ICAP Server

Hi,

I'm new to the MWG and trying to use it as an ICAP server.  The MWG will not be used for any other purpose, so I'm looking to implement the most basic ruleset - i.e. return "file clean" or "virus found" to an ICAP client.  Any pointers on the best way to set up the MWG to do this would be really appreciated.

Thanks,

Chris

5 Replies
eelsasser
Level 15

Re: ICAP Server

This is the one I use for pure ICAP scanning of malware.

Rule Set: ICAP Server
Enabled: Disabled
Applies to Requests: True / Responses: True / Embedded Objects: True
Criteria:
  1: Connection.Protocol equals "ICAP"

Rules (columns: Enabled | Rule | Action | Events | Comments)

[Disabled] X-Client-IP
  Criteria:
    1: Client.IP is in range 192.168.2.0/24
    2: OR String.ToIP(Header.ICAP.Request.Get("X-Client-IP")) is in range 192.168.2.0/24
  Action: Continue
  Comments: Example of how to use the X-Client-IP: header.

[Disabled] X-Authenticated-Groups
  Criteria:
    1: Authentication.UserGroups contains at least one match *Domain Admins*
    2: OR String.Base64Decode(Header.ICAP.Request.Get("X-Authenticated-Groups")) matches *Domain Admins*
  Action: Continue
  Comments: Example of how to use the X-Authenticated-Groups: header.

[Disabled] X-Authenticated-User
  Criteria:
    1: Authentication.UserName equals "user"
    2: OR String.Base64Decode(Header.ICAP.Request.Get("X-Authenticated-User")) equals "Local://user"
  Action: Continue
  Comments: Example of how to use the X-Authenticated-User: header.

[Disabled] Lookup Geolocation
  Criteria:
    1: URL.Geolocation<CloudOnly> is in list Geolocation: Country List
  Action: Continue
  Events:
    Set User-Defined.Geolocation = URL.Geolocation<CloudOnly>
    Header.ICAP.Response.Add("X-Geolocation",User-Defined.Geolocation)
  Comments: Lookup country the URL resides in, in case you want to block by country code.

[Enabled] Enable Composite Opener
  Criteria: Always
  Action: Continue
  Events: Composite Opener<Default>
  Comments: Opens the documents for scanning.

[Enabled] MediaType: Detect
  Criteria:
    1: List.OfMediaType.IsEmpty(MediaType.EnsuredTypes) equals false
  Action: Continue
  Events:
    Header.ICAP.Response.Add("X-Media-Type",List.OfMediaType.ToString(MediaType.EnsuredTypes))
  Comments: Validate the actual media type by doing magic byte checking.

[Disabled] MediaType: Block Not Detected
  Criteria:
    1: List.OfMediaType.IsEmpty(MediaType.EnsuredTypes) equals true
  Action: Block<Media Type (Not Detected)>
  Events:
    Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
    Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
    Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
  Comments: Block if not in list of known media types.

[Disabled] MediaType: Blocked Downloads
  Criteria:
    1: MediaType.EnsuredTypes at least one in list MediaType: Blocked Downloads
  Action: Block<Media Type (Block List)>
  Events:
    Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
    Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
    Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
  Comments: If media type is in given list during download, the user will be blocked.

[Disabled] MediaType: Block Encrypted
  Criteria:
    1: Body.IsEncryptedObject equals true
  Action: Block<Media Type (Not Supported Archive)>
  Events:
    Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
    Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
    Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
  Comments: Block if file is password protected.

[Enabled] MediaType: Block Multipart Archive
  Criteria:
    1: Body.IsMultiPartObject equals true
  Action: Block<Media Type (Multipart Archive)>
  Events:
    Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
    Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
    Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
  Comments: Block if file is a multi-part archive.

[Disabled] MediaType: Block Corrupted Archive
  Criteria:
    1: Body.IsCorruptedObject equals true
  Action: Block<Media Type (Common)>
  Events:
    Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
    Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
    Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
  Comments: Block if file is corrupted and cannot be opened.

[Enabled] URL Filter: Blocked Categories
  Criteria:
    1: URL.Categories<Default> at least one in list ICAP: Blocked Categories
  Action: Block<URL Blocked>
  Events:
    Statistics.Counter.Increment("BlockedByURLFilter",1)<Default>
  Comments: Block if URL is in a malicious category.

[Enabled] Anti-Malware: ICAP Setting
  Criteria:
    1: Antimalware.Infected<Gateway Anti-Malware: ICAP Setting> equals true
  Action: Block<Virus Found>
  Events:
    Statistics.Counter.Increment("BlockedByAntiMalware",1)<Default>
    Header.ICAP.Response.Add("X-Virus-Name",List.OfString.ToString(Antimalware.VirusNames<Gateway Anti-Malware: ICAP Setting>))
    Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
    Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
  Comments: Block, if a virus was found in a response or embedded object.

[Enabled] Anti-Malware: Scan Completed
  Criteria: Always
  Action: Continue
  Events:
    Set User-Defined.Body.Modified = Body.Modified
    Set User-Defined.Antimalware.Scanned = true
  Comments: Validate that Antimalware scanning occurred for logs. If it gets to here, it passed the Antimalware rules and is clean. Body.Modified indicates if a page was cleaned of mobile code.

[Enabled] Stop Cycle
  Criteria: Always
  Action: Stop Cycle
  Comments: No further processing.


Message was edited by: eelsasser
Made changes to the rules. on 6/6/12 8:42:32 AM EDT
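The rule set above answers an ICAP client through the response status and the X-Virus-Name, X-Block-Reason, X-WWBlockResult and X-Media-Type headers it adds, and it reads the X-Client-IP and X-Authenticated-User headers from the client (base64-decoding the latter). The following is an added example of the client side, not code from this thread or from McAfee Web Gateway: it builds an ICAP RESPMOD request (RFC 3507) carrying those headers and maps a reply to "clean" / "virus found" / "blocked". The service URL, IP addresses, the Block.ID value and the sample replies are constructed for the example.

```python
# Added example (not from the forum post or MWG): minimal ICAP client side for
# the rule set above. All hostnames, IPs and sample replies are constructed.
import base64
from urllib.parse import urlsplit


def build_respmod_request(service_url, http_request_head, http_response,
                          client_ip=None, auth_user=None):
    """Wrap an HTTP response in an ICAP RESPMOD request for scanning.

    http_request_head: the original HTTP request headers (bytes, CRLFCRLF-terminated).
    http_response:     the complete HTTP response (headers + body) to scan.
    """
    host = urlsplit(service_url).hostname
    res_hdr, sep, body = http_response.partition(b"\r\n\r\n")
    res_hdr += sep
    # Encapsulated gives the byte offset of each section that follows the ICAP headers.
    encapsulated = (f"req-hdr=0, res-hdr={len(http_request_head)}, "
                    f"res-body={len(http_request_head) + len(res_hdr)}")
    lines = [
        f"RESPMOD {service_url} ICAP/1.0",
        f"Host: {host}",
        "Allow: 204",  # let the server reply 204 for clean content instead of echoing it
        f"Encapsulated: {encapsulated}",
    ]
    if client_ip:
        lines.append(f"X-Client-IP: {client_ip}")
    if auth_user:
        # The rule set base64-decodes this header before comparing it to "Local://user".
        lines.append("X-Authenticated-User: "
                     + base64.b64encode(auth_user.encode()).decode())
    icap_head = ("\r\n".join(lines) + "\r\n\r\n").encode()
    # The encapsulated body is sent chunked and terminated by a zero-length chunk.
    chunked_body = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    return icap_head + http_request_head + res_hdr + chunked_body


def parse_icap_response(raw):
    """Split an ICAP reply into (status, reason, {lowercased header name: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, reason, headers


def verdict(raw_icap_reply):
    """Map an MWG reply to the verdict the ICAP client needs: (category, detail)."""
    status, reason, headers = parse_icap_response(raw_icap_reply)
    if status == 204:
        # 204 No Content: content passed all rules; "MediaType: Detect" may still label it.
        return ("clean", headers.get("x-media-type"))
    if status == 200:
        if "x-virus-name" in headers:        # set by the Anti-Malware block rule
            return ("virus found", headers["x-virus-name"])
        if "x-block-reason" in headers:      # set by the media type / URL block rules
            return ("blocked", headers["x-block-reason"])
        return ("clean", headers.get("x-media-type"))  # content echoed back unmodified
    return ("error", f"{status} {reason}".strip())


# Constructed sample replies, shaped like what the rule set produces.
CLEAN_REPLY = (b"ICAP/1.0 204 No Content\r\n"
               b'ISTag: "constructed-sample"\r\n'
               b"X-Media-Type: application/zip\r\n"
               b"Encapsulated: null-body=0\r\n\r\n")

# Block page reply; res-body=51 is the length of the HTTP header section below.
INFECTED_REPLY = (b"ICAP/1.0 200 OK\r\n"
                  b'ISTag: "constructed-sample"\r\n'
                  b"X-Virus-Name: EICAR-Test-File\r\n"   # constructed detection name
                  b"X-WWBlockResult: 0\r\n"               # placeholder Block.ID value
                  b"X-Block-Reason: Virus Found\r\n"
                  b"Encapsulated: res-hdr=0, res-body=51\r\n\r\n"
                  b"HTTP/1.1 403 Forbidden\r\n"
                  b"Content-Type: text/html\r\n\r\n"
                  b"a\r\n<blocked/>\r\n0\r\n\r\n")

MEDIA_BLOCK_REPLY = (b"ICAP/1.0 200 OK\r\n"
                     b"X-WWBlockResult: 0\r\n"            # placeholder Block.ID value
                     b"X-Block-Reason: Media Type (Multipart Archive)\r\n"
                     b"Encapsulated: res-hdr=0, res-body=51\r\n\r\n"
                     b"HTTP/1.1 403 Forbidden\r\n"
                     b"Content-Type: text/html\r\n\r\n"
                     b"a\r\n<blocked/>\r\n0\r\n\r\n")


if __name__ == "__main__":
    req = build_respmod_request("icap://mwg.example.net:1344/RESPMOD",
                                b"GET /file.bin HTTP/1.1\r\nHost: origin.example\r\n\r\n",
                                b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
                                client_ip="192.168.2.10", auth_user="Local://user")
    print(req.decode("iso-8859-1"))
    for reply in (CLEAN_REPLY, INFECTED_REPLY, MEDIA_BLOCK_REPLY):
        print(verdict(reply))
```

A real client would write the request bytes to a TCP socket on the MWG's ICAP port and read the reply back; the 204 path only works because the request sends "Allow: 204", otherwise a clean file comes back as a 200 with the original body re-encapsulated, which the verdict function treats as clean.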
oliver.huf
Level 7

Re: ICAP Server

Thanks a bunch!!!

Oliver.

slizka
Level 7

Re: ICAP Server

Hi,

I just wonder if there's some updated version of this ICAP policy or if it's still usable with the latest version (currently 7.6.2.2).

Thanks.

Br. Ales

eelsasser
Level 15

Re: ICAP Server

It should work the same on 7.6.2. I use it every day.

slizka
Level 7

Re: ICAP Server

Great, thanks for the confirmation...
