireshark captures.

Thanks !
Regars ;)

Does this detect virus in macros and scripts in MS documents?

I am using the code as a rest web service and trying to upload the file as multipart .I have converted the file to an input stream and sent it to the scanfile method but when the debugger reaches to getHeader method I get in.read method result -1 and it throws ICAPException...any help will be appreciated.
Let me know if you need more details

There is a poor performance for upload (for Java version).
You write data (in sendString) directly into Socket's output stream without bufferization. It's a bad practice.
I've tested it on current implementation (without bufferization) a file (2Mb) had been uploaded in 1min, with bufferization it took 3sec.

I am using this ICAP client to scan the uploaded files. I receive the options as below--
ICAP/1.0 200 OK
Methods: REQMOD, RESPMOD
Options-TTL: ****
Encapsulated: null-body=0
Max-Connections: ***
Preview: 30
Service: McAfee Web Gateway 7.7.2 build 25114
ISTag: "00000000-00000000-00000000"
Allow: 204

Then when I try to send a file... I get 418 status code in response. the below is the request..
RESPMOD icap://.../RESPMOD ICAP/1.0
Host: ...**
User-Agent: IT-Kartellet ICAP Client/1.1
Allow: 204
Preview: 30
Encapsulated: res-hdr=0, res-body=22

Content-Length: 52

1e

Could you please give me some pointers.. Appreciate you help! Thanks

Hello,
i have one question, why you in Java Client return false on return code 200 in the Line 176. The Snippets:
switch (status){
case 100: break; //Continue transfer
case 200: return false;
case 204: return true;
case 404: throw new ICAPException("404: ICAP Service not found");
default: throw new ICAPException("Server returned unknown status code:"+status);
}

Thanks a lot

I see a LICENSE file in the Java section of the source tree but nothing in the csharp section. Could you clarify that the MIT license applies to the whole repo? Thanks much.

I was just wondering what must be changed in the example code to switch to an encrypted communication between the ICAP client and the server.

Serverside has configured the port 11344 to accept encrypted messages.

What else has to be changed beside the port to establish the connection?

I will be thankful for any hint.

when run sendString(requestBuffer) code in the scanFile method,I find that the thread is blocking.But i add thread.sleep(50) ,it run normally.What caused it? the code or ICAP server?