Working with response templates and scripts

March 5, 2024

ID 179895

Rules allow you to specify response templates that can be returned in place of blocked web pages, and to specify scripts that can be executed upon detection, for example, to notify the system administrator.

The Kaspersky Scan Engine distribution package contains sample response templates and a sample script that sends information about an incident to syslog.

Working with response templates

Kaspersky Scan Engine is shipped with the following sample response templates located in the /opt/kaspersky/ScanEngine/icap_data/templates directory:

  • detect_req

    This template is returned when a threat or a type of legitimate software that can be used by intruders to damage a user's computer or personal data is detected in request modification (REQMOD) mode.

  • detect_res

    This template is returned when a threat or a type of legitimate software that can be used by intruders to damage a user's computer or personal data is detected in response modification (RESPMOD) mode.

  • macro_req

    This template is returned when a Microsoft Office document file that contains a macro is detected in the request modification (REQMOD) mode.

  • macro_resp

    This template is returned when a Microsoft Office document file that contains a macro is detected in the response modification (RESPMOD) mode.

You can create custom response templates and configure Kaspersky Scan Engine to return them with the modified message. Like sample response templates, custom response templates can use a detection context that provides additional information to a user. For more information on the detection context, see subsection "Using the detection context in response templates and scripts" below.

Even though Kaspersky Scan Engine returns response templates in place of blocked web pages, some browsers may not display these templates, returning a 403 Forbidden HTTP status code instead.

Working with scripts

Kaspersky Scan Engine is shipped with a send_syslog script located in the /opt/kaspersky/ScanEngine/icap_data/scripts directory.

The send_syslog script prints a message about the detected object and passes it to the logger utility, which forwards it to syslog.

You can create custom shell scripts and configure Kaspersky Scan Engine to execute them upon detection. Like the sample script, custom scripts can use the detection context that provides additional information to a user. For more information on the detection context, see subsection "Using the detection context in response templates and scripts" below.

Custom scripts run in parallel threads. The maximum number of these threads is 100.

Using the detection context in response templates and scripts

Response templates and scripts support the detection context. When a response template is displayed, context variables are replaced with values returned by Kaspersky Scan Engine. To use the detection context in a script, reference context variables as environment variables.

The following variables are supported in the detection context:

  • _VirusName_—Name of the detected object.
  • _DateTime_—Date and time of the incident (in the YYYY-MM-DD HH:MM:MS format).
  • _ICAPDVersion_—Version of the ICAP plug-in.
  • _URL_—Requested URL.

You can use the detection context in custom response templates and scripts.
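As an added illustration (not the send_syslog script shipped with Kaspersky Scan Engine), the following custom script reads the four detection-context variables from its environment, builds a single syslog line, and hands it to logger. The syslog tag and priority are assumptions, and the script strips control characters from the URL so that a request URL chosen by an attacker cannot inject extra lines into the log stream.

```shell
#!/bin/sh
# Added example of a custom detection script for Kaspersky Scan Engine.
# The engine exports the detection context as environment variables:
# _VirusName_, _DateTime_, _ICAPDVersion_ and _URL_.

# Build the log line from the detection context. A missing variable is
# reported as "unknown" rather than producing an empty field.
build_detect_message() {
    virus="${_VirusName_:-unknown}"
    when="${_DateTime_:-unknown}"
    ver="${_ICAPDVersion_:-unknown}"
    url="${_URL_:-unknown}"
    # The URL is attacker-controlled input: drop control characters (including
    # newlines) so one detection cannot be turned into several log entries.
    url=$(printf '%s' "$url" | tr -d '\000-\037\177')
    printf 'KSE detection: object="%s" url="%s" time="%s" icapd_version="%s"' \
        "$virus" "$url" "$when" "$ver"
}

# Send the line to syslog through logger; if logger is unavailable, write it to
# stderr so the event is never dropped silently. Tag and priority are assumed.
send_detect_message() {
    msg=$(build_detect_message)
    if command -v logger >/dev/null 2>&1; then
        logger -t kaspersky-scanengine -p user.warning -- "$msg"
    else
        printf '%s\n' "$msg" >&2
    fi
}

# Only act when the engine actually supplied a detection context.
if [ -n "${_VirusName_:-}" ]; then
    send_detect_message
fi
```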
