Custom HTML page for ASM Virus Detection - ICAP
Hello Folks, One of customers is using KasperSky Proxy server as an ICAP integration with ASM. (Running on 11.3.0 HF8). Which is working well, and ICAP is detecting malicious and legitimate file well. Now the requirement comes as to display a custom HTML page when ASM detects a Virus based on ICAP confirmation. I have tried creating an iRule by taking help from DecCentral, and made something as following. when ASM_REQUEST_BLOCKING { set x [ASM::violation_data] for {set i 0} { $i < 7 } {incr i} { switch $i { 0 { log local0. "violation=[lindex $x $i]" } 1 { log local0. "support_id=[lindex $x $i]" } 2 { log local0. "web_application=[lindex $x $i]" } 3 { log local0. "severity=[lindex $x $i]" } 4 { log local0. "source_ip=[lindex $x $i]" } 5 { log local0. "attack_type=[lindex $x $i]" } 6 { log local0. "request_status=[lindex $x $i]" } }} if {([lindex $x 5] contains "ATTACK_TYPE_MALICIOUS_FILE_UPLOAD")} { HTTP::header remove Content-Length HTTP::header insert header_1 value_1 set response "Apology PageWe are sorry,\ but the site you are looking for is temporarily out of service\ If you feel you have reached this page in error, please try again." ASM::payload replace 0 [ASM::payload length] "" ASM::payload replace 0 0 $response } } However it seems that iRule is not triggering at all. Any idea what I am missing here? Thank you, Darshan
Remiediate Antivirus on devices that fail APM AV policy check
I am implementing APM for external device connections one of the checks is Antivirus. If the device is a corporate device I want to automate the updating of the antivirus files as much as is possible. The denominator between Corp and BYOD is a certificate. If a cert is identified can the device be directed to an Web server service on an internal (or DMZ) AV server that will provide a link to click to start the updates or start an exe/msi/pkg to push the files??? If the device is not corporate then they will be directed to a web page that explains that they have to fix it them selves :).
Upload not send to ICAP ASM V10.2.4
We are running BIG-IP 10.2.4 Build 817.61 Engineering Hotfix HF7 I'm using an ASM policy (match on a specific uri) to send uploads to the icap service. The traffic is hitting the policy, but with tcpdump is notice no requests are send to the icap service. It is configured in option>antivirus protection. In V11 there's a seperate option in a specific policy to activate it, but this is absent in 10.2. I've read you just have to configure it in poliyc>blocking>settings and tick alle the boxes for "Virus detected". Am i missing something? I think i do, but do not know what it is.
