Enabling or disabling real-time scanning of ICAP traffic

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

You can enable or disable real-time scanning of ICAP traffic if integration with a proxy server via ICAP is enabled.

If real-time scanning of ICAP traffic is enabled, Kaspersky Anti Targeted Attack Platform sends information about scanned objects to the ICAP client in real time. This helps prevent downloading malicious objects and clicking untrusted links.

To enable or disable real-time scanning of ICAP traffic:

  1. Select the Sensor servers section in the window of the application web interface.
  2. Click the card of the relevant Sensor component.

    This opens a window with information about the component.

  3. Click Edit.
  4. Go to the ICAP integration with proxy server tab.
  5. Under Real-time scanning, select one of the following options:
    • Disabled

      If you select this option, real-time scanning of ICAP traffic is disabled. This option is selected by default.

    • Enabled, standard ICAP traffic scanning.

      When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules. The files remain available while they are being scanned by the Sandbox component.

    • Enabled, advanced ICAP traffic scanning.

      When this type of scan is enabled, the reputation of files and URLs is checked against the knowledge base of Kaspersky Security Network, and files are scanned by the Sandbox component and Anti-Malware Engine and YARA modules. The files are unavailable while they are being scanned by the Sandbox component.

  6. Under Extract user name:

    If you want to get the user name from the ICAP server, set the Extract user name toggle switch field to Enabled. If you need to use Base64 decoding, select the Use Base64 decoding check box.

  7. Click Save.

Real-time scanning of ICAP traffic is enabled or disabled.

If you disable proxy server integration, ICAP traffic scanning is also disabled, even if it was previously enabled. The scan settings are preserved, and the next time you enable the proxy server integration, ICAP traffic scanning is re-enabled.

To optimize workload, the application may temporarily switch from advanced ICAP traffic scanning mode to standard scanning mode In this case, files obtained from ICAP traffic and sent for scanning to Sandbox can still be downloaded. When a threat is detected in scanned files, the application creates an alert. Scanning files by the Anti-Malware Engine and YARA modules continues to work normally.

Page top