Protection Engine for Cloud Services

  • 1.  Symantec Protect Engine

    Posted Mar 02, 2015 01:37 PM

    Hi,

    I am currently testing the trial version of Symantec Protection Engine. I am not sure about the response I am sending to the server.

    For a clean file the response is

    ICAP/1.0 204 No Content Necessary
    ISTag: "B41A93E53F1B67B8551C585752E74D89"
    Date: Mon Mar 02 18:34:47 2015 GMT
    Service: Symantec Protection Engine/7.5.1.5
    Service-ID: Respmod AV Scan

    ICAP/1.0 204 No Content Necessary
    ISTag: "B41A93E53F1B67B8551C585752E74D89"
    Date: Mon Mar 02 18:34:47 2015 GMT
    Service: Symantec Protection Engine/7.5.1.5
    Service-ID: Respmod AV Scan
    X-Outer-Container-Is-Mime: 0

    For an infected file with a dummy virus the response is like

    ICAP/1.0 200 OK
    ISTag: "B41A93E53F1B67B8551C585752E74D89"
    Date: Mon Mar 02 17:23:31 2015 GMT
    Service: Symantec Protection Engine/7.5.1.5
    Service-ID: Respmod AV Scan
    X-Infection-Found: Type=0; Resolution=0; Threat=EICAR Test String;
    X-Violations-Found: 1
            test.txt
            EICAR Test String
            11101
            0
    X-Outer-Container-Is-Mime: 0

    ICAP/1.0 200 OK
    ISTag: "B41A93E53F1B67B8551C585752E74D89"
    Date: Mon Mar 02 17:23:31 2015 GMT
    Service: Symantec Protection Engine/7.5.1.5
    Service-ID: Respmod AV Scan
    X-Infection-Found: Type=0; Resolution=0; Threat=EICAR Test String;
    X-Violations-Found: 1
            test.txt
            EICAR Test String
            11101
            0
    Please let me know what the meaning of status 200 and 204 is and how to know if the file is clean?


    Thanks

    Shriram



  • 2.  RE: Symantec Protect Engine

    Broadcom Employee
    Posted Mar 09, 2015 11:39 AM

    Those are the ICAP status codes. They cannot be used to indicate if there is a virus or not because they just deal with the flow of ICAP traffic. You need to read the response to know if there is a virus. EICAR is not a dummy virus, it is a test string. A dummy virus would be an infected file without a payload.

    You can see a complete list of these codes and their meanings on page 376 of the Implementation Guide: http://www.symantec.com/business/support/index?page=content&id=DOC7746
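The following is an added example, not code from this thread or from Symantec, showing how a client can decide the verdict from the response headers (X-Infection-Found, X-Violations-Found) rather than from the 200/204 status line. The two sample responses are constructed from the ones quoted in the question; the field names given to the four folded lines under X-Violations-Found are my own labels.

```python
import re

# Constructed samples, trimmed from the responses quoted in the question above.
CLEAN_RESPONSE = (
    "ICAP/1.0 204 No Content Necessary\r\n"
    'ISTag: "B41A93E53F1B67B8551C585752E74D89"\r\n'
    "Service-ID: Respmod AV Scan\r\n\r\n"
)
INFECTED_RESPONSE = (
    "ICAP/1.0 200 OK\r\n"
    'ISTag: "B41A93E53F1B67B8551C585752E74D89"\r\n'
    "Service-ID: Respmod AV Scan\r\n"
    "X-Infection-Found: Type=0; Resolution=0; Threat=EICAR Test String;\r\n"
    "X-Violations-Found: 1\r\n"
    "\ttest.txt\r\n\tEICAR Test String\r\n\t11101\r\n\t0\r\n"
    "X-Outer-Container-Is-Mime: 0\r\n\r\n"
)

def parse_icap_headers(raw):
    """Split the ICAP head into (status_code, {lowercased name: [value, continuation, ...]})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = re.match(r"ICAP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an ICAP status line: %r" % lines[0])
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:      # folded continuation line (X-Violations-Found)
            headers[last].append(line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            last = name.strip().lower()
            headers[last] = [value.strip()]
    return int(m.group(1)), headers

def scan_verdict(raw):
    """Decide from the headers, not the status code alone, whether the scanned file is clean."""
    status, h = parse_icap_headers(raw)
    if status == 204:                              # nothing to modify: the engine reported nothing
        return {"verdict": "clean", "status": status, "violations": []}
    if status != 200:                              # 4xx/5xx: no scan happened, so fail closed
        return {"verdict": "error", "status": status, "violations": []}
    if "x-infection-found" not in h and "x-violations-found" not in h:
        return {"verdict": "unknown", "status": status, "violations": []}  # policy: never assume clean
    pairs = [kv.split("=", 1) for kv in h.get("x-infection-found", [""])[0].split(";") if "=" in kv]
    info = {k.strip(): v.strip() for k, v in pairs}
    viol = h.get("x-violations-found", ["0"])
    count, body = int(viol[0]), viol[1:]
    # Four folded lines per violation; the field names are my labels for the lines seen in the post.
    violations = [dict(zip(("file", "threat", "id", "disposition"), body[i:i + 4]))
                  for i in range(0, 4 * count, 4)]
    return {"verdict": "infected", "status": status, "infection": info, "violations": violations}
```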