In ‘Request’ mode, the ICAP server can pass more than the simple Pass / Fail message and can include additional information such as the name of the virus or the reason why the file has ‘failed’ the scan. Some of the more recent scanners can now also redact (clean up) a file and pass it back to EFT to be processed. This could be by removing any malicious content, or obfuscating data which is not allowed to be sent – eg: bank details – making it unintelligible. This latter option is useful to protect personal data leaving a network, making sure you comply with GDPR.
ICAP connections are configured as a server-wide profile and scans are usually executed as a part of an event rule.
Checking for incoming viruses
Incoming files are usually passed to an AV ICAP scanner to ensure they are ‘Clean’. This is often done as a ‘File Upload’ rule which passes any uploaded file to the ICAP Scanner. Caution should be taken with large files or slow scans as, due to the mechanics of the ‘File Upload’ Event, responses to uploading clients can be delayed for the duration of the scan. If the scan takes longer than the timeout for the uploading client, then it is possible the client will see the upload as unsuccessful and may retry. If this is the case, it is recommended to extend the timeout period on the client to allow for the extended processing time.
Checking outgoing files
As mentioned, Event Rules can also be used to check outbound files before they are allowed to leave the network – normally this would be a DLP check, but there may also be an AV scan too. When passing any files to ICAP, you may define and select from a number of profiles which will allow for different security rules to be applied in different scenarios. For example, you may code one set of rules for transfer to a bank, and a different set of rules for a shipping company. Using different rules may also help you address issues with larger files. ICAP scanners which support redaction can be used to change files which contain sensitive information. For example if a file contains credit card numbers, it could be redacted to replace the first 12 digits with Xs making the credit card number appear as “XXXX XXXX XXXX 1234”.
AntiVirus ICAP scanners supported by EFT are
DLP ICAP scanners supported by EFT are:
In addition to these, EFT should be able to communicate with any solution which uses the ICAP protocol. Pro2col have also tested Clearswift, which has AntiVirus and DLP capabilities built into a single solution.
If you are interested in finding out more about ICAP scanning with EFT, or would like support getting it up and running in your organisation, please get in touch.