Tutorial - ICAP Interface for Virus Scanning and Malware Detection
In this tutorial, you will:
Create a rule task to send a file to an Internet Content Adaptation Protocol server for antivirus scanning.
Verify that an infected file is reported and blocked.
Access the scanning details of the file.
Overview
The Internet Content Adaptation Protocol (ICAP) is a lightweight HTTP-like protocol specified in RFC 3507. ICAP is generally used to implement virus scanning and content filters in transparent HTTP proxy caches.
ICAP integration is a common feature of MFT solutions: it triggers an antivirus scan before a file is sent or after a file is received. The file is forwarded to an ICAP server using the ICAP protocol; the ICAP server performs the antivirus scan and reports the result in the ICAP response message.
The ICAP integration has been tested with the c-icap server and follows the protocol standards.
Configuring UDMG to Send File to ICAP Server
ICAP Processing Task
The UDMG ICAP task exchanges data with a server that implements the RFC 3507 standard known as ICAP. It transfers the contents of a file to an ICAP service with a RESPMOD request and expects the service to validate the file by answering with status 204 (no modification needed, i.e. nothing was found).
The task can be configured for every transfer rule for which ICAP integration is required.
The table below lists the parameters accepted by the ICAP task. Please check the values relevant to your setup with the ICAP antivirus server administrator.
Parameter | Description |
---|---|
path | The actual path of the file on disk; the substitution variable #TRUEFULLPATH# is replaced by the actual location of the file being transferred. |
hostname | The hostname or IP address of the ICAP server; defaults to "localhost". |
port | The port of the ICAP server; defaults to 1344. |
serviceName | The name of the ICAP service on the endpoint; defaults to "avscan". |
| The timeout while waiting for a response from the ICAP server, in seconds; defaults to 10s. |
| The number of retries allowed after a connection failure; defaults to 1. |
| The identifier of the partner who requested the transfer. |
| Specifies the receive buffer size to use; defaults to 65536 bytes. |
| Specifies the send size to use for chunked encoding; defaults to 8192 bytes. |
| Do not raise an error if the file cannot be sent to the ICAP server because of network issues or because the server is not available; defaults to false. |
| Do not raise an error if the file is too big for scanning (bigger than maxSize); defaults to false. |
Example ICAP task definition in JSON format:
    [
      {
        "type": "ICAP",
        "args": {
          "path": "#TRUEFULLPATH#",
          "hostname": "icap-server",
          "serviceName": "avscan",
          "port": "1344"
        }
      }
    ]
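To make the RESPMOD exchange behind this task concrete, here is an added example (not part of UDMG or of this tutorial) of a minimal ICAP client in Python. It wraps the file in an encapsulated HTTP response, sends it to a service such as "avscan", and turns the reply into a verdict: status 204 means the scanner found nothing, status 200 with an X-Infection-Found header means the file was flagged, anything else is treated as a scan failure. A small in-process fake ICAP service is included so the exchange runs offline; it is a constructed stand-in for a real scanner such as c-icap and only looks for the EICAR marker string. The loopback host, the port chosen by the OS and the sample bodies are assumptions of the example.

```python
"""Minimal ICAP RESPMOD round trip (RFC 3507) against a fake scanning service.

Added example, not UDMG code. The fake service answers 204 for a clean body
and 200 with an X-Infection-Found header when the body carries the EICAR
test marker; it is not an antivirus.
"""
import socket
import socketserver
import threading

# Constructed sample inputs: the fake scanner keys on the EICAR marker substring.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
CLEAN_SAMPLE = b"quarterly-report.csv contents, nothing suspicious\n"
EICAR_SAMPLE = b"test upload containing " + EICAR_MARKER + b"\n"


def build_respmod(host, service, body, port=1344):
    """Wrap `body` in an HTTP response and encapsulate that in a RESPMOD request.

    Encapsulated gives the byte offset of each section inside the ICAP body:
    the HTTP response header starts at 0, the chunked body right after it.
    """
    http_hdr = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: application/octet-stream\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body))
    chunked_body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap_hdr = (f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
                f"Host: {host}\r\n"
                "Allow: 204\r\n"
                f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}\r\n\r\n").encode()
    return icap_hdr + http_hdr + chunked_body


def parse_icap_response(raw):
    """Return (status_code, headers) from the ICAP head; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split(None, 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def verdict(code, headers):
    """Map the ICAP reply to the decision the post-task has to make."""
    if code == 204:                                   # nothing found
        return ("clean", None)
    if code == 200 and "x-infection-found" in headers:
        return ("infected", headers["x-infection-found"])
    # 4xx/5xx, or 200 without a verdict header: a scan failure, which a cautious
    # post-task reports as an error rather than silently treating as "clean".
    return ("error", f"unexpected ICAP status {code}")


def scan(host, port, service, body, timeout=10.0):
    """Send `body` to icap://host:port/service and return the verdict tuple."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_respmod(host, service, body, port))
        raw = b""
        while b"\r\n\r\n" not in raw:                 # read at least the ICAP head
            chunk = sock.recv(65536)
            if not chunk:
                break
            raw += chunk
    if not raw:
        return ("error", "empty reply from ICAP server")
    return verdict(*parse_icap_response(raw))


class FakeAvHandler(socketserver.BaseRequestHandler):
    """Toy ICAP service (constructed): flags request bodies containing the marker."""

    def handle(self):
        data = b""
        while b"\r\n0\r\n\r\n" not in data:           # wait for the chunked terminator
            chunk = self.request.recv(65536)
            if not chunk:
                return
            data += chunk
        if EICAR_MARKER in data:
            http = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
            reply = (b"ICAP/1.0 200 OK\r\n"
                     b"ISTag: \"FAKE-AV-0001\"\r\n"
                     b"X-Infection-Found: Type=0; Resolution=2; Threat=Test.EICAR;\r\n"
                     b"X-Violations-Found: 1\r\n"
                     b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http)
                     + http + b"7\r\nblocked\r\n0\r\n\r\n")
        else:
            reply = (b"ICAP/1.0 204 No Content\r\n"
                     b"ISTag: \"FAKE-AV-0001\"\r\n"
                     b"Encapsulated: null-body=0\r\n\r\n")
        self.request.sendall(reply)


def start_fake_server():
    """Bind the toy service on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), FakeAvHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run both samples through the fake service and return the verdicts."""
    srv, port = start_fake_server()
    try:
        return {"clean": scan("127.0.0.1", port, "avscan", CLEAN_SAMPLE),
                "eicar": scan("127.0.0.1", port, "avscan", EICAR_SAMPLE)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `verdict` function deliberately treats anything other than 204 or 200-with-verdict as an error: a post-task that maps an unreachable or misbehaving scanner to "clean" would let unscanned files through, which is exactly the failure mode the "do not raise an error if the server is not available" parameter asks you to opt into explicitly.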
Step 1 | From the UDMG Admin UI navigation pane, select Rules. The Rules list displays. |
---|---|
Step 2 | Select a rule from the Rules list or create a new one. The Rule Details displays. |
Step 3 | Scroll down to the Post-Tasks box on the Rule tab. |
Step 4 | Click the Save icon. |
Step 5 | The rule is updated to include the ICAP task as part of the UDMG file transfer workflow. |
Step 6 | Proceed with attempting to transfer the EICAR Anti-Virus Test File. |
Step 7 | After the file upload, the file is sent to the ICAP antivirus server during post-task processing and the transfer stops in ERROR status. The Error Message indicates that an infection was found. If the ICAP antivirus server does not find an infection, the transfer is considered complete with a successful status. |
Step 8 | The infection error details can be forwarded to UAC as a universal event. See the Universal Event Integration documentation for the list of corrective actions that can be triggered by the Controller. |
Step 9 | The scanning details from the interrogation of the ICAP antivirus server are kept as transfer metadata with the "udmg_icap" prefix. In particular, the X-headers show the type of infection as reported by the server. The scanning details can be displayed with the command line interface, using the 'transfer get' command as shown in the output below, or on the Info tab of the transfer details in the UDMG Admin UI. The transfer log also shows an error with the infection detection. |

    $ udmg-client transfer get 56
    ● Transfer 56 (receive as server) [ERROR]
        Remote ID:         1765696868924260352
        Protocol:          sftp
        Rule:              stonebranch-sftp-01_receive
        Requester:         user
        Requested:         stonebranch-sftp-01
        Local filepath:    /home/udmg/udmg-server/data/data/sftp-01/in/eicar-com.zip
        Remote filepath:   eicar-com.zip
        File size:         184
        Start date:        2024-03-07T11:11:53.265317Z
        End date:          N/A
        Step:              StepPostTasks
        Bytes transferred: 184
        Error code:        TeExternalOperation
        Error message:     Post-tasks failed: [1/1] Task ICAP @ stonebranch-sftp-01_receive POST[0]: error file infected detected
        Transfer info:
          - udmg_file_computed_extension: .zip
          - udmg_file_computed_mimetype: application/zip
          - udmg_icap_Connection: keep-alive
          - udmg_icap_Encapsulated: res-hdr=0, res-body=108
          - udmg_icap_Istag: CI0001-66wOY91q7DqWWdCBj7SFEgAA
          - udmg_icap_Server: C-ICAP/0.5.3
          - udmg_icap_Status: OK
          - udmg_icap_Statuscode: 200
          - udmg_icap_X-Infection-Found: Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;
          - udmg_icap_X-Violations-Found: 1
          - udmg_session_id: 3D3D824887D503B2AA11362490F2301FEC3A64803148C2F48CC7546CD5CE32B8
          - udmg_xfer_log: /var/opt/udmg/logs/56.log
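When the verification in this step is automated, the useful check is not merely "the transfer is in ERROR" but "the ERROR came from an infection": the same TeExternalOperation error code can also result from a post-task failing for another reason, such as the ICAP server being unreachable. The following Python script is an added example, not part of UDMG or of this tutorial: it parses the 'transfer get' output above (embedded as a constructed sample string), collects the udmg_icap_* metadata, decodes the X-Infection-Found header into its Type, Resolution and Threat fields and reports whether the transfer was blocked by a detection. The field layout its regular expressions expect is taken from that sample output only, so treat them as an assumption if your CLI version prints differently.

```python
"""Decide from `udmg-client transfer get` output whether the ICAP post-task
blocked a transfer because of a detection (added example, not UDMG code)."""
import re

# Constructed sample: the CLI output shown in this tutorial, captured as text.
SAMPLE_OUTPUT = """\
● Transfer 56 (receive as server) [ERROR]
    Remote ID:         1765696868924260352
    Protocol:          sftp
    Rule:              stonebranch-sftp-01_receive
    Requester:         user
    Requested:         stonebranch-sftp-01
    Local filepath:    /home/udmg/udmg-server/data/data/sftp-01/in/eicar-com.zip
    Remote filepath:   eicar-com.zip
    File size:         184
    Start date:        2024-03-07T11:11:53.265317Z
    End date:          N/A
    Step:              StepPostTasks
    Bytes transferred: 184
    Error code:        TeExternalOperation
    Error message:     Post-tasks failed: [1/1] Task ICAP @ stonebranch-sftp-01_receive POST[0]: error file infected detected
    Transfer info:
      - udmg_file_computed_extension: .zip
      - udmg_file_computed_mimetype: application/zip
      - udmg_icap_Connection: keep-alive
      - udmg_icap_Encapsulated: res-hdr=0, res-body=108
      - udmg_icap_Istag: CI0001-66wOY91q7DqWWdCBj7SFEgAA
      - udmg_icap_Server: C-ICAP/0.5.3
      - udmg_icap_Status: OK
      - udmg_icap_Statuscode: 200
      - udmg_icap_X-Infection-Found: Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;
      - udmg_icap_X-Violations-Found: 1
      - udmg_session_id: 3D3D824887D503B2AA11362490F2301FEC3A64803148C2F48CC7546CD5CE32B8
      - udmg_xfer_log: /var/opt/udmg/logs/56.log
"""

# Layout assumptions taken from the sample above (hypothetical for other versions).
HEADER_RE = re.compile(r"Transfer (\d+) .*\[(\w+)\]")          # "Transfer 56 ... [ERROR]"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?):\s*(.*)$")  # "    Error code:   Te..."
INFO_RE = re.compile(r"^\s+-\s*([^:]+):\s*(.*)$")              # "      - udmg_icap_X: v"


def parse_transfer_get(cli_output):
    """Turn the CLI text into a dict: id, status, top-level fields and `info`."""
    record = {"info": {}}
    in_info = False
    for line in cli_output.splitlines():
        m = HEADER_RE.search(line)
        if m:
            record["id"], record["status"] = int(m.group(1)), m.group(2)
            continue
        if in_info:
            m = INFO_RE.match(line)
            if m:
                record["info"][m.group(1).strip()] = m.group(2).strip()
                continue
            in_info = False                    # first non-"- key: value" line ends the list
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Transfer info":
                in_info = True
            else:
                record[key] = value
    return record


def icap_metadata(record):
    """Return the udmg_icap_* entries with the prefix stripped, plus a decoded
    `infection` dict when X-Infection-Found is present."""
    meta = {k[len("udmg_icap_"):]: v for k, v in record["info"].items()
            if k.startswith("udmg_icap_")}
    found = meta.get("X-Infection-Found")
    if found:
        # "Type=0; Resolution=2; Threat=Win.Test.EICAR_HDB-1;" -> {"Type": "0", ...}
        meta["infection"] = dict(part.strip().split("=", 1)
                                 for part in found.split(";") if "=" in part)
    return meta


def infection_verdict(cli_output):
    """True in `blocked_by_icap` only when the ERROR is backed by a scanner verdict."""
    record = parse_transfer_get(cli_output)
    meta = icap_metadata(record)
    blocked = (record.get("status") == "ERROR"
               and record.get("Error code") == "TeExternalOperation"
               and "infection" in meta)
    return {
        "transfer": record.get("id"),
        "blocked_by_icap": blocked,
        "threat": meta.get("infection", {}).get("Threat"),
        "violations": int(meta.get("X-Violations-Found", "0")),
        "scanner": meta.get("Server"),
        "log": record["info"].get("udmg_xfer_log"),
    }


if __name__ == "__main__":
    print(infection_verdict(SAMPLE_OUTPUT))
```

The returned dict is deliberately small and flat (transfer id, threat name, violation count, scanner banner and log path), which is the shape of information a corrective action would need once the error is forwarded to the Controller; the exact universal event format is documented separately and is not reproduced here.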
Checking Connectivity to ICAP Server
A simple ICAP client tool is provided with the UDMG software package to test the connectivity and the validity of the configuration options.
    Usage of /opt/udmg/bin/icap-client:
      -filename string
            Specifies the path of the file.
      -maxSize int
            Specifies the maximum size of a file to use. (default 2048)
      -port int
            Specifies the port to use. (default 1344)
      -previewSize int
            Specifies the preview size to use .
      -retry int
            Specifies the maximum retry to send the file. (default 1)
      -secureConnection
            Use a secure connection.
      -service string
            Specifies the ICAP service name. (default "avscan")
      -timeout duration
            Specifies the time limit to use in minutes. (default 10m0s)
      -to string
            Specifies the address (via DNS or IP) of the ICAP server (default "localhost")
      -vendor string
            Specifies the ICAP service vendor. (default "c-icap")
      -version
            Show Version.
See additional details on the Utilities Reference Guide page: icap-client.