Data Loss Prevention

  • 1.  ICAP Reqmod would only trigger AV scan, but not DLP scan

    Posted Jun 27, 2017 10:55 AM

    Hello, we are building an ICAP scan client and we wrote our program based on integration with Symantec Scan Engine and its development document. However, the customer has Symantec Data Loss Protection Web Prevent. Based on the ICAP protocol, it looks like we have implemented ICAP correctly; however, it only triggers an AV scan but not a DLP scan when requests are sent to DLP Web Prevent. Here is a sample request:

    REQMOD icap://<server>:1344/reqmod ICAP/1.0
    Host: <server>:1344
    Connection: close
    Encapsulated: req-hdr=0, req-body=123
    
    POST testfile.txt HTTP/1.1
    Host: 10.2.30.30
    Accept: text/html, text/plain
    Accept-Encoding: compress
    Pragma: no-cache
    
    <file content>
    

    Here is the scan result we got:

    Finish Scan Document:testfile.txt, Detail:Scan File:testfile.txt,Status:CLEAN,Tota
    l Infection:0,Definition Date:6/27/2017 12:00:00 AM,Definition Rev Number:001;
    ConnectionHost:10.2.30.30,ConnectionPort:1344,ConnectionStatus:ERR_SUCCESSFUL_CO
    NN;CLEAN,IsPassed:True

    Just wondering what we did wrong here. It would be really appreciated if anyone could shed some light on what we could do to trigger the DLP scan on "DLP Web Prevent". Thanks very much in advance.
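    As an added example (not code from the original post, from Symantec, or from the poster's C# client), the following Python builds an RFC 3507 REQMOD request the way the sample above is structured, but computes the Encapsulated offsets from the actual byte lengths and sends the body in the chunked transfer coding that RFC 3507 section 4.4.3 requires for encapsulated bodies. The DLP host name and file content are constructed placeholders.

```python
"""Build and check an RFC 3507 ICAP REQMOD message with a chunked body."""
from typing import Dict, Optional
from urllib.parse import urlparse

CRLF = b"\r\n"
CHUNK = 4096


def build_reqmod(icap_host: str, origin_url: str, body: bytes,
                 extra_http_headers: Optional[Dict[str, str]] = None,
                 icap_port: int = 1344) -> bytes:
    """Return the complete REQMOD message: ICAP headers + encapsulated HTTP."""
    # Encapsulated HTTP request: request line, Host, optional headers, blank line.
    # Content-Length keeps the length of the ORIGINAL body; the ICAP transport
    # chunks it separately (RFC 3507 section 4.4.3).
    http_lines = [f"POST {origin_url} HTTP/1.1",
                  f"Host: {urlparse(origin_url).netloc}"]
    for name, value in (extra_http_headers or {}).items():
        http_lines.append(f"{name}: {value}")
    http_lines.append(f"Content-Length: {len(body)}")
    http_hdr = CRLF.join(l.encode("ascii") for l in http_lines) + CRLF + CRLF

    # Chunked body: <hex length>CRLF<data>CRLF ... terminated by the zero chunk.
    chunked = b"".join(
        f"{len(body[i:i + CHUNK]):x}".encode("ascii") + CRLF
        + body[i:i + CHUNK] + CRLF
        for i in range(0, len(body), CHUNK)
    ) + b"0" + CRLF + CRLF

    # Encapsulated offsets are byte offsets from the start of the encapsulated
    # section, so req-body is exactly the encapsulated header length.
    icap_lines = [
        f"REQMOD icap://{icap_host}:{icap_port}/reqmod ICAP/1.0",
        f"Host: {icap_host}:{icap_port}",
        "Connection: close",
        f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}",
    ]
    icap_hdr = CRLF.join(l.encode("ascii") for l in icap_lines) + CRLF + CRLF
    return icap_hdr + http_hdr + chunked


def parse_encapsulated(message: bytes) -> Dict[str, int]:
    """Parse an ICAP message's Encapsulated header into {section: offset}."""
    icap_hdr, _, _ = message.partition(CRLF + CRLF)
    for line in icap_hdr.split(CRLF)[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"encapsulated":
            return {k.strip(): int(v) for k, v in
                    (part.split("=") for part in value.decode("ascii").split(","))}
    raise ValueError("missing Encapsulated header")


if __name__ == "__main__":
    # Constructed sample: hypothetical DLP host and file content.
    msg = build_reqmod("dlp.example.internal", "http://10.2.30.30/testfile.txt",
                       b"secret data")
    print(msg.decode("ascii"))
    print(parse_encapsulated(msg))
```

    Comparing the output with the request captured in the post shows the two differences to look at first: the req-body offset must match the real encapsulated header length, and the body must arrive chunked rather than raw.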




  • 2.  RE: ICAP Reqmod would only trigger AV scan, but not DLP scan

    Trusted Advisor
    Posted Jun 27, 2017 02:20 PM

    It looks like you have more than 1 application running on the DLP Web Prevent server that is using ICAP.

    DLP Web Prevent does NOT have an AV component.

    So this is either a configuration issue on the proxy side, where it is sending information for AV scan and then where it is sending data for a DLP scan.

    These are 2 different issues.

    What proxy are you using and what AV? I think this is really a Proxy config issue.



  • 3.  RE: ICAP Reqmod would only trigger AV scan, but not DLP scan

    Posted Jun 27, 2017 03:06 PM

    Thanks very much for the insights. From what we heard from the customer, they are not using any proxy, and there is no antivirus on the ICAP interface either. One thing is that our use case is not for browser traffic. Our program is a C# ICAP client, so it should be able to send requests directly to "Network Prevent for Web" without going through the proxy, right? Or is a proxy a must here? Are there any logs or flags we could turn on at "Network Prevent for Web" to see more information? Right now, there are no logs echoed out at the server side, thus we have no idea what's going on at the server side. Thanks again.




  • 4.  RE: ICAP Reqmod would only trigger AV scan, but not DLP scan

    Trusted Advisor
    Posted Jun 27, 2017 07:34 PM

    So you are trying to use the DLP Web Prevent without a Proxy!

    You are not using the system as it was intended, so you are outside of the realm of using the system as designed.

    If they are using an ICAP client then the client is probably not sending the right ICAP information to DLP.

    DLP expects very SPECIFIC calls and transmissions of ICAP protocol data and requests from a PROXY via ICAP, NOT a random client.

    Again, your issue is that the C# ICAP client is NOT configured to properly communicate with a DLP ICAP server. It's probably configured for ICAP communication with an AV ICAP server.

    You will need to understand more about ICAP, and the client should have more information for you, not SYMC DLP.

    At this point you are on your own, as it is NOT a supported integration.



  • 5.  RE: ICAP Reqmod would only trigger AV scan, but not DLP scan

    Posted Jun 28, 2017 12:59 PM

    Thanks for the clarification. As for this "DLP expects very SPECIFIC calls and transmissions of ICAP protocol data and requests from a PROXY via ICAP", would that mean that there are some documents from Symantec to those proxy vendors about what specific calls Network Prevent is expecting? If we had such documents, we could modify our client program to send the requests in that required format.

    We already programmed against ICAP and we did not see anything in the ICAP spec which talks about the difference between an AV scan and a DLP scan, unless Symantec has its own customization on top of the general ICAP protocol, which we did see in some places as well.


    We talked with our customer and they are thinking about deploying the proxy as well. I guess for our client program it is still a challenge how to send the file to the proxy, though, since the content we need to scan is not triggered by end-user browser access. Rather, it is some internal workflow that triggers the DLP scan. Could that proxy work as both a reverse proxy and a forward proxy and trigger the ICAP scan in both cases? For a reverse proxy, it seems that we would need to be able to access whatever file URLs in the internal system we want to scan from the proxy. It may not work, though, since internal system URLs won't resolve to that proxy and may not allow access from the proxy. For a forward proxy, it would be easy: we could add the proxy to our code and then send the HTTP request to the internal system by setting that proxy in our C# HTTP request. If you have any related information here, please let us know.


    Again, thanks very much for your time and your expertise. It is really appreciated.




  • 6.  RE: ICAP Reqmod would only trigger AV scan, but not DLP scan

    Trusted Advisor
    Posted Jul 06, 2017 05:07 PM

    Here are some documents that might point you in the right direction.

    Please mark as solved when possible.

    Attachment(s):
    Generic_ICAP_Integation.4.pdf (1.74 MB)
    Test ICAP.docx (23 KB)