For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mandrake's avatar
Mandrake
Icon for Nimbostratus rankNimbostratus
Apr 28, 2014

Metascan ICAP

Hello Geeks,

 

I am trying to integrate metascan icap server with f5 to scan http uploads and allow/block based on that, unfortunately metascan is able to scan but unable to send the response back in required format, as i understand detected/clean info should be in one of the response headers.

 

In this case, it's in content.

 

So ideally can we have an irule which looks for certain string in content from icap server and take action ?(allow/block)

 

Any help is appreciated.

 

Thanks

 

application delivery
ASM Advanced WAF
deployment
devops
iRules
LTM
security

1 Reply

  • Mandrake's avatar
    Mandrake
    Icon for Nimbostratus rankNimbostratus
    Apr 28, 2014

    Following is the response from ICAP server:

     

    ICAP/1.0 201 Created Date: Tue, 25 Mar 2014 14:28:27 GMT ISTag: "09201403250945" Encapsulated: res-hdr=0, res-body=107 Server: Metascan/3700 Connection: close

     

    HTTP/1.1 403 Forbidden Date: Tue, 25 Mar 2014 14:28:27 GMT Pragma: no-cache Content-Type: text/html

     

     

    .

     

     

    .

    ..File blocked ..

    C:\Users\Administrator\Desktop\icap test\eicar.com - Copy.txt has been blocked by your administrator.s security policy because a threat (EICAR_Test) was detected by Metascan.

     

    ..

    Your administrator is using OPSWAT’s Metascan technology to scan downloads with multiple anti-malware engines. See additional ways Metascan can be used by trying the Metascan Client demo for scanning endpoint processes and files or the Metascan Online file scanning service.

     

    .