Nimbostratus
AltostratusHi,
we use ICAP, too. And you are right, there is no way to set a dedicated blocking page for a "virus found" violation.
In my opinion, it has a good site, too. If it is a free webpage, without user authentication, and you have a dedicated response page for virus found detection, a user could test different viruses until he found one, which is going through on a easy way. If you don't have this blocking page, it is a little bit in the dark, why the request is blocked.
Too your options:
1. Here you have the problem, that any other violation raise the same blocking page. So if it is a form, where the user set an invalid parameter and an attack signature hit and you respond with a virus found blocking page, he will be confused.
2. I tried something like that in the past, but didn't get it working. I think, it isn't possible to set another response page, here. Perhaps, you could set an irule value here and check this value at HTTP_RESPONSE event. But if I understand the wiki correctly, the event HTTP_RESPONSE isn't raised by a locally generated event.
It isn't possible to get the violation data down to the web server, because it is blocked. The only way would be, to let it through (not blocking).
A possible solution could be:
remove blocking setting for virus detection
remove the file, if there is a virus detected, and set a http header or replace the file by a dummy string
programming the web page to do something, if the header or the dummy string is found --> redirect to a virus blocking page
If you found a solution, I would be happy :-)
regards