File Security Virtual Appliance exposes a virus-scanning service via the ICAP protocol (RFC 3507). ICAP clients such as proxies and secure web gateways can forward files to the Virtual Appliance for scanning before allowing them through.

ICAP Server Endpoint

icap://<host>:<port><path>
| Component | Description | Default (SG) |
|---|---|---|
| host | File Security Virtual Appliance instance address | |
| port | ICAP listening port for external clients | 31344 |
| path | Scan endpoint path | /avscan |
Example:
icap://host:31344/avscan
Supported ICAP methods: REQMOD, RESPMOD, OPTIONS

Request Parameters

Query Parameters
| Parameter | Value | Description |
|---|---|---|
| pml | true | Enable Predictive Machine Learning (PML) scan in addition to the standard engine |

To enable PML, append ?pml=true to the ICAP service path.
Example:
icap://host:31344/avscan?pml=true
When using c-icap-client, pass it as part of the -s option:
c-icap-client -i host -p 31344 -s "avscan?pml=true" -v -f /path/to/sample.exe -x "X-scan-file-name: sample.exe"
File Name for Scan Result Reporting
The scanner extracts the file name from the ICAP request for scan result feedback to TrendAI Vision One™. If a malicious file is detected or a scan error occurs, the file name appears in the event table on the TrendAI Vision One™ console.
The file name is resolved from the following sources, in order of priority:
| Source | Example | Description |
|---|---|---|
| X-scan-file-name header | -x "X-scan-file-name: sample.exe" | Custom ICAP request header. Takes priority when present. |
| Encapsulated request URI path | -req http://localhost/sample.exe | The path component of the encapsulated HTTP request URI (per RFC 3507). Used as fallback when X-scan-file-name is not provided. |
Example using X-scan-file-name header:
c-icap-client -i <scanner_host> -p 1344 -s scan -v -f /path/to/sample.exe -x "X-scan-file-name: sample.exe"
Example using encapsulated request URI path:
c-icap-client -i <scanner_host> -p 1344 -s scan -v -f /path/to/sample.exe -req http://localhost/sample.exe
Note
Some ICAP clients, such as Dell OneFS, pass the file path via the encapsulated request URI. The scanner extracts the file name from this path automatically when the X-scan-file-name header is not present.

Response

| Result | ICAP response | Description |
|---|---|---|
| Clean | 204 No Content | No threat detected; file is allowed through. |
| Infected | 200 OK (with 403 Forbidden) | Threat detected; file is blocked. |
| Error | 200 OK (with 500 / 400) | Scan failed or request is invalid. For more information, see ICAP scanner responses. |
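
A client-side sketch of how an ICAP client could map the responses listed above to a verdict, added here as an example and not taken from the product's documentation or code. It assumes the 403 / 500 / 400 is the status line of the encapsulated HTTP response, located through the res-hdr offset of the Encapsulated header (RFC 3507). The function names and sample responses are constructed, and treating any unlisted response as an error (blocked) is this example's own choice.

```python
import re

# Encapsulated HTTP status -> verdict, per the results listed above.
HTTP_VERDICTS = {403: "infected", 400: "error", 500: "error"}

def classify_icap_response(raw: bytes) -> str:
    """Return 'clean', 'infected' or 'error' for one raw ICAP response."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = re.fullmatch(r"ICAP/1\.0 (\d{3})(?: .*)?", lines[0])
    if not status:
        return "error"                      # not ICAP at all: fail closed
    if status.group(1) == "204":
        return "clean"                      # 204 No Content
    if status.group(1) != "200":
        return "error"                      # unlisted ICAP status
    # ICAP 200: the verdict is the encapsulated HTTP status line, which
    # starts at the res-hdr offset counted from the end of the ICAP headers.
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    enc = re.search(r"res-hdr=(\d+)", headers.get("encapsulated", ""))
    if not enc:
        return "error"
    http_line = rest[int(enc.group(1)):].split(b"\r\n", 1)[0].decode("latin-1")
    http = re.match(r"HTTP/\d\.\d (\d{3})\b", http_line)
    if not http:
        return "error"                      # truncated or malformed
    return HTTP_VERDICTS.get(int(http.group(1)), "error")

def should_allow(raw: bytes) -> bool:
    """Gate for the ICAP client: only an explicit clean verdict passes."""
    return classify_icap_response(raw) == "clean"

# Constructed sample responses (not captured from a real appliance).
CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "constructed"\r\n\r\n'
INFECTED = (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=45\r\n\r\n"
            b"HTTP/1.1 403 Forbidden\r\nContent-Length: 7\r\n\r\n"
            b"7\r\nblocked\r\n0\r\n\r\n")
SCAN_ERROR = (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, null-body=38\r\n\r\n"
              b"HTTP/1.1 500 Internal Server Error\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("infected", INFECTED), ("error", SCAN_ERROR)):
        print(label, "->", classify_icap_response(raw), "allow:", should_allow(raw))
```

A scan error is not a clean verdict, so a gateway using a gate like `should_allow` blocks the file when the scanner fails instead of letting it through unscanned.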