Using Kaspersky Scan Engine with F5 BIG-IP Application Security Manager

You can configure Kaspersky Scan Engine to work with F5 BIG-IP® Application Security Manager™ (hereinafter ASM). For convenience, this process is separated into several steps.

Step I. Configuring Kaspersky Scan Engine

To configure Kaspersky Scan Engine, do one of the following:

In the ICAP mode configuration file, set the value of the VirusNameICAPHeader element to X-Virus-ID.
In the Service page of Kaspersky Scan Engine GUI, set the value of the Detected object name HTTP header field to X-Virus-ID.

Step II. Configuring ASM

To configure ASM:

Log in to the Configuration utility.
Go to Security > Options > Application Security > Integrated Services > Anti-Virus Protection.

Anti-Virus Protection
In the Server Host Name/IP Address field, specify the IP address of the Kaspersky Scan Engine ICAP server.
In the Server Port Number field, specify the port of the Kaspersky Scan Engine ICAP server in or leave the default value of 1344.
Select the Guarantee Enforcement check box if you want the system to perform virus checking even if this may slow your web application.
Click Save.
To apply the security policy changes immediately, click Apply Policy.
Go to Security > Options > Application Security > Advanced Configuration > System Variables.
Configure the internal variables:
- In ASM 13.1.X - 16.X:
  1. For the icap_uri setting, enter /req in the Parameter Value setting. This is the default value in ReqModeAddress.
  2. For the virus_header_name setting, enter X-Virus-ID in the Parameter Value setting.
  3. Select Update.
- In ASM 11.X - 13.0.X:
  1. For the icap_uri setting, enter /req in the Parameter Value setting. This is the default value in ReqModeAddress.
  2. For the virus_header_name setting, enter X-Virus-ID.
  3. Select Save.

Configuring blocking of detected objects

To configure blocking of detected objects:

In ASM 13.1.X - 16.X:
1. Log in to the Configuration utility.
2. Go to Security > Application Security > Policy Building > Learning and Blocking Settings.
3. Set the view to Advanced.
4. Expand Antivirus (expand Antivirus Protection in versions earlier than 14.X) and select either or both of the Alarm and Block check boxes for the Virus Detected violation.
5. Click Save.
6. To activate the security policy changes immediately, select Apply Policy.
In ASM 12.X:
1. Log in to the Configuration utility.
2. Go to Security > Application Security > Policy Building > Learning and Blocking Settings.
3. Set the view to Advanced.
4. Expand Policy General Features and select either or both of the Alarm and Block check boxes for the Virus Detected violation.
5. Click Save.
6. To apply the security policy changes immediately, click Apply Policy.
In ASM 11.X:
1. Log in to the Configuration utility.
2. Go to Security > Application Security > Blocking.
3. Under Violations List, for Negative Security Violations select either or both of the Alarm and Block check boxes for the Virus Detected violation.
4. Click Save.
5. To activate the security policy changes immediately, click Apply Policy.

Configuring scanning of uploaded files and email attachments

To configure scanning of uploaded files and email attachments:

Go to Security > Application Security > Integrated Services > Anti-Virus Protection.
Select the relevant security policy from the list.
Select the Inspect file uploads within HTTP requests check box.
To scan SOAP attachments, move the relevant XML profiles from the Antivirus Protection Disabled list to the Antivirus Protection Enabled list.
Click Save.
To apply the security policy changes immediately, click Apply Policy.

Apply Policy

Reviewing the detect objects

To view reports on detected objects:

Log in to the Configuration utility.
Go to Security > Reporting > Application > Charts.
Select Top Viruses Detected in the charts list.
The system will display the detected viruses over time.

Page top