About Antivirus Scan Filter
You can use the antivirus scan filter to configure Enterprise Gateway to interact with an Internet Content Adaptation Protocol (ICAP)-compliant server. An ICAP server is capable of hosting multiple services that you can use to implement features such as virus scanning or content filtering. Using the antivirus scan filter, Enterprise Gateway Server can leverage the ICAP protocol to scan all incoming HTTP requests and payloads for viruses.
Note: The antivirus scan filter feature is certified on the c-icap server, an implementation of an ICAP server, and can be integrated with any ICAP-compliant virus scanning application.
Before enabling the antivirus scan filter, ensure that the following prerequisites are met:
An ICAP-compliant server must be installed and configured in the DMZ, and Enterprise Gateway Server must be able to access the ICAP-compliant server.
The ICAP-compliant server must have an ICAP service registered, and the service must be accessible using a URL of the following format:
icap://<icap_server>:<icap_port>/serviceName
Enterprise Gateway Server must be configured to send emails so that it can send alerts in case of any configuration or connectivity issues with the ICAP server. The email alerts are sent to the administrator's email address specified in the Internal Email field on the Settings > Resources screen.
If the antivirus scan filter is enabled as part of an Enterprise Gateway rule, Enterprise Gateway Server validates every incoming payload using the ICAP server, in the following steps:
1. Enterprise Gateway Server requests that the ICAP server scan the request.
2. If the response from the ICAP server includes a Preview header (the ICAP server advertises it in its response to the OPTIONS method), Enterprise Gateway Server performs the following steps:
a. Enterprise Gateway Server sends the ICAP server the number of bytes of the payload specified in the Preview header.
b. The ICAP server scans the preview content using the registered ICAP service.
c. If the ICAP server detects malicious content in the preview, then, depending on how the Enterprise Gateway rule is configured, Enterprise Gateway Server either denies the request or allows it and sends an alert about the violation of the rule. Otherwise, as directed by the ICAP server's response, Enterprise Gateway Server sends the rest of the payload to the ICAP server to be scanned.
3. If the response from the ICAP server does not include a Preview header, Enterprise Gateway Server performs the following steps:
a. Enterprise Gateway Server requests that the ICAP server scan the entire request using the registered ICAP service.
b. If the ICAP server detects malicious content in the request, then, depending on how the Enterprise Gateway rule is configured, Enterprise Gateway Server either denies the request or allows it and sends an alert about the violation of the rule.
Notes:
Enterprise Gateway supports both the REQMOD and RESPMOD methods; which one is used is determined by the ICAP server's response to the OPTIONS method.
Enterprise Gateway Server sends a header named X-wMUUID with every outbound ICAP request. The value of this header is a unique identifier that distinguishes one scan from another, which is useful when correlating Enterprise Gateway alerts with the ICAP server's own logs.
Enterprise Gateway Server returns success if the ICAP status code is 200 and the HTTP status code encapsulated in the ICAP response is within the range 200-300.
Enterprise Gateway Server returns failure if the ICAP status code is 300 or higher.
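The following Python program walks through the scan procedure above (OPTIONS, then REQMOD with or without a preview, then the rest of the payload after a 100 Continue) and applies the status-code rules from the notes. It is an added example and not Enterprise Gateway or c-icap code: the request builder, the verdict function, the X-wMUUID generation and the in-memory FakeIcapServer are assumptions written for illustration, following the RFC 3507 message framing (Encapsulated header, chunked preview terminated by "0; ieof", 100 Continue). The service URL, host name and the "malware" marker the fake server looks for are constructed for the example.

```python
"""ICAP REQMOD client flow for the steps described in this section.
Added example, not Enterprise Gateway code: request builder, verdict rules and
the in-memory FakeIcapServer are assumptions written for illustration (RFC 3507)."""
import uuid
from typing import Callable, Optional

CRLF = "\r\n"
BAD_SIGNATURE = b"<<constructed-malware-signature>>"   # constructed marker, not real malware


def parse_icap(raw: bytes):
    """Split an ICAP response into (status code, lower-cased headers, encapsulated body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split(" ", 2)[1]), headers, body     # "ICAP/1.0 200 OK"


def preview_size(options_response: bytes) -> Optional[int]:
    """Step 2 vs step 3: a Preview header in the OPTIONS reply selects preview mode."""
    headers = parse_icap(options_response)[1]
    return int(headers["preview"]) if "preview" in headers else None


def build_reqmod(service_url: str, host: str, http_head: bytes, body: bytes,
                 preview: Optional[int]):
    """Return (first ICAP message, remaining chunked body or b'').
    In preview mode only the first `preview` bytes are sent, ending in "0; ieof"
    when the whole body fit; the rest goes out only after a 100 Continue."""
    n = len(body) if preview is None else min(preview, len(body))
    first, rest = body[:n], body[n:]
    lines = [f"REQMOD {service_url} ICAP/1.0", f"Host: {host}",
             f"X-wMUUID: {uuid.uuid4()}", "Allow: 204",          # one id per scan
             f"Encapsulated: req-hdr=0, req-body={len(http_head)}"]
    if preview is not None:
        lines.append(f"Preview: {n}")
    msg = (CRLF.join(lines) + CRLF + CRLF).encode("latin-1") + http_head
    if n:
        msg += f"{n:x}\r\n".encode() + first + b"\r\n"
    msg += b"0; ieof\r\n\r\n" if preview is not None and not rest else b"0\r\n\r\n"
    remaining = f"{len(rest):x}\r\n".encode() + rest + b"\r\n0\r\n\r\n" if rest else b""
    return msg, remaining


def verdict(icap_response: bytes) -> str:
    """Status rules from the notes above; 204 (no modification) is clean per RFC 3507."""
    code, headers, body = parse_icap(icap_response)
    if code == 204:
        return "success"
    if code >= 300:
        return "failure"
    if code == 200 and "res-hdr" in headers.get("encapsulated", ""):
        # Encapsulated HTTP response, e.g. "HTTP/1.1 403 Forbidden" from a block page
        return "success" if 200 <= int(body.split(b" ", 2)[1]) < 300 else "failure"
    return "success" if code == 200 else "failure"


def scan_request(transport: Callable[[bytes], bytes], service_url: str, host: str,
                 http_head: bytes, body: bytes) -> str:
    """Steps 1-3: OPTIONS, then REQMOD with or without preview, then the verdict."""
    options = (f"OPTIONS {service_url} ICAP/1.0{CRLF}Host: {host}{CRLF}"
               f"Encapsulated: null-body=0{CRLF}{CRLF}").encode("latin-1")
    preview = preview_size(transport(options))
    first, remaining = build_reqmod(service_url, host, http_head, body, preview)
    reply = transport(first)
    if parse_icap(reply)[0] == 100:          # step 2c: preview clean, send the rest
        reply = transport(remaining)
    return verdict(reply)


def dechunk(chunked: bytes) -> bytes:
    """Reassemble chunked data; accepts both "0" and "0; ieof" as the last chunk."""
    out, pos = b"", 0
    while True:
        end = chunked.index(b"\r\n", pos)
        size = int(chunked[pos:end].split(b";")[0], 16)
        if size == 0:
            return out
        out += chunked[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


class FakeIcapServer:
    """Constructed in-memory stand-in for an ICAP server such as c-icap (offline runs)."""
    def __init__(self, preview: Optional[int]):
        self.preview, self.body = preview, b""

    def __call__(self, data: bytes) -> bytes:
        if data.startswith(b"OPTIONS"):
            extra = f"Preview: {self.preview}{CRLF}" if self.preview is not None else ""
            return f"ICAP/1.0 200 OK{CRLF}Methods: REQMOD{CRLF}{extra}{CRLF}".encode()
        if data.startswith(b"REQMOD"):       # drop the ICAP head and encapsulated req-hdr
            self.body = dechunk(data.split(b"\r\n\r\n", 2)[2])
            if (BAD_SIGNATURE not in self.body and b"Preview:" in data
                    and not data.endswith(b"0; ieof\r\n\r\n")):
                return f"ICAP/1.0 100 Continue{CRLF}{CRLF}".encode()
        else:                                # continuation sent after 100 Continue
            self.body += dechunk(data)
        if BAD_SIGNATURE in self.body:       # block: ICAP 200 wrapping an HTTP 403
            http = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
            return (f"ICAP/1.0 200 OK{CRLF}Encapsulated: res-hdr=0, res-body={len(http)}"
                    f"{CRLF}{CRLF}").encode() + http + b"0\r\n\r\n"
        return f"ICAP/1.0 204 No Content{CRLF}{CRLF}".encode()
```

Two points worth noticing when running it: with a preview, a signature that straddles the preview boundary is only caught after the 100 Continue exchange, because the fake server reassembles the de-chunked body before matching, and a 204 "No Content" reply (the normal clean result for c-icap-style services) is treated as success here on the strength of RFC 3507, whereas the notes above only spell out the 200 case.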