Verifying detection capabilities in ICAP mode
This section explains how to verify that Kaspersky Scan Engine works correctly in ICAP mode.
Verifying that Kaspersky Scan Engine detects malicious and phishing URLs correctly
To verify that Kaspersky Scan Engine detects malicious URLs correctly:
- Make sure that the directory with response templates contains the detect_req default template.
- Configure Kaspersky Scan Engine. Set the value of the RulesFilePath parameter to the directory that contains kavicapd_gui_rules.conf, the sample service rules file that is included in the distribution kit.
- Start the kavicapd service.
- Create a .txt file with the following content:
REQMOD icap://127.0.0.1/req ICAP/1.0
Host: 127.0.0.1
Encapsulated: req-hdr=0, null-body=112
GET /TesT/Wmuf_w HTTP/1.1
Host: www.bug.qainfo.ru
Accept: text/html, text/plain
Accept-Encoding: compress
Make sure that every line ends with CRLF, as required by RFC 2616.
This is a REQMOD GET ICAP request message.
This message requests a test page that does not contain any real malicious content.
- Save the file with an appropriate name. In the following example this file is named icap_reqmod_malicious_detect.txt.
- Send the message to the port that the kavicapd service listens on (port 1344 by default).
The exact method may vary depending on the operating system. This example shows how to send the message using netcat:
cat icap_reqmod_malicious_detect.txt | nc localhost 1344
The kavicapd service will answer with the modified message headers and a response message that shows information about the blocked URL.
- Verify that the test web page was blocked.
When the web page is blocked, the kavicapd service returns the detect_req HTML response template. The response template contains the following information about the blocked web page:
Mode: REQMOD
Object name:
Date: 2017-May-31 14:13:29.295710
ICAPD version: KL ICAP Service v1.0 (KAV SDK v8.5.1.83)
KAV SDK Version: KAV SDK v8.5.1.83
URL:
http://bug.qainfo.ru/TesT/Wmuf_w
- Create a .txt file with the following content:
REQMOD icap://127.0.0.1/req ICAP/1.0
Host: 127.0.0.1
Encapsulated: req-hdr=0, null-body=114
GET /TesT/Aphish_w HTTP/1.1
Host: www.bug.qainfo.ru
Accept: text/html, text/plain
Accept-Encoding: compress
- Save the file with an appropriate name. In the following example this file is named icap_reqmod_phishing_detect.txt.
- Send the message to the port that the kavicapd service listens on.
cat icap_reqmod_phishing_detect.txt | nc localhost 1344
- Verify that the test web page was blocked.
When the web page is blocked, the kavicapd service returns the detect_req HTML response template. The response template contains the following information about the blocked web page:
Mode: REQMOD
Object name:
Date: 2017-May-31 14:13:29.295710
ICAPD version: KL ICAP Service v1.0 (KAV SDK v8.5.1.83)
KAV SDK Version: KAV SDK v8.5.1.83
URL:
http://bug.qainfo.ru/TesT/Aphish_w
Verifying that Kaspersky Scan Engine detects malicious content in HTTP traffic correctly
To verify that Kaspersky Scan Engine detects malicious content in HTTP traffic correctly:
- Make sure that the directory with response templates contains the detect_req default template.
- Configure Kaspersky Scan Engine. Set the value of the RulesFilePath parameter to the directory that contains kavicapd_gui_rules.conf, the sample service rules file that is included in the distribution kit.
- Start the kavicapd service.
- Create a .txt file with the following content:
REQMOD icap://127.0.0.1/req?arg=87 ICAP/1.0
Host: 127.0.0.1
Encapsulated: req-hdr=0, req-body=155
POST /origin-resource/form.pl HTTP/1.1
Host: www.origin-server.example.com
Accept: text/html, text/plain
Accept-Encoding: compress
Pragma: no-cache
44
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
0
Make sure that every line ends with CRLF, as required by RFC 2616.
This is a REQMOD POST ICAP request message.
This message contains EICAR Standard Anti-Virus Test File. The EICAR Standard Anti-Virus Test File is not a virus and is often used for testing anti-virus software. For more information about EICAR, see section "About EICAR Standard Anti-Virus Test File".
- Save the file with an appropriate name. In the following example this file is named icap_reqmod_detect.txt.
- Send the message to the port that the kavicapd service listens on (port 1344 by default).
The exact method may vary depending on the operating system. This example shows how to send the message using netcat:
cat icap_reqmod_detect.txt | nc localhost 1344
The kavicapd service will answer with the modified message headers and a response message that shows information about the detected object.
- Verify that EICAR Standard Anti-Virus Test File was detected.
When the EICAR file is detected, the kavicapd service returns the detect_req HTML response template. The response template contains the following information about the detected object:
Mode: REQMOD
Object name: EICAR-Test-File
Date: 2017-May-31 14:17:12.077704
ICAPD version: KL ICAP Service v1.0 (KAV SDK v8.5.1.83)
KAV SDK Version: KAV SDK v8.5.1.83
URL: www.origin-server.example.com/origin-resource/form.pl
Verifying that File and URL Reputation Checking works correctly
To verify that File and URL Reputation Checking works correctly:
- Request the KSN test file from your Technical Account Manager. This file is not malicious, and is only used to verify that File and URL Reputation Checking works properly.
- Make sure that the directory with response templates contains the detect_req default template.
- Configure Kaspersky Scan Engine:
  - Set the value of the RulesFilePath parameter to the directory that contains kavicapd_gui_rules.conf, the sample service rules file that is included in the distribution kit.
  - Make sure that the UseKSN parameter is set to 0.
  - Set the value of the
- Start the kavicapd service.
- Create a .txt file with the following content:
REQMOD icap://127.0.0.1/req?arg=87 ICAP/1.0
Host: 127.0.0.1
Encapsulated: req-hdr=0, req-body=155
POST /origin-resource/form.pl HTTP/1.1
Host: www.origin-server.example.com
Accept: text/html, text/plain
Accept-Encoding: compress
Pragma: no-cache
- Below the content you added to the .txt file, insert a new line.
- Below the new line, insert the contents of the KSN test file.
Make sure that every line ends with CRLF, as required by RFC 2616.
- Save the file with an appropriate name. In the following example this file is named icap_reqmod_detect_ksn.txt.
- Send the message to the port that the kavicapd service listens on (port 1344 by default).
The exact method may vary depending on the operating system. This example shows how to send the message by using the netcat utility:
cat icap_reqmod_detect_ksn.txt | nc localhost 1344
- Verify that the KSN test file is not detected.
- Set the value of the UseKSN parameter of the ICAP mode configuration file to 1.
- Restart the kavicapd service.
- Send icap_reqmod_detect_ksn.txt to the kavicapd service again.
- Verify that the KSN test file is detected.
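The message files used in the three procedures above share one shape: an ICAP REQMOD header block, an Encapsulated header whose offset (112, 114 or 155 bytes) must equal the byte length of the encapsulated HTTP request including its terminating blank line, and, for the EICAR and KSN checks, a chunked request body. Hand-counting those offsets is the usual source of a malformed test message. The following Python script is an added example, not part of the Kaspersky Scan Engine distribution or of this documentation: it builds each message with CRLF line endings, computes the Encapsulated offsets from the actual bytes, writes the .txt files named in the procedures, and can send them to kavicapd. The function names, the file-writing helper and the KSN placeholder body are the example's own assumptions; the host and port (127.0.0.1:1344) are the documented defaults.

```python
"""Build, write and send the ICAP REQMOD test messages from this section.

Added example, not Kaspersky Scan Engine code. Assumes kavicapd listens on
127.0.0.1:1344 (the documented default) and that the encapsulated HTTP request
is small enough to be sent as a single chunk.
"""
import socket

CRLF = "\r\n"
CRLF_B = b"\r\n"
ICAP_HOST = "127.0.0.1"
ICAP_PORT = 1344

# EICAR Standard Anti-Virus Test File: 68 bytes, which is 0x44 in the chunk size line.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_reqmod(http_request_lines, body=None, icap_uri="icap://127.0.0.1/req"):
    """Return a complete REQMOD message as bytes with CRLF line endings.

    http_request_lines: the encapsulated HTTP request line and headers.
    body: optional request body (str or bytes); sent with chunked encoding, so
    the Encapsulated header uses req-body instead of null-body.
    The offsets are computed from the encoded bytes, not typed by hand.
    """
    req_hdr = (CRLF.join(http_request_lines) + CRLF + CRLF).encode("ascii")
    if body is None:
        encapsulated = f"req-hdr=0, null-body={len(req_hdr)}"
        payload = req_hdr
    else:
        data = body if isinstance(body, bytes) else body.encode("utf-8")
        encapsulated = f"req-hdr=0, req-body={len(req_hdr)}"
        # One chunk: hex size line, data, then the zero-length terminating chunk.
        payload = (req_hdr + f"{len(data):x}".encode("ascii") + CRLF_B
                   + data + CRLF_B + b"0" + CRLF_B + CRLF_B)
    icap_hdr = CRLF.join([
        f"REQMOD {icap_uri} ICAP/1.0",
        f"Host: {ICAP_HOST}",
        f"Encapsulated: {encapsulated}",
    ]) + CRLF + CRLF
    return icap_hdr.encode("ascii") + payload


URL_REQUEST_TAIL = ["Host: www.bug.qainfo.ru", "Accept: text/html, text/plain",
                    "Accept-Encoding: compress"]
POST_REQUEST = ["POST /origin-resource/form.pl HTTP/1.1",
                "Host: www.origin-server.example.com",
                "Accept: text/html, text/plain", "Accept-Encoding: compress",
                "Pragma: no-cache"]


def malicious_url_message():
    """Message for icap_reqmod_malicious_detect.txt (null-body=112)."""
    return build_reqmod(["GET /TesT/Wmuf_w HTTP/1.1"] + URL_REQUEST_TAIL)


def phishing_url_message():
    """Message for icap_reqmod_phishing_detect.txt (null-body=114)."""
    return build_reqmod(["GET /TesT/Aphish_w HTTP/1.1"] + URL_REQUEST_TAIL)


def eicar_post_message(body=EICAR):
    """Message for icap_reqmod_detect.txt (req-body=155). Pass the KSN test file
    contents as body to produce icap_reqmod_detect_ksn.txt instead."""
    return build_reqmod(POST_REQUEST, body=body, icap_uri="icap://127.0.0.1/req?arg=87")


def encapsulated_offsets(message):
    """Parse the Encapsulated header of an ICAP message into a dict of offsets."""
    head = message.split(b"\r\n\r\n", 1)[0].decode("ascii")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "encapsulated":
            return {k.strip(): int(v) for k, v in
                    (item.split("=") for item in value.split(","))}
    return {}


def icap_status(response):
    """Return the numeric status from an ICAP response's first line."""
    status_line = response.split(CRLF_B, 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    return int(parts[1])


def send_icap(message, host=ICAP_HOST, port=ICAP_PORT, timeout=10.0):
    """Send one ICAP message to kavicapd and return the raw response bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(message)
        sock.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Write the files in binary mode so the CRLF line endings are preserved.
    for name, msg in [("icap_reqmod_malicious_detect.txt", malicious_url_message()),
                      ("icap_reqmod_phishing_detect.txt", phishing_url_message()),
                      ("icap_reqmod_detect.txt", eicar_post_message())]:
        with open(name, "wb") as fh:
            fh.write(msg)
        print(name, encapsulated_offsets(msg))
```

Writing the files in binary mode matters: a text editor that saves LF-only line endings silently changes every offset and produces the "malformed request" failures that the CRLF reminder in each procedure warns about. To reproduce the KSN check, call `eicar_post_message(body=open("ksn_test_file", "rb").read())` with the file obtained from your Technical Account Manager (path is a placeholder), and run `send_icap()` once with UseKSN set to 0 and once with it set to 1.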