Configuring service rules

Rules define the behavior of Kaspersky Scan Engine in ICAP mode. These rules are listed in a service rules configuration file located in the /opt/kaspersky/ScanEngine/icap_data/ directory. The location of this file is specified in the RulesFilePath parameter of the ICAP mode configuration file. A sample configuration file, kavicapd_gui_rules.conf, is included in the distribution kit.

Each rule listed in the configuration file must be placed on a separate line.

Rule syntax

A kavicapd service rule consists of three parts:

• ICAP mode

  Possible values:

  • REQ

    Request modification (REQMOD) mode

  • RESP

    Response modification (RESPMOD) mode

  • ANY

    Any of the modes listed above

• Scan result

  Possible values are listed below.

  Possible values:

  • NON_SCANNED

    The object was not scanned.

  • FAILED

    Scan failed.

  • PHISHING

    A phishing web address is detected.

  • DETECT

    The scanned object or URL is infected.

  • MACRO

    A Microsoft Office document containing a macro is detected.

  • CLEAN

    The scanned object is clean (non-infected).

• Response of Kaspersky Scan Engine in ICAP mode

  Possible values:

  • SET_RESP=<response_template>

    Kaspersky Scan Engine sends an HTML response template with the specified name to a proxy server.

  • EXEC_CMD=<script>

    Kaspersky Scan Engine executes a script with the specified name.

  • NONE

    Kaspersky Scan Engine does not modify the scanned object.

  If the Kaspersky Scan Engine response is not specified in a rule, the default value of NONE is used.

Understanding scan results

In ICAP mode, Kaspersky Scan Engine scans both HTTP traffic and web addresses requested by users. Scan results are ranked by severity, with the most severe result having the rank of 1. The following list shows the ranking of supported scan results by severity:

1. PHISHING
2. DETECT
3. MACRO
4. NON_SCANNED
5. FAILED
6. CLEAN

If a traffic scan and a URL scan produce different scan results, the result with the highest severity level is chosen as the summary scan result. If both scan results are DETECT, the summary scan result is also DETECT, and the name of the detected object returned by Kaspersky Scan Engine is taken from the result of a URL scan. The scan results used in service rules are summary scan results.

Sample rules

Below are a few sample rules that you can specify:

RESP DETECT SET_RESP=detect_resp EXEC_CMD=admin_notify RESP FAILED SET_RESP=err_resp REQ FAILED EXEC_CMD=admin_notify REQ CLEAN

Page top