This section explains how to verify that Kaspersky Scan Engine works correctly in ICAP mode.
Verifying that Kaspersky Scan Engine detects malicious and phishing URLs correctly
To verify that Kaspersky Scan Engine detects malicious URLs correctly:
1. Set the RulesFilePath parameter to the directory that contains kavicapd_gui_rules.conf, a sample service rules file that is included in the distribution kit.
2. Save the following ICAP request message to a file named icap_reqmod_malicious_detect.txt:

REQMOD icap://127.0.0.1/req ICAP/1.0
Host: 127.0.0.1
Encapsulated: req-hdr=0, null-body=112

GET /TesT/Wmuf_w HTTP/1.1
Host: www.bug.qainfo.ru
Accept: text/html, text/plain
Accept-Encoding: compress

Make sure that every line ends with CRLF, as required by RFC 2616.
This is a REQMOD GET ICAP request message. It requests a test page that does not contain any real malicious content.
3. Send the message to the kavicapd service. The exact method may vary depending on the operating system. This example shows how to send the message using netcat:

cat icap_reqmod_malicious_detect.txt | nc localhost 1344

The kavicapd service will answer with the modified message headers and a response message that shows information about the blocked URL.
When the web page is blocked, the kavicapd service returns the detect_req HTML response template. The response template contains the following information about the blocked web page:

Mode: REQMOD
Object name:
Date: 2017-May-31 14:13:29.295710
ICAPD version: KL ICAP Service v1.0 (KAV SDK v8.5.1.83)
KAV SDK Version: KAV SDK v8.5.1.83
URL:

To verify that Kaspersky Scan Engine detects phishing URLs correctly, repeat the procedure with the following ICAP request message saved to a file named icap_reqmod_phishing_detect.txt:

REQMOD icap://127.0.0.1/req ICAP/1.0
Host: 127.0.0.1
Encapsulated: req-hdr=0, null-body=114

GET /TesT/Aphish_w HTTP/1.1
Host: www.bug.qainfo.ru
Accept: text/html, text/plain
Accept-Encoding: compress

Send the message to the kavicapd service, for example using netcat:

cat icap_reqmod_phishing_detect.txt | nc localhost 1344

When the web page is blocked, the kavicapd service returns the detect_req HTML response template. The response template contains the following information about the blocked web page:

Mode: REQMOD
Object name:
Date: 2017-May-31 14:13:29.295710
ICAPD version: KL ICAP Service v1.0 (KAV SDK v8.5.1.83)
KAV SDK Version: KAV SDK v8.5.1.83
URL:
Verifying that Kaspersky Scan Engine detects malicious content in HTTP traffic correctly
To verify that Kaspersky Scan Engine detects malicious content in HTTP traffic correctly:
1. Set the RulesFilePath parameter to the directory that contains kavicapd_gui_rules.conf, a sample service rules file that is included in the distribution kit.
2. Save the following ICAP request message to a file named icap_reqmod_detect.txt:

REQMOD icap://127.0.0.1/req?arg=87 ICAP/1.0
Host: 127.0.0.1
Encapsulated: req-hdr=0, req-body=155

POST /origin-resource/form.pl HTTP/1.1
Host: www.origin-server.example.com
Accept: text/html, text/plain
Accept-Encoding: compress
Pragma: no-cache

44
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
0

Make sure that every line ends with CRLF, as required by RFC 2616.
This is a REQMOD POST ICAP request message. The HTTP body is sent with chunked transfer encoding: the chunk size line (44, hexadecimal for 68 bytes) is followed by the chunk data and then by the terminating zero-length chunk.
This message contains the EICAR Standard Anti-Virus Test File. The EICAR Standard Anti-Virus Test File is not a virus and is often used for testing anti-virus software. For more information about EICAR, see section "About EICAR Standard Anti-Virus Test File".
3. Send the message to the kavicapd service. The exact method may vary depending on the operating system. This example shows how to send the message using netcat:

cat icap_reqmod_detect.txt | nc localhost 1344

The kavicapd service will answer with the modified message headers and a response message that shows information about the detected object.
When the EICAR file is detected, the kavicapd service returns the detect_req HTML response template. The response template contains the following information about the detected object:

Mode: REQMOD
Object name: EICAR-Test-File
Date: 2017-May-31 14:17:12.077704
ICAPD version: KL ICAP Service v1.0 (KAV SDK v8.5.1.83)
KAV SDK Version: KAV SDK v8.5.1.83
URL: www.origin-server.example.com/origin-resource/form.pl
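As an added example (not part of the Kaspersky documentation), the following Python script builds the REQMOD messages used in the URL and EICAR checks above. It derives the Encapsulated null-body or req-body offset and the chunked body from the actual header bytes, so a missing CRLF or a stale offset after editing a header line cannot creep in, and it can send the result to kavicapd on port 1344. The host, port, service path and request lines are those from the page; send_icap is a helper written for this example and is only invoked when the script is run directly.

```python
import socket

CRLF = "\r\n"
# EICAR test string, exactly as in the page's REQMOD POST message (68 bytes = 0x44).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def chunked(body: bytes) -> bytes:
    """Encode body as one HTTP/1.1 chunk followed by the terminating zero-length chunk."""
    return b"%x" % len(body) + b"\r\n" + body + b"\r\n0\r\n\r\n"


def build_reqmod(http_request_lines, body=None, icap_host="127.0.0.1", service="req", query=""):
    """Build a REQMOD ICAP message. The Encapsulated offset is the real byte length of the
    encapsulated HTTP header block (CRLF line endings plus the empty line that ends it),
    so it cannot go stale when a header line is edited."""
    req_hdr = (CRLF.join(http_request_lines) + CRLF + CRLF).encode("ascii")
    if body is None:
        encapsulated = f"req-hdr=0, null-body={len(req_hdr)}"
        payload = req_hdr
    else:
        encapsulated = f"req-hdr=0, req-body={len(req_hdr)}"
        payload = req_hdr + chunked(body)
    icap_hdr = (f"REQMOD icap://{icap_host}/{service}{query} ICAP/1.0" + CRLF
                + f"Host: {icap_host}" + CRLF
                + f"Encapsulated: {encapsulated}" + CRLF + CRLF).encode("ascii")
    return icap_hdr + payload


def icap_status(response: bytes) -> int:
    """Return the numeric status code from the ICAP status line (for example 200 or 204)."""
    return int(response.split(b"\r\n", 1)[0].split()[1])


def send_icap(message: bytes, host="localhost", port=1344, timeout=10) -> bytes:
    """Send one ICAP message to kavicapd and collect the reply until the peer closes or idles."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(message)
        parts = []
        while True:
            try:
                data = sock.recv(65536)
            except socket.timeout:
                break
            if not data:
                break
            parts.append(data)
    return b"".join(parts)


if __name__ == "__main__":
    msg = build_reqmod(["POST /origin-resource/form.pl HTTP/1.1", "Host: www.origin-server.example.com",
                        "Accept: text/html, text/plain", "Accept-Encoding: compress", "Pragma: no-cache"],
                       body=EICAR, query="?arg=87")
    print("ICAP status:", icap_status(send_icap(msg)))
```

The GET messages from the URL checks are built the same way with body=None, which yields null-body=112 and null-body=114 for the two test paths.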
Verifying that File and URL Reputation Checking works correctly
To verify that File and URL Reputation Checking works correctly:
1. Set the RulesFilePath parameter to the directory that contains kavicapd_gui_rules.conf, a sample service rules file that is included in the distribution kit.
2. Make sure that the UseKSN parameter is set to 0.
3. Save the following ICAP request message to a file named icap_reqmod_detect_ksn.txt:

REQMOD icap://127.0.0.1/req?arg=87 ICAP/1.0
Host: 127.0.0.1
Encapsulated: req-hdr=0, req-body=155

POST /origin-resource/form.pl HTTP/1.1
Host: www.origin-server.example.com
Accept: text/html, text/plain
Accept-Encoding: compress
Pragma: no-cache

Make sure that every line ends with CRLF, as required by RFC 2616.
4. Send the message to the kavicapd service. The exact method may vary depending on the operating system. This example shows how to send the message by using the netcat utility:

cat icap_reqmod_detect_ksn.txt | nc localhost 1344

5. Set the UseKSN parameter of the ICAP mode configuration file to 1.