Rules define the behavior of Kaspersky Scan Engine in ICAP mode. They are listed in a service rules configuration file in the /opt/kaspersky/ScanEngine/icap_data/ directory; the location of this file is specified in the RulesFilePath parameter of the ICAP mode configuration file. A sample rules file, kavicapd_gui_rules.conf, is included in the distribution kit.
Each rule must be placed on a separate line of the configuration file.
Rule syntax
A kavicapd service rule consists of three space-separated parts, in this order: the ICAP mode the rule applies to, the summary scan result it matches, and the Kaspersky Scan Engine response to apply.

ICAP mode. Possible values:
REQ
Request modification (REQMOD) mode
RESP
Response modification (RESPMOD) mode
ANY
Any of the modes listed above

Scan result. This is the summary scan result (see "Understanding scan results" below). Possible values:
NON_SCANNED
The object was not scanned.
FAILED
The scan failed.
PHISHING
A phishing web address was detected.
DETECT
The scanned object or URL is infected.
MACRO
A Microsoft Office document containing a macro was detected.
CLEAN
The scanned object is clean (not infected).

Kaspersky Scan Engine response. Possible values:
SET_RESP=<response_template>
Kaspersky Scan Engine sends the HTML response template with the specified name to the proxy server.
EXEC_CMD=<script>
Kaspersky Scan Engine executes the script with the specified name.
NONE
Kaspersky Scan Engine does not modify the scanned object.
A rule may list more than one response (for example, both SET_RESP and EXEC_CMD). If no response is specified in a rule, the default value NONE is used.
Understanding scan results
In ICAP mode, Kaspersky Scan Engine scans both HTTP traffic and the web addresses requested by users. Scan results are ranked by severity, with the most severe result having rank 1. The following list shows the ranking of supported scan results, from most to least severe:
1. PHISHING
2. DETECT
3. MACRO
4. NON_SCANNED
5. FAILED
6. CLEAN
If the traffic scan and the URL scan produce different results, the result with the higher severity is chosen as the summary scan result. If both results are DETECT, the summary scan result is also DETECT, and the name of the detected object returned by Kaspersky Scan Engine is taken from the URL scan result. Service rules are matched against summary scan results.
Sample rules
Below are a few sample rules that you can specify (one rule per line; the last rule has no response and therefore uses the default NONE):
RESP DETECT SET_RESP=detect_resp EXEC_CMD=admin_notify
RESP FAILED SET_RESP=err_resp
REQ FAILED EXEC_CMD=admin_notify
REQ CLEAN
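The rule grammar and the severity ranking above are simple enough to check mechanically before a rules file is deployed. The following Python script is an added example, not part of the Kaspersky distribution or of this page: it parses rule lines in the form `<mode> <result> [responses]` inferred from the samples above, reports malformed lines with their line number, combines a traffic scan result and a URL scan result into the summary result using the ranking from "Understanding scan results", and looks up the responses a rule set prescribes for a given mode and summary result. The class and function names, the top-to-bottom first-match evaluation order, and treating "no matching rule" like NONE are assumptions; the sample rules file and the scan outcomes are constructed for the example.

```python
"""Parser and evaluator for kavicapd-style service rules.

Added example, not Kaspersky code. Assumed rule grammar, inferred from the
page's samples: <mode> <scan result> [SET_RESP=<template>] [EXEC_CMD=<script>]
or <mode> <scan result> NONE.
"""
from dataclasses import dataclass, field

MODES = {"REQ", "RESP", "ANY"}
# Severity ranking from the page: index 0 (PHISHING) has rank 1, the most severe.
SEVERITY = ["PHISHING", "DETECT", "MACRO", "NON_SCANNED", "FAILED", "CLEAN"]
RANK = {name: i + 1 for i, name in enumerate(SEVERITY)}
ACTIONS = {"SET_RESP", "EXEC_CMD"}


@dataclass
class Rule:
    mode: str
    result: str
    actions: dict = field(default_factory=dict)  # an empty dict means NONE

    def matches(self, mode: str, result: str) -> bool:
        return result == self.result and self.mode in ("ANY", mode)


def parse_rule(line: str, lineno: int = 0) -> Rule:
    """Parse one rule line; raise ValueError naming the line on any fault."""
    tokens = line.split()
    if len(tokens) < 2:
        raise ValueError(f"line {lineno}: expected '<mode> <result> [responses]'")
    mode, result, *rest = tokens
    if mode not in MODES:
        raise ValueError(f"line {lineno}: unknown mode {mode!r}")
    if result not in RANK:
        raise ValueError(f"line {lineno}: unknown scan result {result!r}")
    if rest == ["NONE"]:
        return Rule(mode, result)
    actions: dict = {}
    for tok in rest:
        name, sep, value = tok.partition("=")
        if name not in ACTIONS or not sep or not value:
            raise ValueError(f"line {lineno}: bad response {tok!r}")
        if name in actions:
            raise ValueError(f"line {lineno}: {name} given twice")
        actions[name] = value
    return Rule(mode, result, actions)


def parse_rules(text: str) -> list:
    """Parse a whole rules file: one rule per line, blank lines ignored."""
    return [parse_rule(raw.strip(), n)
            for n, raw in enumerate(text.splitlines(), 1) if raw.strip()]


def validate_rules(text: str) -> list:
    """Return [(lineno, message)] for every line that fails to parse."""
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            try:
                parse_rule(raw.strip(), lineno)
            except ValueError as exc:
                errors.append((lineno, str(exc)))
    return errors


def summary_result(traffic: tuple, url: tuple) -> tuple:
    """Combine (result, object_name) pairs from the traffic scan and the URL scan.

    The more severe result wins; when both are DETECT, the detected object's
    name is taken from the URL scan, as the page states.
    """
    if traffic[0] == url[0] == "DETECT":
        return ("DETECT", url[1])
    return min(traffic, url, key=lambda r: RANK[r[0]])


def actions_for(rules: list, mode: str, result: str) -> dict:
    """Responses of the first rule matching this mode and summary result.

    Assumption (not stated on the page): rules are evaluated top to bottom,
    the first match wins, and no match behaves like NONE.
    """
    for rule in rules:
        if rule.matches(mode, result):
            return rule.actions
    return {}


# Constructed sample rules file, matching the page's sample rules.
SAMPLE_RULES = """\
RESP DETECT SET_RESP=detect_resp EXEC_CMD=admin_notify
RESP FAILED SET_RESP=err_resp
REQ FAILED EXEC_CMD=admin_notify
REQ CLEAN
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Constructed outcome: the response body is infected and the URL is detected too.
    verdict = summary_result(("DETECT", "object-from-traffic-scan"),
                             ("DETECT", "object-from-url-scan"))
    print(verdict, actions_for(rules, "RESP", verdict[0]))
    # Two deliberately broken lines: an unknown result and an empty template name.
    print(validate_rules("ANY BOGUS NONE\nREQ CLEAN SET_RESP=\n"))
```

Because EXEC_CMD makes the engine run a script by name, treat the rules file and the scripts it references as privileged configuration: restrict write access to both, and run a check such as validate_rules over a new file before pointing RulesFilePath at it, rather than discovering a typo when the service loads it.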