Working with response templates and scripts

Rules allow you to specify response templates that can be returned in place of blocked web pages, and to specify scripts that can be executed upon detection, for example, to notify the system administrator.

The Kaspersky Scan Engine distribution package contains sample response templates and a sample script that sends information about an incident to syslog.

Working with response templates

Kaspersky Scan Engine is shipped with two sample response templates located in the /opt/kaspersky/ScanEngine/icap_data/templates directory: detect_req and detect_res. The detect_req template is returned when a threat or a type of legitimate software that can be used by intruders to damage a user's computer or personal data is detected in request modification (REQMOD) mode. The detect_res template is returned when a threat or a type of legitimate software that can be used by intruders to damage a user's computer or personal data is detected in response modification (RESPMOD) mode.

You can create custom response templates and configure Kaspersky Scan Engine to return them with the modified message. Like sample response templates, custom response templates can use a detection context that provides additional information to a user. For more information on the detection context, see subsection "Using the detection context in response templates and scripts" below.

Even though Kaspersky Scan Engine returns response templates in place of blocked web pages, some browsers may not display these templates and show a 403 Forbidden HTTP status code instead.

Working with scripts

Kaspersky Scan Engine is shipped with a send_syslog script located in the /opt/kaspersky/ScanEngine/icap_data/scripts directory.

The send_syslog script displays a message about a detected object and redirects the message to logger.

You can create custom shell scripts and configure Kaspersky Scan Engine to execute them upon detection. Like the sample script, custom scripts can use the detection context that provides additional information to a user. For more information on the detection context, see subsection "Using the detection context in response templates and scripts" below.

Using the detection context in response templates and scripts

Response templates and scripts support the detection context. When a response template is displayed, context variables are replaced with values returned by Kaspersky Scan Engine. To use the detection context in a script, reference context variables as environment variables.

The following variables are supported in the detection context:

You can use the detection context in custom response templates and scripts.
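
The following custom detection script is an added example of the pattern described above; it is not the shipped send_syslog script and not Kaspersky code. The EXAMPLE_CTX_* names are placeholders for the real context variable names, and the kse-detect tag is made up. Context values such as a URL come from the scanned traffic, so the script strips control characters and double quotes before passing them to logger.

```shell
#!/bin/sh
# Added example: custom detection script that logs to syslog via logger.
# ASSUMPTION: EXAMPLE_CTX_VERDICT, EXAMPLE_CTX_URL and EXAMPLE_CTX_CLIENT are
# placeholder names. Replace them with the context variable names that your
# Kaspersky Scan Engine version documents.

# Make one context value safe to embed in a single key="value" log field:
# control characters (including CR/LF, which could forge extra syslog
# records) and double quotes become '?', and the value is capped at 256 bytes.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr '\000-\037\177"' '[?*]' | cut -c1-256
}

# Build the one-line message from the environment. Every expansion is quoted,
# so spaces or shell metacharacters in a value are never interpreted.
build_message() {
    printf 'detect verdict="%s" url="%s" client="%s"' \
        "$(sanitize "${EXAMPLE_CTX_VERDICT:-unknown}")" \
        "$(sanitize "${EXAMPLE_CTX_URL:-}")" \
        "$(sanitize "${EXAMPLE_CTX_CLIENT:-}")"
}

# Log only when the engine has populated the context. The tag "kse-detect"
# and the daemon.warning priority are choices made for this example.
if [ -n "${EXAMPLE_CTX_VERDICT:-}" ]; then
    logger -t kse-detect -p daemon.warning "$(build_message)"
fi
```

Run it once by hand with the variables set to test values and check the resulting syslog entry before configuring the script in a rule.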
