DataPower

How to scan attachments using an ICAP service

By Hermanni Pernaa posted Wed October 30, 2024 07:01 AM

As many of you know, it is possible to add an antivirus scan as part of your DataPower processing logic. Although there is a ready-made action in the processing policy editor, you cannot get very far with it on its own, because DataPower does not perform the scan itself. What you need is an ICAP service endpoint that can scan the files DataPower is processing.

Let's consider this simple example flow:

DataPower polls an SFTP server, fetches any zip files, adds the files as attachments to a multipart message and sends the attachments for scanning before forwarding the final multipart message to the backend application server. This kind of flow can be achieved using, for example, the following processing rule:
As the ICAP server we are using SquidClamav with C-ICAP running on a separate Linux server, so let's verify the antivirus action config.
In our case the input for the action is a custom context named MULTIPART_OUTPUT, which is the context DataPower uses to send out the message. We want to scan all the attachments using the remote ClamAV server, which corresponds to the config shown. And last but not least, if a virus is found we simply want to reject the transaction.
Now that we have verified the ICAP action parameters, let's test the setup. The SFTP poller is set to look for any zip files, so let's drop a simple zipped text file into the input folder.
DataPower retrieves the zip file and starts processing it. From the probe view we can see the ICAP send activity as shown below:
From the response nodeset we can see that the ICAP server has processed the file and no virus was found, because we receive a 200 OK response.
We can also see the multipart message reaching the backend application server successfully in the server debug view.
OK! That was the happy case. What if we encounter an infected file? Let's test this scenario with the EICAR test file. I have downloaded the text file version of EICAR and zipped it into a normal zip file, which can be dropped into the input folder as shown below.
DataPower picks up the file for processing, and now we can see from the probe that the transaction has failed (the red color indicates failure).
Further inspection of the transaction details shows that processing stopped at the Antivirus action.
From the antivirus action execution trace we can verify why the transaction was terminated.
From the ICAP response headers we can see that the ClamAV scan found the EICAR test signature inside the zip file, and thus the transaction was rejected.
This can also be verified from the HTTP server debug view, which shows no request being received, and from the failure response returned by DataPower to the SFTP server input folder.
The contents of eicar.zip.result also indicate the reason for the failed processing:
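To make the two outcomes above concrete (the 200 OK reply for the clean file, and the reply whose headers report the EICAR hit), here is an added example, not part of this post or of DataPower itself: a small Python ICAP client that wraps one attachment in a RESPMOD request the way the antivirus action does and turns the reply into a verdict. The host, port, service name and sample attachment bytes are placeholders, and the X-Infection-Found / X-Virus-ID header names are the ones c-icap/SquidClamav set; treat them as assumptions for any other ICAP server.

```python
import socket

ICAP_HOST = "icap.example.internal"  # assumed c-icap/SquidClamav host (placeholder)
ICAP_PORT = 1344                      # default ICAP port
ICAP_SERVICE = "squidclamav"          # assumed service name on the c-icap server

# Constructed stand-in for a zipped attachment body (not a real zip file).
SAMPLE_ATTACHMENT = b"PK\x03\x04constructed-sample-bytes"

def build_respmod_request(payload: bytes, filename: str) -> bytes:
    """Wrap one attachment in an ICAP RESPMOD request, the kind of message an
    ICAP client such as the DataPower antivirus action sends per attachment."""
    http_res = (b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n"
                b'Content-Disposition: attachment; filename="' + filename.encode() + b'"\r\n'
                b"Content-Length: " + str(len(payload)).encode() + b"\r\n\r\n")
    icap_hdr = (b"RESPMOD icap://" + ICAP_HOST.encode() + b"/" + ICAP_SERVICE.encode()
                + b" ICAP/1.0\r\nHost: " + ICAP_HOST.encode() + b"\r\nAllow: 204\r\n"
                b"Encapsulated: res-hdr=0, res-body=" + str(len(http_res)).encode() + b"\r\n\r\n")
    # ICAP encapsulated bodies are always chunked: one data chunk plus the zero chunk.
    body = b"%x\r\n" % len(payload) + payload + b"\r\n0\r\n\r\n"
    return icap_hdr + http_res + body

def parse_icap_response(raw: bytes):
    """Return (status_code, lower-cased header dict) from an ICAP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(status: int, headers: dict) -> str:
    """Verdict as the post describes it: a 200/204 reply with no infection header
    is clean; X-Infection-Found / X-Virus-ID (set by c-icap/SquidClamav) means reject."""
    if "x-infection-found" in headers or "x-virus-id" in headers:
        return "infected"
    return "clean" if status in (200, 204) else "error"

def scan_attachment(payload: bytes, filename: str) -> str:
    """Send one attachment to the ICAP server and return the verdict."""
    with socket.create_connection((ICAP_HOST, ICAP_PORT), timeout=10) as conn:
        conn.sendall(build_respmod_request(payload, filename))
        raw = b""
        while b"\r\n\r\n" not in raw and (chunk := conn.recv(4096)):  # read headers
            raw += chunk
    return classify(*parse_icap_response(raw))
```

Anything other than a clean verdict should fail the transaction, which is exactly what the "reject" setting on the action does for you.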
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
	<env:Body>
		<env:Fault>
			<faultcode>env:Client</faultcode>
			<faultstring>Virus Found (from client)</faultstring>
		</env:Fault>
	</env:Body>
</env:Envelope>
All done!
This simple example demonstrated the basic functionality of the DataPower antivirus action, which cooperates with an antivirus server via the ICAP protocol. I hope this helps you understand the setup and how the action actually works.

#IBMChampion