
Step 1

From the UDMG navigation pane, select Management > Rules. The Rule list displays.

Step 2

Select a rule or create a new one.

The Rule Details displays.

Step 3

Click the Post-tasks tab on the Rule detail panel.

  • Edit the form to add an ICAP task and set the parameters for the ICAP server; see the example configuration at the end of this page.

Step 4

Click Save and Confirm.

Step 5

The rule is updated to include the ICAP task as part of the UDMG file transfer workflow.

The task tab shows a green dot to indicate that a task is configured.

Step 6

Proceed with attempting to transfer the EICAR Anti-Virus Test File.

Step 7

After the file upload, the file is sent to the ICAP antivirus server during post-task processing and the transfer stops in ERROR status. The Error Message indicates that an infection was found.


If no infection was found by the ICAP antivirus server, the transfer completes with a successful status.

Step 8

The infection error details can be forwarded to UAC as a universal event, see Universal Event Integration, and further corrective actions can be triggered by the Controller.

Step 9

The scanning details from the interrogation of the ICAP antivirus server are kept as transfer metadata with the "udmg_icap" prefix. In particular, the X-headers show the type of infection as reported by the server.

They can be displayed, for example, with the command line interface using the 'transfer get' command:

$ udmg-client transfer get 56
● Transfer 56 (receive as server) [ERROR]
    Remote ID:         1765696868924260352
    Protocol:          sftp
    Rule:              stonebranch-sftp-01_receive
    Requester:         user
    Requested:         stonebranch-sftp-01
    Local filepath:    /home/udmg/udmg-server/data/data/sftp-01/in/eicar-com.zip
    Remote filepath:   /eicar-com.zip
    File size:         184
    Start date:        2024-03-07T11:53:12.265317Z
    End date:          N/A
    Step:              StepPostTasks
    Bytes transferred: 184
    Error code:        TeExternalOperation
    Error message:     Post-tasks failed: [1/1] Task ICAP @ stonebranch-sftp-01_receive POST[0]: error file infected detected
    Transfer values: info:
      - udmg_file_computed_extension: .zip
      - udmg_file_computed_mimetype: application/zip
      - udmg_icap_Connection: keep-alive
      - udmg_icap_Encapsulated: res-hdr=0, res-body=108
      - udmg_icap_Istag: CI0001-66wOY91q7DqWWdCBj7SFEgAA
      - udmg_icap_Server: C-ICAP/0.5.3
      - udmg_icap_Status: OK
      - udmg_icap_Statuscode: 200
      - udmg_icap_X-Infection-Found: Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;
      - udmg_icap_X-Violations-Found: 1
      - udmg_session_id: 3D3D824887D503B2AA11362490F2301FEC3A64803148C2F48CC7546CD5CE32B8
      - udmg_xfer_log: /var/opt/udmg/logs/56.log

Or on the Info tab of the transfer details in the UDMG Admin UI.


The transfer log also shows an error with an infection detection.

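To turn the udmg_icap metadata above into something a Controller action (Step 8) can act on, the following added example, which is not part of the UDMG product or this page's original content, parses the "Transfer values" section of the 'transfer get' output, extracts the udmg_icap_* keys and decodes the X-Infection-Found header into its Type, Resolution and Threat fields. The sample output is constructed after the listing above; the function names are the author's own.

```python
import re

# Constructed sample: the "Transfer values" section of `udmg-client transfer get`
# for a transfer stopped by the ICAP post-task (modelled on the listing above).
SAMPLE_TRANSFER_GET = """\
    Error code:        TeExternalOperation
    Transfer values: info:
      - udmg_file_computed_extension: .zip
      - udmg_icap_Server: C-ICAP/0.5.3
      - udmg_icap_Statuscode: 200
      - udmg_icap_X-Infection-Found: Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;
      - udmg_icap_X-Violations-Found: 1
      - udmg_xfer_log: /var/opt/udmg/logs/56.log
"""

# One "- key: value" line of the Transfer values section.
VALUE_RE = re.compile(r"^\s*-\s*(?P<key>[^:]+):\s*(?P<value>.*)$")

def parse_transfer_values(text):
    """Return {key: value} for every '- key: value' line in the CLI output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group("key").strip()] = m.group("value").strip()
    return values

def icap_verdict(values):
    """Build an event payload from the udmg_icap_* metadata.

    X-Infection-Found is the ICAP extension header "Type=..; Resolution=..; Threat=..;"
    as shown in the listing above. A clean scan carries neither X-Infection-Found
    nor a non-zero X-Violations-Found, so 'infected' is False for it.
    """
    prefix = "udmg_icap_"
    icap = {k[len(prefix):]: v for k, v in values.items() if k.startswith(prefix)}
    fields = {}
    for part in icap.get("X-Infection-Found", "").split(";"):
        name, sep, val = part.partition("=")
        if sep:
            fields[name.strip()] = val.strip()
    violations = icap.get("X-Violations-Found", "0").strip() or "0"
    infected = "X-Infection-Found" in icap or (violations.isdigit() and int(violations) > 0)
    return {
        "infected": infected,
        "threat": fields.get("Threat"),
        "fields": fields,                  # Type / Resolution / Threat
        "server": icap.get("Server"),
        "xfer_log": values.get("udmg_xfer_log"),
    }
```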



Example of rule post-tasks configuration for ICAP:
[
    {
        "type": "ICAP",
        "args": {
            "path": "#TRUEFULLPATH#",
            "hostname": "icap-server",
            "serviceName": "avscan",
            "port": "1344"
        }
    }
]