Configuring service rules

March 5, 2024

ID 179893

Rules define the behavior of Kaspersky Scan Engine in ICAP mode. These rules are listed in a service rules configuration file located in the /opt/kaspersky/ScanEngine/icap_data/ directory. The location of this file is specified in the RulesFilePath parameter of the ICAP mode configuration file. A sample configuration file, kavicapd_gui_rules.conf, is included in the distribution kit.

Each rule listed in the configuration file must be placed on a separate line.

Rule syntax

A kavicapd service rule consists of three parts:

  • ICAP mode

    Possible values:

    • REQ

      Request modification (REQMOD) mode

    • RESP

      Response modification (RESPMOD) mode

    • ANY

      Any of the modes listed above

  • Scan result

    Possible values:

    • NON_SCANNED

      The object was not scanned.

    • FAILED

      Scan failed.

    • PHISHING

      A phishing web address is detected.

    • DETECT

      The scanned object or URL is infected.

    • MACRO

      A Microsoft Office document containing a macro is detected.

    • CLEAN

      The scanned object is clean (non-infected).

  • Response of Kaspersky Scan Engine in ICAP mode

    Possible values:

    • SET_RESP=<response_template>

      Kaspersky Scan Engine sends an HTML response template with the specified name to a proxy server.

    • EXEC_CMD=<script>

      Kaspersky Scan Engine executes a script with the specified name.

    • NONE

      Kaspersky Scan Engine does not modify the scanned object.

    If the Kaspersky Scan Engine response is not specified in a rule, the default value of NONE is used.

Understanding scan results

In ICAP mode, Kaspersky Scan Engine scans both HTTP traffic and web addresses requested by users. Scan results are ranked by severity, with the most severe result having the rank of 1. The following list shows the ranking of supported scan results by severity:

  1. PHISHING
  2. DETECT
  3. MACRO
  4. NON_SCANNED
  5. FAILED
  6. CLEAN

If a traffic scan and a URL scan produce different scan results, the result with the higher severity (the lower rank in the list above) is chosen as the summary scan result. If both scan results are DETECT, the summary scan result is also DETECT, and the name of the detected object returned by Kaspersky Scan Engine is taken from the result of the URL scan. The scan results used in service rules are summary scan results.

Sample rules

Below are a few sample rules that you can specify:

RESP DETECT SET_RESP=detect_resp EXEC_CMD=admin_notify

RESP FAILED SET_RESP=err_resp

REQ FAILED EXEC_CMD=admin_notify

REQ CLEAN
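The following added example (not part of the Kaspersky Scan Engine distribution) shows how the rule syntax above, the severity ranking used for summary scan results, and the sample rules fit together: it parses rule lines into the three documented parts, rejects tokens the syntax does not allow, combines a traffic-scan result with a URL-scan result by severity, and finds the rule that applies. The first-match lookup order in match_rule is an assumption of this example; the page does not state how kavicapd orders rules.

```python
"""Parse kavicapd service rules, rank scan results and find the rule that
applies to a request. Added example, not part of Kaspersky's distribution."""
from dataclasses import dataclass
from typing import Optional

# Documented tokens for the three parts of a rule.
MODES = {"REQ", "RESP", "ANY"}
RESULTS = {"NON_SCANNED", "FAILED", "PHISHING", "DETECT", "MACRO", "CLEAN"}
# Severity ranking from the documentation: 1 is the most severe.
SEVERITY_RANK = {"PHISHING": 1, "DETECT": 2, "MACRO": 3,
                 "NON_SCANNED": 4, "FAILED": 5, "CLEAN": 6}


@dataclass
class Rule:
    mode: str                       # REQ, RESP or ANY
    result: str                     # summary scan result the rule fires on
    set_resp: Optional[str] = None  # HTML response template name, if any
    exec_cmd: Optional[str] = None  # script name, if any

    @property
    def response(self) -> str:
        """Configured response; NONE when no action is given (the default)."""
        parts = []
        if self.set_resp:
            parts.append(f"SET_RESP={self.set_resp}")
        if self.exec_cmd:
            parts.append(f"EXEC_CMD={self.exec_cmd}")
        return " ".join(parts) if parts else "NONE"


def parse_rule(line: str) -> Rule:
    """Parse one rule line: <ICAP mode> <scan result> [response ...]."""
    tokens = line.split()
    if len(tokens) < 2:
        raise ValueError(f"rule needs a mode and a scan result: {line!r}")
    mode, result, *actions = tokens
    if mode not in MODES:
        raise ValueError(f"unknown ICAP mode {mode!r} in {line!r}")
    if result not in RESULTS:
        raise ValueError(f"unknown scan result {result!r} in {line!r}")
    rule = Rule(mode, result)
    for action in actions:
        if action == "NONE":
            continue  # explicit default: do not modify the scanned object
        key, sep, value = action.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed response {action!r} in {line!r}")
        if key == "SET_RESP":
            rule.set_resp = value
        elif key == "EXEC_CMD":
            rule.exec_cmd = value
        else:
            raise ValueError(f"unknown response {key!r} in {line!r}")
    return rule


def parse_rules(text: str) -> list[Rule]:
    """Parse a rules file: one rule per line, blank lines ignored."""
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def summary_result(traffic_result: str, url_result: str) -> str:
    """Combine a traffic-scan and a URL-scan result into the summary result:
    the more severe (lower-ranked) result wins; equal results stay as-is."""
    return min((traffic_result, url_result), key=lambda r: SEVERITY_RANK[r])


def match_rule(rules: list[Rule], mode: str, result: str) -> Optional[Rule]:
    """Return the first rule whose mode (or ANY) and scan result match.
    First-match order is an assumption of this example, not documented."""
    for rule in rules:
        if rule.mode in (mode, "ANY") and rule.result == result:
            return rule
    return None


# The sample rules from this page, used here as input.
SAMPLE_RULES = """\
RESP DETECT SET_RESP=detect_resp EXEC_CMD=admin_notify
RESP FAILED SET_RESP=err_resp
REQ FAILED EXEC_CMD=admin_notify
REQ CLEAN
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # Clean traffic from a URL that scans as DETECT: the summary is DETECT.
    summary = summary_result("CLEAN", "DETECT")
    hit = match_rule(rules, "RESP", summary)
    print(summary, "->", hit.response if hit else "no matching rule (NONE)")
```

Running the script with the page's sample rules reports DETECT -> SET_RESP=detect_resp EXEC_CMD=admin_notify, since the URL-scan DETECT outranks the clean traffic scan and the first sample rule covers RESPMOD DETECT; a REQMOD DETECT has no matching sample rule, so the default response NONE applies.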
