Tutorial - ICAP Interface for Virus Scanning and Malware Detection

Owned by
Stonebranch
Last updated: Mar 07, 2024 by
Olivier Michaut
5 min read

In this tutorial, you will:

  • Create a rule task to send a file for antivirus scanning to an ICAP server.

  • Verify that an infected file is reported and blocked.

  • Access the scanning details for the file

Overview

The Internet Content Adaptation Protocol (ICAP) is a lightweight HTTP-like protocol specified in RFC 3507. ICAP is generally used to implement virus scanning and content filters in transparent HTTP proxy caches.

ICAP integration is a common feature of MFT solutions to trigger an antivirus scan before sending a file or after receiving a file. The file can be forwarded to an ICAP server with the ICAP protocol. The ICAP server proceeds with the antivirus scan and reports back the result in the ICAP response message.


The ICAP integration has been tested with the c-icap server and follows the protocol standards.

Configuring UDMG to Send File to ICAP server


ICAP Processing Task

The UDMG ICAP task allows the exchange with a server complying with the RFC 3507 standard known as ICAP . It is used to transfer the contents of the file to an ICAP service via a RESPMOD command and to obtain validation of this file by the service (status 204 ).

The task can be configured for every transfer rule for which ICAP integration is required.

The table below shows the list of parameters that are accepted by the ICAP task. Please check for the values that are relevant to your setup with the ICAP antivirus server administrator.

Parameter

Description

path

The actual path of the file on the disk, use the substitution variable #TRUEFULLPATH# that will be replaced by the actual location of the file being transferred.

hostname

The hostname or IP address of the ICAP server, default to localhost

port

The port of the ICAP server, default to 1344

serviceName

The name of the ICAP service on the endpoint

timeout

The timeout while waiting for a response from the ICAP server, in seconds, default to 10s

retry

The number of time to retry after a connection's failure, default to 1

maxSize

The identifier of the partner who requested the transfer

receiveSize

Specifies the receive size to use, default to 65536 bytes

blockSize

Specifies the send size to use for chunk-encoding, default to 8192 bytes

ignoreNetworkError

Do not raise an error if the file cannot be sent to the ICAP server due to network issue or server not available. Default to false

ignoreTooBigFileError

Do not raise an error if the file is too big for scanning, bigger than maxSize. Default to false


Step 1

From the UDMG navigation pane, select Management > Rules. The Rule list displays.

Step 2

select a rule or create a new one.

The Rule Details displays.

Step 3

Click the Post-tasks tab on the Rule detail panel

  • Edit the form to add an ICAP task and set the parameters for the ICAP server, see below for an example.

Step 4

Click Save and Confirm.

Step 5

The rule is updated to include the ICAP task as part of the UDMG file transfer workflow.

The task tab shows a green dot to indicate that a task is configured.

Step 6

Proceed with attempting to transfer the EICAR Anti-Virus Test File.

Step 7

After the file upload, it is transferred to the ICAP antivirus server during the post-task processing and stops in ERROR status. The Error Message indicates that an infection is found.

If not infection was found by the ICAP antivirus server, then the transfer would complete with a successful status

Step 8

The infection error details can be forwarded to UAC as a universal event, see Universal Event Integration, and further corrective actions can be triggered by the Controller.

Step 9

The scanning details from the interrogation to the ICAP antivirus server are kept as transfer metadata with "udmg_icap" prefix. In particular the X-headers show the type of infection as reported by the server.

They can be displayed, for example here with the command line interface using the ‘transfer get’ command.

$ udmg-client transfer get 56
● Transfer 56 (receive as server) [ERROR]
    Remote ID:         1765696868924260352
    Protocol:          sftp
    Rule:              stonebranch-sftp-01_receive
    Requester:         user
    Requested:         stonebranch-sftp-01
    Local filepath:    /home/udmg/udmg-server/data/data/sftp-01/in/eicar-com.zip
    Remote filepath:   eicar-com.zip
    File size:         184
    Start date:        2024-03-07T11:11:53.265317Z
    End date:          N/A
    Step:              StepPostTasks
    Bytes transferred: 184
    Error code:        TeExternalOperation
    Error message:     Post-tasks failed: [1/1] Task ICAP @ stonebranch-sftp-01_receive POST[0]: error file infected detected
    Transfer info:
      - udmg_file_computed_extension: .zip
      - udmg_file_computed_mimetype: application/zip
      - udmg_icap_Connection: keep-alive
      - udmg_icap_Encapsulated: res-hdr=0, res-body=108
      - udmg_icap_Istag: CI0001-66wOY91q7DqWWdCBj7SFEgAA
      - udmg_icap_Server: C-ICAP/0.5.3
      - udmg_icap_Status: OK
      - udmg_icap_Statuscode: 200
      - udmg_icap_X-Infection-Found: Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;
      - udmg_icap_X-Violations-Found: 1
      - udmg_session_id: 3D3D824887D503B2AA11362490F2301FEC3A64803148C2F48CC7546CD5CE32B8
      - udmg_xfer_log: /var/opt/udmg/logs/56.log

Or on the Info tab of the transfer details on UDMG Admin UI.

The transfer log also shows an error with an infection detection.


Example of rule post-tasks configuration for ICAP
[
    {
        "type": "ICAP",
        "args": {
            "path": "#TRUEFULLPATH#",
            "hostname": "icap-server",
            "serviceName": "avscan",
            "port": "1344"
        }
    }
]