Recommended settings for ICAP mode
March 5, 2024
ID 225528
This section describes the recommended settings for Kaspersky Scan Engine in ICAP mode.
If you use the Kaspersky Scan Engine GUI, specify the recommended parameters as described in the table below.
Recommended settings for ICAP mode in the Kaspersky Scan Engine GUI
Settings in the Kaspersky Scan Engine GUI | Recommended settings |
|---|---|
Service > Processes | Equal to the number of processor cores |
Service > Threads | Twice the value of |
Service > Sessions | See the description of |
Service > Partial mode | On |
Service > Delay | 10 |
Service > Chunk size | 4 |
Service > Prevent re-downloading | On |
Service > Maximum cache size | 5000 |
Service > Lifetime for blocked URLs | 1800 |
Service > Keep-alive | See the description of |
Scanning > Skip large objects | On 10343 KB (10.1 MB) Get an updated value from your TAM at least once a year. |
Scanning > Types of files to scan | Select the checkboxes:
|
Scanning > Heuristic analysis level | Low |
Scanning > Object scan timeout | 10000 (10 seconds) |
Scanning > Maximum depth | 5 |
Scanning > Scan scope in Request mode | URL (scans only the requested URLs) |
Scanning > Scan scope in Response mode | Files |
Scanning > Enable reputation checking | See the description of |
If you do not use the Kaspersky Scan Engine GUI, specify the recommended parameters in the kavicapd.xml configuration file as described in the table below.
Recommended settings for ICAP mode in the configuration file
Parameter in kavicapd.xml | Recommended settings |
|---|---|
ScannersCount | Equal to the number of processor cores |
ThreadsCount | Twice the value of |
MaxIcapSessionsCount | See the description of |
QueueLen |
|
RAMUsageLimit |
|
ScanMaxFileSize | 10343 KB (10.1 MB) Get an updated value from your TAM at least once a year. |
ScanningMode | Specify the flags:
|
ScanTimeout | 10000 (10 seconds) |
MaxArchivesScanningDepth | 5 |
ScanInReqMode |
|
ScanInRespMode |
|
TransferBeforeScanEnding |
|
Delay (Attribute of TransferBeforeScanEnding) | 10 |
ChunkSize (Attribute of TransferBeforeScanEnding) | 4 |
BlockedUrlCacheEnabled (Attribute of TransferBeforeScanEnding) | 1 |
BlockedUrlCacheKb (Attribute of TransferBeforeScanEnding) | 5000 |
BlockedUrlCacheTtlSec (Attribute of TransferBeforeScanEnding) | 1800 |
UseKSN | See the description of |
KeepAliveSettings | See the description of |
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Processes.
The recommended number of scanning processes is equal to the number of processor cores. For example, if Kaspersky Scan Engine is running on a computer with a 4-core processor, set ScannersCount to 4.
See also the subsection "Example of Kaspersky Scan Engine work in ICAP mode depending on the ScannersCount, ThreadsCount, QueueLen, and MaxIcapSessionsCount settings."
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Threads.
The recommended number of scanning threads depends on the number of scanning processes specified in ScannersCount: the value of ThreadsCount is twice the value of ScannersCount. For example, if Kaspersky Scan Engine is running on a computer with a 4-core processor and ScannersCount is set to 4, set ThreadsCount to 8.
See also the subsection "Example of Kaspersky Scan Engine work in ICAP mode depending on the ScannersCount, ThreadsCount, QueueLen, and MaxIcapSessionsCount settings."
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Sessions.
When specifying the maximum number of simultaneous connections to Kaspersky Scan Engine, consider the following:
- the maximum number of scanning threads (
ThreadsCount). - the maximum length of the queue for scan tasks (
QueueLen). - specifics of the ICAP mode: in general, kavicapd runs two threads for one scan task.
This means that the greater the number of active connections, the faster all scanning threads are getting occupied and, as a result, the longer the queue is for scan tasks.
The recommended MaxIcapSessionsCount value is:
- equal to the average number of ICAP client requests per minute.
- greater than the
ScannersCountvalue. - greater than the
ThreadsCountvalue. - exceeds the number of active processes used by the proxy server.
- exceeds the maximum number of connections from clients served by the proxy server that you use.
See also the subsection "Example of Kaspersky Scan Engine work in ICAP mode depending on the ScannersCount, ThreadsCount, QueueLen, and MaxIcapSessionsCount settings."
The length of the scan task queue must not be less than the number of scanning threads (ThreadsCount). Otherwise, some scanning threads will never be in use.
Since scan tasks are enqueued from all open sessions, it is necessary to consider the MaxIcapSessionsCount value. The scan task queue must not be less than MaxIcapSessionsCount. Otherwise, some clients will receive a 503 - Service overloaded error when trying to open a session.
The recommended QueueLen value is:
- greater than the
ThreadsCountvalue. - at least twice the
MaxIcapSessionsCountvalue.
See also the subsection "Example of Kaspersky Scan Engine work in ICAP mode depending on the ScannersCount, ThreadsCount, QueueLen, and MaxIcapSessionsCount settings."
If Kaspersky Scan Engine receives a lot of large objects to scan or a lot of simultaneous requests, the program can frequently stop request processing due to excessive consumption of system memory. When request processing stops, Kaspersky Scan Engine writes one of the following messages to the log file: Can't accept request: Not enough memory! or Can't accept new request: Not enough memory! The clients receive the 503 - Service overloaded error message.
We recommend that you limit the maximum amount of system memory to prevent its excessive consumption. When this limit is exceeded, Kaspersky Scan Engine stops scanning objects.
The recommended RAMUsageLimit value:
- does not exceed the RAM size.
- is twice the maximum file size for scanning large files. For example, scanning a 1 GB file requires about 2 GB of RAM.
- is not less than 600 MB, which is twice the size of the anti-virus database and Kaspersky Scan Engine libraries (300 MB in total). The reason for doubling is that the amount of system memory is doubled when the database is reloaded.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Skip large objects.
When specifying the maximum size of a file that Kaspersky Scan Engine can scan, consider the RAMUsageLimit value: ScanMaxFileSize must not be greater than RAMUsageLimit. To improve Kaspersky Scan Engine performance, set ScanMaxFileSize to 10343 KB (10.1 MB). This is the recommended value because it is sufficient to detect most malware.
If you have followed the recommendation above, we also recommend consulting with your Technical Account Manager (TAM) once a year to get an updated recommended value, as the average malware size changes from year to year.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Types of files to scan and Settings > Scanning > Heuristic analysis level.
The recommended value for ScanningMode is the following:
KAV_O_M_PACKED | KAV_O_M_ARCHIVED | KAV_O_M_MAILPLAIN | KAV_O_M_MAILBASES | KAV_O_M_HEURISTIC_LEVEL_SHALLOW
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Object scan timeout.
The recommended value for ScanTimeout is 10000 (10 seconds).
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Maximum depth.
We recommend that you limit the maximum depth of nested archives to be unpacked during scanning. The recommended value for MaxArchivesScanningDepth is 5.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Scan scope in Request mode.
The recommended value for ScanInReqMode is URL. If this value is specified, Kaspersky Scan Engine scans only the requested URLs.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Scan scope in Response mode.
The recommended value for ScanInRespMode is Content. If this value is specified, Kaspersky Scan Engine scans the HTTP message body.
This parameter in the Kaspersky Scan Engine GUI: Settings > Service, the Partial mode block of settings.
This parameter prevents the client from interrupting the connection to the proxy server due to a timeout. This may happen when a client sends a large object to scan and could not wait for the scanned object to be received.
The recommended value for TransferBeforeScanEnding is 1 (enable). It is also recommended to use the default attributes:
Delay:10ChunkSize:4The value must be at least several times less than
ScanMaxFileSize(see above).BlockedUrlCacheEnabled:1BlockedUrlCacheKb:5000BlockedUrlCacheTtlSec:1800
See also the detailed description of these attributes.
This parameter in the Kaspersky Scan Engine GUI: Settings > Scanning > Enable reputation checking.
We recommend enabling the use of data from KSN (Kaspersky Security Network). This provides faster responses to threats, improves the performance of some protection components, and reduces the likelihood of false positives.
To enable KSN, set UseKSN to 1.
If KSN is enabled, it is also recommended to enable Phishing Protection by using one of the following ways:
- In the ScanningMode element of the kavicapd.xml configuration file, add the
KAV_O_M_PHISHINGflag. - On the Settings > Scanning page of the Kaspersky Scan Engine GUI, turn on the Enable Phishing Protection toggle switch.
Phishing Protection is useful when Kaspersky Scan Engine checks URLs.
This parameter in the Kaspersky Scan Engine GUI: Settings > Service > Keep-alive.
We recommend enabling Keep-Alive. When Keep-Alive is enabled, Kaspersky Scan Engine maintains a persistent connection even after the request has been processed and the session timed out. This gives the following advantages:
- reduce network traffic
- reduce the use of server resources
- reduce latency in processing requests
Keep-Alive is especially useful for HTTPS connections that require more CPU time and more client-server interactions.
To enable Keep-Alive, set the Enabled element in KeepAliveSettings to 1.
To determine the values for TimeoutMs and MaxRequests, estimate the number of clients and the number of requests from clients.
For example, you have estimated that the maximum number of clients is 50, so you set MaxICAPSessionsCount to 50. If TimeoutMs and MaxRequests are unlimited, and all 50 clients send requests continuously, Kaspersky Scan Engine maintains connections with these 50 clients without limits. As a result, new connections cannot be established.
Another example. You have estimated that the maximum number of clients is 50, so you set MaxICAPSessionsCount to 50. You have also estimated that the maximum number of requests from one client is 15, so you set MaxRequests to 15. If you did not set the limit for TimeoutMs, and clients do not send 15 requests, Kaspersky Scan Engine maintains connections with these 50 clients without limits, so new connections cannot be established.
Example of Kaspersky Scan Engine work in ICAP mode depending on the ScannersCount, ThreadsCount, QueueLen, and MaxIcapSessionsCount settings
Let's say Kaspersky Scan Engine is installed on a computer with four CPU cores, there are 140 simultaneous connections to this computer, and Kaspersky Scan Engine is configured as follows:
- ScannersCount = 4
- ThreadsCount = 8
- QueueLen = 200
- MaxIcapSessionsCount = 100
In this case:
- Kaspersky Scan Engine tries to open connections for all 140 clients. Generally, 100 sessions are guaranteed to be open. The remaining 40 clients will probably receive the error
429: Too many requests. - The open sessions form a queue of scanning tasks. Ideally, a queue of 200 tasks is guaranteed.
If the
QueueLenvalue limits the queue length to less than 200 tasks, the rest of the clients will receive the error500 - Internal Server Error. - Kaspersky Scan Engine runs four scanning processes.
- Four scanning processes create eight threads for simultaneous processing of eight scanning tasks from the queue. The remaining 192 scanning tasks are queued.
If 500: Internal Server Error is returned to the client, it may mean that the queue length limit specified in QueueLen has been reached. In this case, you can do one of the following:
- Decrease
MaxIcapSessionsCount.Before decreasing
MaxIcapSessionsCount, evaluate your solution scalability needs. IfMaxIcapSessionsCountis decreased, all clients over the number specified inMaxIcapSessionsCountwill be unable to create a session and will receive the error429: Too many requests. - Increase
QueueLen.Before increasing
QueueLen, evaluate your solution scalability needs. If theQueueLenis too large and the bandwidth is low, the request processing time can increase so much that the client is disconnected before Kaspersky Scan Engine finishes processing the request.
If 503: Service overloaded is returned to the client, it may mean that the system memory consumption limit has been reached while the request was being processed (the log contains the record Not enough memory). In this case, increase the RAMUsageLimit value.
