AV Offload

UTM AV Offload via ICAP

Offloading antivirus scanning from UTM units to an external server over the ICAP protocol, with a sample configuration for ClamAV and the c-icap server.


Pros

    AV scanning happens outside the UTM platform: higher performance
    Ability to scan with multiple AV engines
    Scan using more signatures
    High file size scan limit
    AV engine extras: cloud scan, heuristics, etc.

Cons

    Price: commercial engines are licensed per user (use ClamAV instead)
    Works with HTTP only
    Increased local network traffic (files must be sent to the ICAP server)
    Reporting from the AV server can be less detailed

Encountered Problems

    Fortinet - ESET: "Moved permanently" redirect is not followed; the page must be refreshed

    Fortinet - F-Secure: can't download large files
    Fortinet - F-Secure: weak reporting

    Fortinet - ClamAV + c-icap: weak reporting


C-icap and ClamAV Config


Install

apt-get install clamav
apt-get install c-icap
apt-get install libclamunrar6 # RAR support
freshclam # update the virus signature database


/etc/c-icap.conf


#Service url_check_module srv_url_check.so # disable the URL check module
Service antivirus srv_clamav.so # load the ClamAV service; the srv_clamav.* settings below need it

acl gw src 192.168.1.1 # allow access from your proxy / UTM only
icap_access allow gw

# The maximum object size to be scanned. Customize to your needs; see also the limits in clamd.conf (MaxScanSize, MaxFileSize)
srv_clamav.MaxObjectSize 50M
# The maximum size of a file inside an archive. Set it to 0 to disable the limit.
srv_clamav.ClamAvMaxFileSizeInArchive 100M
# The maximum archive recursion level. Set it to 0 to disable the limit.
srv_clamav.ClamAvMaxRecLevel 5
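To check that the c-icap + ClamAV setup above actually scans, here is an added Python ICAP client (not part of the original page) that wraps a test file in a RESPMOD request the way a proxy would and reads back the server's verdict. It assumes the ClamAV service is reachable as srv_clamav on the default port 1344 and that c-icap marks detections with the X-Infection-Found / X-Violations-Found headers; the EICAR string is the standard harmless AV test file.

```python
import socket

ICAP_PORT = 1344           # c-icap default port
SERVICE = "srv_clamav"     # service name of the ClamAV module (assumed)
# Standard EICAR test string: every engine must flag it, so a 204 here means nothing was scanned.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_respmod(host, body, service=SERVICE, url="http://example.invalid/test.txt"):
    """Wrap an HTTP response carrying `body` in an ICAP RESPMOD request (RFC 3507)."""
    req_hdr = f"GET {url} HTTP/1.1\r\nHost: example.invalid\r\n\r\n".encode()
    res_hdr = (f"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(body)}\r\n\r\n").encode()
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"  # body is chunked
    # Encapsulated offsets tell the server where each part starts
    icap_hdr = (f"RESPMOD icap://{host}:{ICAP_PORT}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\nAllow: 204\r\nConnection: close\r\n"
                f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + chunked


def parse_icap_reply(raw):
    """Return (status_code, headers) from the ICAP response head; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace").split("\r\n")
    code = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def verdict(raw):
    """'clean' on 204; 'infected' when the 200 reply carries c-icap's threat headers; else 'error'."""
    code, headers = parse_icap_reply(raw)
    if code == 204:
        return "clean"
    if code == 200 and ("x-infection-found" in headers or "x-violations-found" in headers):
        return "infected"
    return "error"


def scan(host, body):
    """Send `body` to the c-icap server at `host` and return its verdict."""
    with socket.create_connection((host, ICAP_PORT), timeout=10) as s:
        s.sendall(build_respmod(host, body))
        reply = b""
        while chunk := s.recv(4096):   # server closes the connection after Connection: close
            reply += chunk
    return verdict(reply)
```

`scan("<c-icap host>", EICAR)` should return "infected" and `scan("<c-icap host>", b"hello")` "clean"; a "clean" for EICAR means the request reached the service but no scanning took place.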


Ideas

    Use with an HTTP cache server to achieve high performance: scan only new files (not already in the cache). See details here
    Test your configuration here