This section describes the recommended settings for Kaspersky Scan Engine in ICAP mode.
If you use the Kaspersky Scan Engine GUI, specify the recommended parameters as described in the table below.
Recommended settings for ICAP mode in the Kaspersky Scan Engine GUI
Settings in the Kaspersky Scan Engine GUI | Recommended settings |
---|---|
Service > Processes | Equal to the number of processor cores |
Service > Threads | Twice the value of |
Service > Sessions | See the description of |
Service > Partial mode | On |
Service > Delay | 10 |
Service > Chunk size | 4 |
Service > Prevent re-downloading | On |
Service > Maximum cache size | 5000 |
Service > Lifetime for blocked URLs | 1800 |
Service > Keep-alive | See the description of |
Scanning > Skip large objects | On; 10343 KB (10.1 MB). Get an updated value from your TAM at least once a year. |
Scanning > Types of files to scan | Select the checkboxes: |
Scanning > Heuristic analysis level | Low |
Scanning > Object scan timeout | 10000 (10 seconds) |
Scanning > Maximum depth | 5 |
Scanning > Scan scope in Request mode | URL (scans only the requested URLs) |
Scanning > Scan scope in Response mode | Files |
Scanning > Enable reputation checking | See the description of |
If you do not use the Kaspersky Scan Engine GUI, specify the recommended parameters in the kavicapd.xml configuration file as described in the table below.
Recommended settings for ICAP mode in the configuration file
Parameter in kavicapd.xml | Recommended settings |
---|---|
ScannersCount | Equal to the number of processor cores |
ThreadsCount | Twice the value of |
MaxIcapSessionsCount | See the description of |
QueueLen | |
RAMUsageLimit | |
ScanMaxFileSize | 10343 KB (10.1 MB). Get an updated value from your TAM at least once a year. |
ScanningMode | Specify the flags: |
ScanTimeout | 10000 (10 seconds) |
MaxArchivesScanningDepth | 5 |
ScanInReqMode | |
ScanInRespMode | |
TransferBeforeScanEnding | |
Delay (attribute of TransferBeforeScanEnding) | 10 |
ChunkSize (attribute of TransferBeforeScanEnding) | 4 |
BlockedUrlCacheEnabled (attribute of TransferBeforeScanEnding) | 1 |
BlockedUrlCacheKb (attribute of TransferBeforeScanEnding) | 5000 |
BlockedUrlCacheTtlSec (attribute of TransferBeforeScanEnding) | 1800 |
UseKSN | See the description of |
KeepAliveSettings | See the description of |
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Processes.
The recommended number of scanning processes is equal to the number of processor cores. For example, if Kaspersky Scan Engine is running on a computer with a 4-core processor, set ScannersCount to 4.
See also the subsection "Example of Kaspersky Scan Engine work in ICAP mode depending on the ScannersCount, ThreadsCount, QueueLen, and MaxIcapSessionsCount settings."
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Threads.
The recommended number of scanning threads depends on the number of scanning processes specified in ScannersCount: the value of ThreadsCount is twice the value of ScannersCount. For example, if Kaspersky Scan Engine is running on a computer with a 4-core processor and ScannersCount is set to 4, set ThreadsCount to 8.
See also the subsection "Example of Kaspersky Scan Engine work in ICAP mode depending on the ScannersCount, ThreadsCount, QueueLen, and MaxIcapSessionsCount settings."
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Sessions.
When specifying the maximum number of simultaneous connections to Kaspersky Scan Engine, consider the following:
ThreadsCount).
QueueLen).
This means that the greater the number of active connections, the faster all scanning threads become occupied and, as a result, the longer the queue of scan tasks.
The recommended MaxIcapSessionsCount value is:
ScannersCount value.
ThreadsCount value.
See also the subsection "Example of Kaspersky Scan Engine work in ICAP mode depending on the ScannersCount, ThreadsCount, QueueLen, and MaxIcapSessionsCount settings."
The length of the scan task queue must not be less than the number of scanning threads (ThreadsCount). Otherwise, some scanning threads will never be in use.
Since scan tasks are enqueued from all open sessions, it is necessary to consider the MaxIcapSessionsCount value. The scan task queue must not be less than MaxIcapSessionsCount. Otherwise, some clients will receive a 503 - Service overloaded error when trying to open a session.
The recommended QueueLen value is:
ThreadsCount value.
MaxIcapSessionsCount value.
See also the subsection "Example of Kaspersky Scan Engine work in ICAP mode depending on the ScannersCount, ThreadsCount, QueueLen, and MaxIcapSessionsCount settings."
If Kaspersky Scan Engine receives a lot of large objects to scan or a lot of simultaneous requests, the program can frequently stop request processing due to excessive consumption of system memory. When request processing stops, Kaspersky Scan Engine writes one of the following messages to the log file: "Can't accept request: Not enough memory!" or "Can't accept new request: Not enough memory!" The clients receive the 503 - Service overloaded error message.
We recommend that you limit the maximum amount of system memory to prevent its excessive consumption. When this limit is exceeded, Kaspersky Scan Engine stops scanning objects.
The recommended RAMUsageLimit value:
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Skip large objects.
When specifying the maximum size of a file that Kaspersky Scan Engine can scan, consider the RAMUsageLimit value: ScanMaxFileSize must not be greater than RAMUsageLimit. To improve Kaspersky Scan Engine performance, set ScanMaxFileSize to 10343 KB (10.1 MB). This is the recommended value because it is sufficient to detect most malware.
If you have followed the recommendation above, we also recommend consulting with your Technical Account Manager (TAM) once a year to get an updated recommended value, as the average malware size changes from year to year.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Types of files to scan and Settings > Scanning > Heuristic analysis level.
The recommended value for ScanningMode is the following:
KAV_O_M_PACKED | KAV_O_M_ARCHIVED | KAV_O_M_MAILPLAIN | KAV_O_M_MAILBASES | KAV_O_M_HEURISTIC_LEVEL_SHALLOW
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Object scan timeout.
The recommended value for ScanTimeout is 10000 (10 seconds).
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Maximum depth.
We recommend that you limit the maximum depth of nested archives to be unpacked during scanning. The recommended value for MaxArchivesScanningDepth is 5.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Scan scope in Request mode.
The recommended value for ScanInReqMode is URL. If this value is specified, Kaspersky Scan Engine scans only the requested URLs.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Scan scope in Response mode.
The recommended value for ScanInRespMode is Content. If this value is specified, Kaspersky Scan Engine scans the HTTP message body.
This parameter in the Kaspersky Scan Engine GUI: Settings > Service, the Partial mode block of settings.
This parameter prevents the client from interrupting the connection to the proxy server due to a timeout. This may happen when a client sends a large object to scan and cannot wait for the scanned object to be received.
The recommended value for TransferBeforeScanEnding is 1 (enable). It is also recommended to use the default attributes:
Delay: 10
ChunkSize: 4. The value must be at least several times less than ScanMaxFileSize (see above).
BlockedUrlCacheEnabled: 1
BlockedUrlCacheKb: 5000
BlockedUrlCacheTtlSec: 1800
See also the detailed description of these attributes.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Enable reputation checking.
We recommend enabling the use of data from KSN (Kaspersky Security Network). This provides faster responses to threats, improves the performance of some protection components, and reduces the likelihood of false positives.
To enable KSN, set UseKSN to 1.
If KSN is enabled, it is also recommended to enable Phishing Protection in one of the following ways:
KAV_O_M_PHISHING flag.
Phishing Protection is useful when Kaspersky Scan Engine checks URLs.
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Keep-alive.
We recommend enabling Keep-Alive. When Keep-Alive is enabled, Kaspersky Scan Engine maintains a persistent connection even after the request has been processed and the session timed out. This gives the following advantages:
Keep-Alive is especially useful for HTTPS connections that require more CPU time and more client-server interactions.
To enable Keep-Alive, set the Enabled element in KeepAliveSettings to 1.
To determine the values for TimeoutMs and MaxRequests, estimate the number of clients and the number of requests from clients.
For example, you have estimated that the maximum number of clients is 50, so you set MaxIcapSessionsCount to 50. If TimeoutMs and MaxRequests are unlimited, and all 50 clients send requests continuously, Kaspersky Scan Engine maintains connections with these 50 clients without limits. As a result, new connections cannot be established.
Another example: you have estimated that the maximum number of clients is 50, so you set MaxIcapSessionsCount to 50. You have also estimated that the maximum number of requests from one client is 15, so you set MaxRequests to 15. If you did not set the limit for TimeoutMs, and clients do not send 15 requests, Kaspersky Scan Engine maintains connections with these 50 clients without limits, so new connections cannot be established.
Example of Kaspersky Scan Engine work in ICAP mode depending on the ScannersCount, ThreadsCount, QueueLen, and MaxIcapSessionsCount settings
Let's say Kaspersky Scan Engine is installed on a computer with four CPU cores, there are 140 simultaneous connections to this computer, and Kaspersky Scan Engine is configured as follows:
In this case:
429: Too many requests.
If the QueueLen value limits the queue length to less than 200 tasks, the rest of the clients will receive the error 500 - Internal Server Error.
If 500: Internal Server Error is returned to the client, it may mean that the queue length limit specified in QueueLen has been reached. In this case, you can do one of the following:
Decrease MaxIcapSessionsCount. Before decreasing MaxIcapSessionsCount, evaluate your solution scalability needs. If MaxIcapSessionsCount is decreased, all clients over the number specified in MaxIcapSessionsCount will be unable to create a session and will receive the error 429: Too many requests.
Increase QueueLen. Before increasing QueueLen, evaluate your solution scalability needs. If QueueLen is too large and the bandwidth is low, the request processing time can increase so much that the client is disconnected before Kaspersky Scan Engine finishes processing the request.
If 503: Service overloaded is returned to the client, it may mean that the system memory consumption limit has been reached while the request was being processed (the log contains the record Not enough memory). In this case, increase the RAMUsageLimit value.
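
The sizing rules for ScannersCount, ThreadsCount, QueueLen and MaxIcapSessionsCount and the Keep-Alive limits discussed above can be checked before a configuration is deployed. The following is an added example, not part of the Kaspersky documentation or product: check_icap_sizing and the dict layout are hypothetical, the sample values are constructed, and it assumes the values have already been read from kavicapd.xml and that an absent Keep-Alive limit means "unlimited".

```python
import os

def check_icap_sizing(cfg, cpu_cores=None):
    """Return (parameter, finding) pairs for values that break the rules above.

    cfg is a plain dict keyed by the parameter names used on this page.
    Loading kavicapd.xml into that dict is left to the caller (assumption).
    """
    cores = cpu_cores or os.cpu_count() or 1
    scanners, threads = cfg["ScannersCount"], cfg["ThreadsCount"]
    sessions, queue = cfg["MaxIcapSessionsCount"], cfg["QueueLen"]
    out = []
    if scanners != cores:
        out.append(("ScannersCount", f"is {scanners}, recommended {cores} (one per core)"))
    if threads != 2 * scanners:
        out.append(("ThreadsCount", f"is {threads}, recommended {2 * scanners}"))
    if queue < threads:
        out.append(("QueueLen", "below ThreadsCount: some scanning threads are never used"))
    if queue < sessions:
        out.append(("QueueLen", "below MaxIcapSessionsCount: clients get errors when it fills"))
    keep_alive = cfg.get("KeepAliveSettings", {})
    if keep_alive.get("Enabled") == 1:
        # Assumption: a limit that is absent (None) is treated as "unlimited".
        for name in ("TimeoutMs", "MaxRequests"):
            if keep_alive.get(name) is None:
                out.append((f"KeepAliveSettings.{name}",
                            "unlimited: clients can hold every session, blocking new ones"))
    return out

# Constructed sample configurations for a 4-core host.
GOOD = {"ScannersCount": 4, "ThreadsCount": 8, "MaxIcapSessionsCount": 50,
        "QueueLen": 50,
        "KeepAliveSettings": {"Enabled": 1, "TimeoutMs": 5000, "MaxRequests": 15}}
BAD = {"ScannersCount": 4, "ThreadsCount": 4, "MaxIcapSessionsCount": 140,
       "QueueLen": 100,
       "KeepAliveSettings": {"Enabled": 1, "TimeoutMs": None, "MaxRequests": 15}}

if __name__ == "__main__":
    for param, finding in check_icap_sizing(BAD, cpu_cores=4):
        print(f"{param}: {finding}")
```
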