Content Integrity Control Tab
The Content Integrity Control Action is used to send a file to an antivirus scanner or data loss prevention solution for processing. When this Action is added, a file that triggers the Event Rule is sent to an ICAP server for processing. When the file passes, other Actions can occur, such as moving the file to another location. If the file fails, processing can stop, or other Actions can occur, such as sending an email notification.
To create a profile to be used in the Content Integrity Control Action
-
Click Add. The tab becomes editable.
-
Profile name - Provide a descriptive name for the profile
-
Host, Path, Port - These settings depend on settings in the antivirus or DLP (ICAP) server.
-
The Host field cannot be blank.
-
By default, the port is set to 1344.
-
-
Mode - Specify one of the following:
-
Request modification (REQMOD) - Request modification mode: Embeds file contents in an HTTP PUT request body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded request, or a new HTTP response. The ICAP response will depend on your ICAP server’s implementation.
-
Response modification (RESPMOD) - Response modification mode: Embeds file contents in an HTTP 200 OK response body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded response. The ICAP response will depend on your ICAP server’s implementation.
-
-
Test Connection - After you specify the connection to the ICAP server, test the connection. If connection fails, verify these settings match the settings defined in the antivirus or DLP solution.
-
Limit scans to first - (Optional) Specify the number of bytes to scan. Some antivirus solutions only require a subset of a file's contents to test against their database of malware signatures. To keep from transferring large files in their entirety when we only need the first X bytes, you can specify how many bytes are sent to the ICAP server. When this check box is cleared, the entire file is transferred to the ICAP server. If the file is smaller than the size you've specified, the entire file will be transferred for processing.
-
Text in ICAP response headers - (Optional) Specify text to search for in the ICAP response header.
-
Text in ICAP body - (Optional) Specify text to search for in the ICAP response body text.
-
Treat any violation as non-blocking (audit and continue) - Leave this check box cleared if you want violations to stop processing.
-
Always audit these ICAP response "X-" headers - (Optional) Specify “X-“ headers for auditing using ARM. If this option is enabled and no “X-“ headers are specified, all “X-“ headers will be audited. Use semicolons between multiple items. Note this check box only affects whether the specified headers are audited by ARM, regardless of success or failure.
-
Click Apply to save the new profile. The new profile name appears in the Profiles list and is now available in the Content Integrity Control dialog box in Content Integrity Control Action.
To remove a profile
-
To remove a profile, select its name in the list, and then click Remove.