Configuring service rules

Rules define the behavior of Kaspersky Scan Engine in ICAP mode. These rules are listed in a service rules configuration file located in the /opt/kaspersky/ScanEngine/icap_data/ directory. The location of this file is specified in the RulesFilePath parameter of the ICAP mode configuration file. A sample configuration file, kavicapd_gui_rules.conf, is included in the distribution kit.

Each rule listed in the configuration file must be placed on a separate line.

Rule syntax

A kavicapd service rule consists of three parts:

Understanding scan results

In ICAP mode, Kaspersky Scan Engine scans both HTTP traffic and web addresses requested by users. Scan results are ranked by severity, with the most severe result having the rank of 1. The following list shows the ranking of supported scan results by severity:

  1. PHISHING
  2. DETECT
  3. MACRO
  4. NON_SCANNED
  5. FAILED
  6. CLEAN

If a traffic scan and a URL scan produce different scan results, the result with the highest severity level is chosen as the summary scan result. If both scan results are DETECT, the summary scan result is also DETECT, and the name of the detected object returned by Kaspersky Scan Engine is taken from the result of a URL scan. The scan results used in service rules are summary scan results.

Sample rules

Below are a few sample rules that you can specify:

RESP DETECT SET_RESP=detect_resp EXEC_CMD=admin_notify

RESP FAILED SET_RESP=err_resp

REQ FAILED EXEC_CMD=admin_notify

REQ CLEAN

Page top