5 Replies Latest reply on Sep 13, 2016 7:51 AM by slizka

    ICAP Server

      Hi,

       

      I'm new to the MWG and trying to use it as an ICAP server.  The MWG will not be used for any other purpose, so I'm looking to implement the most basic ruleset - i.e. return "file clean" or "virus found" to an ICAP client.  Any pointers on the best way to set up the MWG to do this would be really appreciated.

       

      Thanks,

       

      Chris

        • 1. Re: ICAP Server

          This is the one I use for pure ICAP scanning of malware.

           

           

          Rule set: ICAP Server (Disabled)
          Applies to Requests: True / Responses: True / Embedded Objects: True
          Criteria: 1: Connection.Protocol equals "ICAP"

          Rules (columns: Enabled | Rule | Action | Events | Comments)

          [Disabled] X-Client-IP
              Criteria: 1: Client.IP is in range 192.168.2.0/24
                        2: OR String.ToIP(Header.ICAP.Request.Get("X-Client-IP")) is in range 192.168.2.0/24
              Action:   Continue
              Comment:  Example of how to use X-Client-IP: header.

          [Disabled] X-Authenticated-Groups
              Criteria: 1: Authentication.UserGroups contains at least one match *Domain Admins*
                        2: OR String.Base64Decode(Header.ICAP.Request.Get("X-Authenticated-Groups")) matches *Domain Admins*
              Action:   Continue
              Comment:  Example of how to use X-Authenticated-Groups: header.

          [Disabled] X-Authenticated-User
              Criteria: 1: Authentication.UserName equals "user"
                        2: OR String.Base64Decode(Header.ICAP.Request.Get("X-Authenticated-User")) equals "Local://user"
              Action:   Continue
              Comment:  Example of how to use the X-Authenticated-User: header.

          [Disabled] Lookup Geolocation
              Criteria: 1: URL.Geolocation<CloudOnly> is in list Geolocation: Country List
              Action:   Continue
              Events:   Set User-Defined.Geolocation = URL.Geolocation<CloudOnly>
                        Header.ICAP.Response.Add("X-Geolocation",User-Defined.Geolocation)
              Comment:  Lookup country the URL resides in, in case you want to block by country code.

          [Enabled] Enable Composite Opener
              Criteria: Always
              Action:   Continue
              Events:   Composite Opener<Default>
              Comment:  Opens the documents for scanning.

          [Enabled] MediaType: Detect
              Criteria: 1: List.OfMediaType.IsEmpty(MediaType.EnsuredTypes) equals false
              Action:   Continue
              Events:   Header.ICAP.Response.Add("X-Media-Type",List.OfMediaType.ToString(MediaType.EnsuredTypes))
              Comment:  Validate the actual media type by doing magic byte checking.

          [Disabled] MediaType: Block Not Detected
              Criteria: 1: List.OfMediaType.IsEmpty(MediaType.EnsuredTypes) equals true
              Action:   Block<Media Type (Not Detected)>
              Events:   Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
                        Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
                        Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
              Comment:  Block if not in list of known media types.

          [Disabled] MediaType: Blocked Downloads
              Criteria: 1: MediaType.EnsuredTypes at least one in list MediaType: Blocked Downloads
              Action:   Block<Media Type (Block List)>
              Events:   Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
                        Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
                        Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
              Comment:  If media type is in given list during download, the user will be blocked.

          [Disabled] MediaType: Block Encrypted
              Criteria: 1: Body.IsEncryptedObject equals true
              Action:   Block<Media Type (Not Supported Archive)>
              Events:   Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
                        Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
                        Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
              Comment:  Block if file is password protected.

          [Enabled] MediaType: Block Multipart Archive
              Criteria: 1: Body.IsMultiPartObject equals true
              Action:   Block<Media Type (Multipart Archive)>
              Events:   Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
                        Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
                        Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
              Comment:  Block if file is a multi-part archive.

          [Disabled] MediaType: Block Corrupted Archive
              Criteria: 1: Body.IsCorruptedObject equals true
              Action:   Block<Media Type (Common)>
              Events:   Statistics.Counter.Increment("BlockedByMediaFilter",1)<Default>
                        Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
                        Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
              Comment:  Block if file is corrupted and cannot be opened.

          [Enabled] URL Filter: Blocked Categories
              Criteria: 1: URL.Categories<Default> at least one in list ICAP: Blocked Categories
              Action:   Block<URL Blocked>
              Events:   Statistics.Counter.Increment("BlockedByURLFilter",1)<Default>
              Comment:  Block if URL is in a malicious category.

          [Enabled] Anti-Malware: ICAP Setting
              Criteria: 1: Antimalware.Infected<Gateway Anti-Malware: ICAP Setting> equals true
              Action:   Block<Virus Found>
              Events:   Statistics.Counter.Increment("BlockedByAntiMalware",1)<Default>
                        Header.ICAP.Response.Add("X-Virus-Name",List.OfString.ToString(Antimalware.VirusNames<Gateway Anti-Malware: ICAP Setting>))
                        Header.ICAP.Response.Add("X-WWBlockResult",Number.ToString(Block.ID))
                        Header.ICAP.Response.Add("X-Block-Reason",Block.Reason)
              Comment:  Block if a virus was found in a response or embedded object.

          [Enabled] Anti-Malware: Scan Completed
              Criteria: Always
              Action:   Continue
              Events:   Set User-Defined.Body.Modified = Body.Modified
                        Set User-Defined.Antimalware.Scanned = true
              Comment:  Validate that Antimalware scanning occurred for logs. If it gets to here, it passed the Antimalware rules and is clean. Body.Modified indicates if a page was cleaned of mobile code.

          [Enabled] Stop Cycle
              Criteria: Always
              Action:   Stop Cycle
              Comment:  No further processing.


           

          Message was edited by: eelsasser Made changes to the rules. on 6/6/12 8:42:32 AM EDT
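          An added example (not code from the original post, from eelsasser or from McAfee): the ICAP client side of the ruleset above in Python, showing the request headers the X-Client-IP / X-Authenticated-User rules read, and how to turn the X-Virus-Name, X-Block-Reason, X-WWBlockResult and X-Media-Type headers the rules add into the "file clean" / "virus found" verdict the question asks for. The MWG host, port and service name, the two sample replies and the sample request are constructed placeholders, not captured traffic.

```python
import base64

# Assumed values: the MWG host, port and ICAP service name are placeholders.
ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "mwg.example.internal", 1344, "RESPMOD"

def chunked(body: bytes) -> bytes:
    """ICAP encapsulated bodies are HTTP chunk-encoded: one chunk plus the 0 terminator."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b"0\r\n\r\n"

def build_respmod(req_hdr: bytes, res_hdr: bytes, body: bytes,
                  client_ip: str, user: str = "") -> bytes:
    """Build a RESPMOD request. X-Client-IP and X-Authenticated-User are the headers the
    (disabled) example rules read; the user is base64-encoded to match String.Base64Decode."""
    lines = [f"RESPMOD icap://{ICAP_HOST}:{ICAP_PORT}/{ICAP_SERVICE} ICAP/1.0",
             f"Host: {ICAP_HOST}", "Allow: 204", f"X-Client-IP: {client_ip}"]
    if user:
        lines.append("X-Authenticated-User: " + base64.b64encode(user.encode()).decode())
    # Byte offsets of each encapsulated part: request headers, response headers, body
    lines.append(f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
                 f"res-body={len(req_hdr) + len(res_hdr)}")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + req_hdr + res_hdr + chunked(body)

def parse_verdict(raw: bytes) -> dict:
    """Map the ICAP reply to a verdict: 204 means 'unmodified, clean'; a Block rule answers
    200 with a replacement page plus the X-* headers the ruleset adds (names case-folded)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = int(head[0].split()[1])
    hdrs = {n.strip().lower(): v.strip() for n, _, v in (ln.partition(":") for ln in head[1:])}
    if hdrs.get("x-virus-name"):
        verdict = "virus found"      # Anti-Malware: ICAP Setting rule fired
    elif hdrs.get("x-block-reason"):
        verdict = "blocked"          # a media-type or URL-category Block rule fired
    elif status in (200, 204):
        verdict = "file clean"       # passed through to Anti-Malware: Scan Completed
    else:
        verdict = "error"            # e.g. 5xx: a failed scan is not a clean verdict
    return {"status": status, "verdict": verdict, "virus": hdrs.get("x-virus-name", ""),
            "reason": hdrs.get("x-block-reason", ""), "block_id": hdrs.get("x-wwblockresult", ""),
            "media_type": hdrs.get("x-media-type", "")}

# Constructed sample replies (not captured from a real MWG): a clean verdict and a block.
CLEAN_REPLY = (b"ICAP/1.0 204 No Content\r\nISTag: \"sample\"\r\n"
               b"X-Media-Type: application/zip\r\nEncapsulated: null-body=0\r\n\r\n")
VIRUS_REPLY = (b"ICAP/1.0 200 OK\r\nISTag: \"sample\"\r\nX-Virus-Name: EICAR-Test-File\r\n"
               b"X-Block-Reason: Virus Found\r\nX-WWBlockResult: 80\r\n"
               b"Encapsulated: res-hdr=0, res-body=51\r\n\r\n"
               b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n8\r\nBlocked.\r\n0\r\n\r\n")
# Constructed sample request for a small download; the client IP sits in the 192.168.2.0/24 rule.
SAMPLE_REQ = build_respmod(b"GET /f.zip HTTP/1.1\r\nHost: example.com\r\n\r\n",
                           b"HTTP/1.1 200 OK\r\n\r\n", b"PK", "192.168.2.10", "Local://user")
```

          Treat anything other than a 204 or a 200 without block headers as a failed scan rather than a clean file, so an MWG outage does not silently pass content through.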
          • 2. Re: ICAP Server
            oliver.huf

            Thanks a bunch!!!

             

            Oliver.

            • 3. Re: ICAP Server
              slizka

              Hi,

               

              I just wonder if there's some updated version of this ICAP policy or if it's still usable with the latest version (currently 7.6.2.2).

               

              Thanks.

               

              Br. Ales

              • 4. Re: ICAP Server

                It should work the same on 7.6.2. I use it every day.

                • 5. Re: ICAP Server
                  slizka

                  Great, thanks for the confirmation...