Scan Using ICAP-Enabled Antivirus Assertion
The Scan Using ICAP-Enabled Antivirus assertion allows the Layer7 API Gateway to connect to an antivirus server that supports the ICAP protocol, such as McAfee® or Symantec™.

Prerequisites:
- Ensure your antivirus server is enabled for the ICAP protocol.
- For McAfee VirusScan, configure the McAfee server to add virus information to the ICAP response headers.
(1) Knowledge of RFC3507 is required to use this assertion. Consult with your ICAP vendor to receive a sample HTTP request including required message header fields. Your vendor may also have client tools available to test the request before implementing in policy.
(2) This assertion supports RESPMOD (Response Modification Mode) and REQMOD (Request Modification Mode).
(3) The HTTP request that is embedded in the ICAP request is HTTP/1.1. The embedded HTTP request includes a Host header. This Host header value will be the cluster host name. In the absence of the cluster host name, the Host header value will be the host name of the Gateway.
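The following is an added example, not Gateway code, showing what note (3) describes: an RFC 3507 RESPMOD request whose embedded HTTP/1.1 request carries a Host header taken from the cluster host name (or the Gateway host name when none is set), with the Encapsulated offsets computed from the section lengths and an optional Preview. The ICAP server name, service path, host names and origin response are constructed samples; the chunk/ieof handling follows RFC 3507 and is not taken from the assertion's implementation.

```python
"""Added example (not Layer7 Gateway code): build an RFC 3507 RESPMOD request.
All host names, the service path and the origin response are constructed samples."""
from typing import Dict, Optional


def pick_host(cluster_host: Optional[str], gateway_host: str) -> str:
    """Host header value: the cluster host name, else the Gateway host name."""
    return cluster_host or gateway_host


def embedded_http_request(host: str, resource_path: str = "/") -> bytes:
    """The HTTP/1.1 request embedded in the ICAP message. The origin resource
    path defaults to '/', matching the assertion's default."""
    return f"GET {resource_path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")


def _chunk(data: bytes) -> bytes:
    """One HTTP chunk: hex length, CRLF, data, CRLF (nothing for empty data)."""
    return (f"{len(data):x}\r\n".encode("ascii") + data + b"\r\n") if data else b""


def build_respmod_request(icap_host: str, service: str, host: str,
                          http_response: bytes, resource_path: str = "/",
                          preview: Optional[int] = None) -> bytes:
    """Wrap an origin HTTP response in a RESPMOD request. The Encapsulated
    header lists the byte offset of each section (RFC 3507 section 4.4.1);
    the response body is sent chunked, optionally only as a preview."""
    req_hdr = embedded_http_request(host, resource_path)
    head, sep, body = http_response.partition(b"\r\n\r\n")
    res_hdr = head + sep
    encapsulated = (f"req-hdr=0, res-hdr={len(req_hdr)}, "
                    f"res-body={len(req_hdr) + len(res_hdr)}")
    icap_lines = [
        f"RESPMOD icap://{icap_host}/{service} ICAP/1.0",
        f"Host: {icap_host}",
        f"Encapsulated: {encapsulated}",
    ]
    if preview is not None:
        icap_lines.append(f"Preview: {preview}")
    icap_head = ("\r\n".join(icap_lines) + "\r\n\r\n").encode("ascii")

    if preview is None:
        chunked = _chunk(body) + b"0\r\n\r\n"
    elif len(body) <= preview:
        # Whole body fits in the preview: "ieof" tells the server nothing follows.
        chunked = _chunk(body) + b"0; ieof\r\n\r\n"
    else:
        # Only the preview is sent; the remainder waits for a "100 Continue".
        chunked = _chunk(body[:preview]) + b"0\r\n\r\n"
    return icap_head + req_hdr + res_hdr + chunked


def parse_encapsulated(icap_message: bytes) -> Dict[str, int]:
    """Read the Encapsulated header back out of an ICAP message, so the
    offsets can be checked against the section lengths."""
    head = icap_message.split(b"\r\n\r\n", 1)[0].decode("ascii")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "encapsulated":
            return {k.strip(): int(v) for k, v in
                    (item.split("=") for item in value.split(","))}
    raise ValueError("no Encapsulated header")


# Constructed sample origin response; the body is 36 bytes of plain text.
SAMPLE_HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                        b"Content-Length: 36\r\n\r\n"
                        b"hello from the origin server, part 1")

if __name__ == "__main__":
    gw = pick_host(None, "gw.example.test")
    print(build_respmod_request("av.example.test", "avscan", gw,
                                SAMPLE_HTTP_RESPONSE, preview=20).decode("ascii"))
```

The check that matters when comparing against a vendor's sample request is the Encapsulated line: the res-hdr offset must equal the length of the embedded HTTP request (including its Host header and blank line), and res-body must equal req-hdr plus res-hdr lengths, or the server will misparse the message.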
Context Variables

This assertion populates the following variables with information about a detected virus. The variables are multi-valued, to accommodate multiple viruses found. The context variables are not set if no viruses are found.

| Variable | Description |
| --- | --- |
| icap.response.infected | Lists the infected part ID, content ID, filename or context variable name. |
| icap.response.header.names.X | Header names as returned by the ICAP server, where 'X' is an index that corresponds to the index of the infected part. |
| icap.response.header.values.X | Header values as returned by the ICAP server, where 'X' is an index that corresponds to the index of the infected part. |
| icap.response.header.value.X.headerName | The value of the specified header name for infected part 'X'. |
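The following added example (not Gateway code) shows how the variables in the table above relate to the raw ICAP responses: one response per scanned part, and an index that counts infected parts only, so a clean part consumes no index. The sample responses, the part IDs and the vendor header names (X-Infection-Found, X-Violations-Found, used here as stand-ins for whatever headers your server emits) are constructed, and the choice of 0-based indexing and of "204 or no infection header" as the clean condition are assumptions of this example, not statements from the page.

```python
"""Added example (not Layer7 Gateway code): map ICAP scan responses onto the
icap.response.* context-variable layout. Sample responses are constructed."""
from typing import Dict, List, Tuple

# Assumption: vendor headers whose presence marks a part as infected.
# The real names depend on your ICAP server's configuration.
INFECTION_HEADERS = ("x-infection-found", "x-violations-found")


def parse_icap_response(raw: bytes) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status code, [(name, value), ...]) from an ICAP response.
    Only the ICAP header section is read; any encapsulated body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def context_variables(prefix: str, scans: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Build the multi-valued variables for every infected part.
    `scans` pairs each scanned part ID with the ICAP response it received.
    Returns an empty dict when nothing is infected (variables are not set)."""
    variables: Dict[str, object] = {}
    infected: List[str] = []
    for part_id, raw in scans:
        status, headers = parse_icap_response(raw)
        # Assumption: 204 means "no modification needed" (clean, RFC 3507);
        # otherwise the part counts as infected only if a vendor header says so.
        if status == 204 or not any(n.lower() in INFECTION_HEADERS for n, _ in headers):
            continue
        idx = len(infected)          # 0-based index of this infected part (assumption)
        infected.append(part_id)
        variables[f"{prefix}.header.names.{idx}"] = [n for n, _ in headers]
        variables[f"{prefix}.header.values.{idx}"] = [v for _, v in headers]
        for n, v in headers:
            variables[f"{prefix}.header.value.{idx}.{n}"] = v
    if infected:
        variables[f"{prefix}.infected"] = infected
    return variables


# Constructed sample responses (header section only).
CLEAN_RESPONSE = (b"ICAP/1.0 204 No Content\r\n"
                  b"ISTag: \"sample-istag\"\r\n"
                  b"Encapsulated: null-body=0\r\n\r\n")
INFECTED_RESPONSE = (b"ICAP/1.0 200 OK\r\n"
                     b"ISTag: \"sample-istag\"\r\n"
                     b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File\r\n"
                     b"X-Violations-Found: 1\r\n"
                     b"Encapsulated: null-body=0\r\n\r\n")

if __name__ == "__main__":
    for name, value in context_variables(
            "icap.response",
            [("part-0", CLEAN_RESPONSE), ("part-1", INFECTED_RESPONSE)]).items():
        print(f"{name} = {value}")
```

With the default prefix, a policy that scans two parts of which only the second is infected reads the threat name from icap.response.header.value.0.X-Infection-Found, not index 1, because the index follows the infected-part list rather than the part list.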
Cluster Properties

This assertion uses the following cluster properties.

| Property | Description |
| --- | --- |
| icap.channelIdleTimeout | Maximum idle time for a connected channel in the connection pool to an ICAP server. Any channel exceeding this timeout is disconnected and removed from the pool. The value is a time unit; the allowable range is between 1 second and 1 hour. Sample values look like 30s, 1m or 1h. If only an integer is provided with no suffix, the value is taken as minutes. A change takes effect after a Gateway restart. Default: 1m |
| io.failoverServerRetryDelay | Used by the Failover Strategy. Controls the delay before the Gateway retries a failed server. For more information, see Input/Output Cluster Properties. |
| icap.maxResponseHeaderSize | Maximum size of a single ICAP response header. Configure this value according to the largest ICAP response header your ICAP server sends. Default: 8192 |
| icap.optionsRequestInterval | Interval after which the Gateway makes an ICAP OPTIONS call to the ICAP server to obtain the supported Preview length. Sample values look like 30s, 10m or 1h. If only an integer is provided with no suffix, the value is taken as minutes. Default: 30m |
| icap.response.maxIcapHeaderSize | Maximum number of bytes in all ICAP response headers concatenated. Default: 8192. Note: The Scan Using ICAP-Enabled Antivirus assertion throws an exception when the total size of all ICAP response headers exceeds the default maximum of 8192 bytes. Set this cluster-wide property to -1 to use the maximum integer, 2147483647. |
Assertion Properties

| Setting | What you should know... |
| --- | --- |
| Add Server / Edit Server | URL of the ICAP Server. You may reference context variables. |
| ICAP Method | Specifies whether the ICAP method is REQMOD or RESPMOD. Default: RESPMOD |
| Origin Resource Path | The origin resource path to be added in the embedded HTTP request line. Default: / |
| Connection Timeout | Connection timeout, in seconds (between 1 and 3600). You may reference context variables. |
| Read Timeout | The number of seconds the Gateway waits for the server to begin sending a response, measured from the end of the request to the start of the response. The value is in seconds (between 1 and 3600). You may reference context variables. |
| Response Read Timeout | The number of seconds the Gateway waits for the server to send the last byte of the response, that is, the time allowed to read the entire response, measured from the start of the response to its end. The value is in seconds (between 1 and 3600). You may reference context variables. |
| Test Connection | Tests the connection to the ICAP Server. Only works if an explicit URL is entered; does not work if context variables are referenced. |
| Service Parameters | Any optional service parameters required by the antivirus server. Specify the parameter name, value, and type (Header or Query). You may reference context variables for the name or value. The Gateway can send preview data to the ICAP server: add a Preview header and specify a value in bytes for the Gateway to include preview data in the ICAP request it sends. The Gateway makes an OPTIONS call to the ICAP server at a regular interval (determined by the icap.optionsRequestInterval cluster-wide property) to obtain the supported preview length. The amount of preview data actually sent is the minimum of the preview length returned by the ICAP server and the Preview header specified in the Service Parameters. For example, if the Preview header value is 100 bytes and the ICAP server supports a preview length of 50 bytes, the Gateway sends 50 bytes of preview data. If the Preview header value is 20 bytes and the server supports 50 bytes, the Gateway sends 20 bytes of preview data. |
| Continue processing if virus found | If selected, the assertion does not fail if a virus is found; otherwise, the assertion fails. |
| Max MIME Depth | How deep the assertion should traverse in the event of nested multiparts. |
| Failover Strategy | How the Gateway responds when a server fails to respond: |
| Variable Prefix | Enter a prefix that is added to the context variables created by this assertion. This prefix ensures uniqueness and prevents the variables from overwriting each other when multiple instances of this assertion appear in a policy. Default: icap.response |
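The following added example (not Gateway code) works through the preview negotiation described under Service Parameters, and the time-unit format used by icap.optionsRequestInterval and icap.channelIdleTimeout: it reads the Preview header out of a constructed OPTIONS response, takes the minimum of that and the configured Preview header, and converts property values such as 30s, 10m, 1h or a bare integer into seconds. Treating a server that advertises no Preview as "send no preview" is an assumption of this example (RFC 3507 says preview is only used when the server advertises it); the page does not state how the assertion handles that case.

```python
"""Added example (not Layer7 Gateway code): ICAP preview negotiation and
cluster-property time values. The OPTIONS response below is constructed."""
import re
from typing import List, Optional

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}


def parse_duration(value: str) -> int:
    """Convert a property value like 30s, 10m or 1h to seconds. A bare
    integer with no suffix is taken as minutes, as the property table states."""
    m = re.fullmatch(r"\s*(\d+)\s*([smh]?)\s*", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    number, unit = int(m.group(1)), (m.group(2) or "m")
    return number * UNIT_SECONDS[unit]


def check_idle_timeout(value: str) -> int:
    """icap.channelIdleTimeout must lie between 1 second and 1 hour."""
    seconds = parse_duration(value)
    if not 1 <= seconds <= 3600:
        raise ValueError(f"icap.channelIdleTimeout out of range: {value!r}")
    return seconds


def _icap_headers(raw: bytes) -> List[tuple]:
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def server_preview_length(options_response: bytes) -> Optional[int]:
    """Preview length advertised by the server in its OPTIONS response,
    or None if the server does not advertise one."""
    for name, value in _icap_headers(options_response):
        if name == "preview":
            return int(value)
    return None


def effective_preview(configured: Optional[int], advertised: Optional[int]) -> Optional[int]:
    """Bytes of preview actually sent: the minimum of the configured Preview
    header and the server's advertised length. None means no preview."""
    if configured is None or advertised is None:
        # Assumption: without both a configured and an advertised length, no preview.
        return None
    return min(configured, advertised)


# Constructed sample OPTIONS response advertising a 50-byte preview.
SAMPLE_OPTIONS_RESPONSE = (b"ICAP/1.0 200 OK\r\n"
                           b"Methods: RESPMOD\r\n"
                           b"ISTag: \"sample-istag\"\r\n"
                           b"Preview: 50\r\n"
                           b"Encapsulated: null-body=0\r\n\r\n")

if __name__ == "__main__":
    advertised = server_preview_length(SAMPLE_OPTIONS_RESPONSE)
    for configured in (100, 20):
        print(f"Preview header {configured}, server {advertised} "
              f"-> send {effective_preview(configured, advertised)} bytes")
    print("OPTIONS refresh every", parse_duration("30m"), "seconds")
```

The two worked cases reproduce the page's figures (100 vs 50 sends 50; 20 vs 50 sends 20). A practical consequence of the refresh interval: if the ICAP server's advertised preview length changes, the Gateway keeps using the old value until the next OPTIONS call, up to icap.optionsRequestInterval later.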
Frequently Asked Questions

| Question | Answer |
| --- | --- |
| How can I monitor the number of connections to the antivirus server? | Use the netstat command on the Gateway: `netstat -an -t 1 \| grep ":1344"` (1344 is the default ICAP port). |
| How can I limit the number of requests? | Add an Apply Rate Limit Assertion to the service policy. |
| This assertion is not working properly with McAfee Antivirus. | Check that your antivirus server is configured to add virus information to the ICAP response headers. |