Enabling or disabling real-time scanning of ICAP traffic

You can enable or disable real-time scanning of ICAP traffic if integration with a proxy server via ICAP is enabled.

If real-time scanning of ICAP traffic is enabled, Kaspersky Anti Targeted Attack Platform sends information about scanned objects to the ICAP client in real time. This helps prevent downloading malicious objects and clicking untrusted links.

To enable or disable real-time scanning of ICAP traffic on a server with the Central Node and Sensor components installed:

  1. Select the Sensor servers section in the window of the application web interface.

    The Server list table will be displayed.

  2. Click the localhost Sensor component.
  3. Select the ICAP integration with proxy server section.

    When integration is enabled in the Settings > <Sensor server name>, the Real-time scanning section is displayed.

  4. Under Real-time scanning, select one of the following options:
    • Disabled.

      If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.

    • Enabled, standard ICAP traffic scanning.

      When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules. The files remain available while they are being scanned by the Sandbox component.

    • Enabled, advanced ICAP traffic scanning.

      When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules. The files are unavailable while they are being scanned by the Sandbox component.

  5. Click Apply.
  6. If you enabled real-time scanning of ICAP traffic and enabled the advanced scanning mode or the standard scanning mode, the Host field displays the URL of the Request Modification (REQMOD) service that processes outbound traffic in the following format: icap://<host>:1344/av/reqmod, where <host> is the IP address of the server where the Sensor component is installed. To configure integration with Kaspersky Anti Targeted Attack Platform, copy this URL and paste it in the settings of the proxy server that your organization used.

Real-time scanning of ICAP traffic is enabled or disabled.

To enable or disable real-time scanning of ICAP traffic on an individual server with the Sensor component installed:

  1. Enter the management console of the Sensor server via the SSH protocol or through a terminal.
  2. When the system prompts you, enter the administrator user name and the password that was set during the installation of the application.

    This opens the settings menu for the Sensor component. If the menu does not open, enter the kata-admin-menu command and press ENTER.

  3. Go to the Program settings → Configure ICAP integration section.

    To select a row, you can use the ↑, ↓, and ENTER keys. The selected row is highlighted in red.

  4. This opens a window; in that window, make sure that [x] is displayed to the right of the Enabled setting.
  5. Select one of the following options:
    • Disable real-time scanning.

      If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.

    • Standard ICAP scanning.

      When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Anti-Malware Engine and YARA modules.

    • Advanced ICAP scanning.

      When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules.

  6. Select an option and press ENTER. (O) is displayed to the right of the selected option.

    To select a row, you can use the ↑ and ↓ keys. The selected row is highlighted in red.

  7. If you enabled real-time scanning of ICAP traffic and enabled the advanced scanning mode or the standard scanning mode, specify the URL from the REQMOD field in the settings of your proxy server.

Real-time scanning of ICAP traffic on an individual server with the Sensor component is enabled or disabled.

If you enabled real-time scanning of ICAP traffic, scanning does not work if integration with the proxy server is disabled. All ICAP traffic scanning settings are saved. When you re-enable integration with the proxy server, ICAP traffic scanning is also enabled.

Page top