Scan Using ICAP-Enabled Antivirus Assertion

The Scan Using ICAP-Enabled Antivirus assertion allows the Layer7 API Gateway to connect to an antivirus server that supports the ICAP protocol, such as McAfee®, Sophos®, or Symantec™.
Prerequisites:
  • Ensure your antivirus server is enabled for the ICAP protocol.
  • For McAfee VirusScan, configure the McAfee server to add virus information to the ICAP response headers.
(1) Knowledge of RFC 3507 is required to use this assertion. Consult with your ICAP vendor to receive a sample HTTP request including required message header fields. Your vendor may also have client tools available to test the request before implementing in policy.
(2) This assertion supports RESPMOD (Response Modification Mode) only.
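The note above limits the assertion to RESPMOD and points to RFC 3507. The following added example (not Gateway or vendor code) shows how a RESPMOD request is framed and how virus information is read from the ICAP response headers. The host `icap.example`, the service path `avscan`, and the header names X-Infection-Found, X-Violations-Found and X-Virus-ID are assumptions; confirm the real values with your ICAP vendor.

```python
# Added example, not vendor code. Host, service path and header names are assumptions.
VIRUS_HEADERS = ("x-infection-found", "x-violations-found", "x-virus-id")

def build_respmod(host, service, req_hdr, res_hdr, body):
    """Return one ICAP RESPMOD request as bytes."""
    # Encapsulated offsets count bytes from the end of the ICAP header block.
    body_off = len(req_hdr) + len(res_hdr)
    kind = "res-body" if body else "null-body"
    icap = ("RESPMOD icap://%s/%s ICAP/1.0\r\n"
            "Host: %s\r\n"
            "Allow: 204\r\n"
            "Encapsulated: req-hdr=0, res-hdr=%d, %s=%d\r\n\r\n"
            % (host, service, host, len(req_hdr), kind, body_off))
    # An encapsulated body is always chunked; a zero-length chunk ends it.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b""
    return icap.encode("ascii") + req_hdr + res_hdr + chunked

def parse_icap_response(raw):
    """Return (status code, {lower-cased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    parts = status.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError("not an ICAP status line: %r" % status)
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def verdict(raw):
    """Classify a reply as 'clean', 'infected' or 'unknown'."""
    code, headers = parse_icap_response(raw)
    if code == 204:  # 204: no modifications needed
        return "clean", {}
    found = {h: headers[h] for h in VIRUS_HEADERS if h in headers}
    # A non-204 reply without a virus header gives the client nothing to report.
    return ("infected" if found else "unknown"), found

# Constructed sample data, not captured from a real server.
REQ_HDR = b"GET /upload.bin HTTP/1.1\r\nHost: origin.example\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
INFECTED = (b"ICAP/1.0 200 OK\r\nISTag: \"constructed-1\"\r\n"
            b"X-Infection-Found: Type=0; Resolution=2; Threat=Constructed-Test;\r\n"
            b"Encapsulated: null-body=0\r\n\r\n")
CLEAN = b"ICAP/1.0 204 No modifications needed\r\nISTag: \"constructed-1\"\r\n\r\n"
if __name__ == "__main__":
    print(verdict(INFECTED), verdict(CLEAN))
```

The "unknown" result is the case the McAfee prerequisite guards against: a server that modifies the response but adds no virus information to the ICAP response headers.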
Context Variables
This assertion populates the following variables with information about a detected virus. The variables are multi-valued, to accommodate multiple viruses found. The context variables are not set if no viruses are found.
| Variable | Description |
|---|---|
| icap.response.infected | Lists the infected part ID, content ID, filename or context variable name. |
| icap.response.header.names.X | Header names as returned by the ICAP server, where 'X' is an index that corresponds to the index of the infected part. |
| icap.response.header.values.X | Header values as returned by the ICAP server, where 'X' is an index that corresponds to the index of the infected part. |
| icap.response.header.value.X.headerName | The value of the specified header name for the infected part 'X'. |
Cluster Properties
This assertion uses the following cluster properties.
| Property | Description |
|---|---|
| icap.channelIdleTimeout | Maximum idle time for a connected channel in the connection pool to an ICAP server. Any channels exceeding this timeout value will be disconnected and removed from the pool. Value is a time unit; the allowable range is between 1 second and 1 hour. Default: 1m |
| io.failoverServerRetryDelay | This property is used in the Failover Strategy. It controls the delay before the Gateway retries a failed server. For more information, see Input/Output Cluster Properties. |
Assertion Properties
| Setting | What you should know... |
|---|---|
| Add Server, Edit Server | URL of the ICAP Server. You may reference context variables. |
| Connection Timeout | Connection timeout, in seconds (between 1 and 3600). You may reference context variables. |
| Read Timeout | The number of seconds that the Gateway should wait for the server to start sending a response (from the end of the request to the start of the response). Timeout value is in seconds (between 1 and 3600). You may reference context variables. |
| Response Read Timeout | The number of seconds that the Gateway should wait for the server to send the last byte of the response, which is the time allowed to read the entire response from the server (from the start of the response to the end of the response). Timeout value is in seconds (between 1 and 3600). You may reference context variables. |
| Test Connection | Tests the connection to the ICAP Server. Only works if an explicit URL is entered. Does not work if context variables are referenced. |
| Service Parameters | Any optional service parameters required by the antivirus server. Specify the parameter name, value, and type (Header or Query). You may reference context variables for the name or value. |
| Continue processing if virus found | If selected, the assertion does not fail if a virus is found; otherwise, the assertion fails. |
| Max MIME Depth | How deep the assertion should traverse in the event of nested multiparts. |
| Failover Strategy | How the Gateway responds when a server fails to respond. Ordered Sticky with Failover: The Gateway sends service messages to the first server in the list until that server does not respond (fails). When this occurs, the Gateway tries the next server in the list. Random Sticky with Failover: The Gateway chooses a server randomly at the beginning of each session and uses it for the duration of the session. If the chosen server fails, the Gateway chooses another server at random. Round Robin: The Gateway rotates through the server list on a request-by-request basis (round-robin) from the first server, to the second server, and so on. When the end of the server list is reached, the cycle continues from the top of the list. |
| Variable Prefix | Enter a prefix that is added to the context variables created by this assertion. This prefix ensures uniqueness and prevents the variables from overwriting each other when multiple instances of this assertion appear in a policy. Default: icap.response |
Frequently Asked Questions
Q: How can I monitor the number of connections to the antivirus server?
A: Use the netstat command on the Gateway:
    netstat -an -t 1 | grep ":1344"

Q: How can I limit the number of requests?
A: Add an Apply Rate Limit Assertion to the service policy.

Q: This assertion is not working properly with McAfee Antivirus.
A: Check that your antivirus server is configured to add virus information to the ICAP response headers.