Content Integrity Control Tab

Content Integrity Control is used to send a file to an antivirus scanner or data loss prevention solution for processing. When a File Scan Action is added, a file that triggers the Event Rule is sent to an ICAP server for processing. When the file passes, other Actions can occur, such as moving the file to another location. If the file fails, processing can stop, or other Actions can occur, such as sending an email notification.  

To create a profile to be used in the Content Integrity Control Action

  1. In the administration interface, connect to EFT and click the Server tab.

  2. On the Server tab, click the node of the Site you want to configure.

  3. In the right pane, click the Content Integrity Control tab.

  4. Click Add. The tab becomes editable.

  5. Profile name - Provide a descriptive name for the profile

  6. Host, Path, Port - These settings depend on settings in the antivirus or DLP (ICAP) server.

    • The Host field cannot be blank.

    • By default, the port is set to 1344.

  7. Mode - Specify one of the following:

    • Request modification (REQMOD) - Request modification mode: Embeds file contents in an HTTP PUT request body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded request, or a new HTTP response. The ICAP response will depend on your ICAP server’s implementation.

    • Response modification (RESPMOD) - Response modification mode: Embeds file contents in an HTTP 200 OK response body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded response. The ICAP response will depend on your ICAP server’s implementation.

  8. Test Connection - After you specify the connection to the ICAP server, test the connection. If connection fails, verify these settings match the settings defined in the antivirus or DLP solution.

  9. Limit scans to first - (Optional) Specify the number of bytes to scan. Some antivirus solutions only require a subset of a file's contents to test against their database of malware signatures. To keep from transferring large files in their entirety when we only need the first X bytes, you can specify how many bytes are sent to the ICAP server. When this check box is cleared, the entire file is transferred to the ICAP server. If the file is smaller than the size you've specified, the entire file will be transferred for processing.

  10. (Optional; EFT v8.0.5 and later) Headers -  Only set these values if needed for problematic ICAP connections. These headers are used in the ICAP server logs.

    • HTTP host - The EFT site's local host address (do not use "localhost")

    • X-Client-IP, X-Server-IP, X-Subscriber-ID, X-Authenticated Groups - Blank by default

    • X-Authentication User - Provide a string with variables.

      • LDAP - Example: "LDAP://pdc/samaccountName=%LOGIN.LOGIN%,DC=s5development,DC=local"

      • AD - Examples: WinNT://{NetBIOSDomainName/sAMAccountName}, WinNT://pdc/s5dev\arybin

      • Other - Examples: Local://%USER.LOGIN%, Local://%SERVER.NODE_NAME%

      • User can override and use context variables if desired as field elements. EFT will base-64 encode.

  11. Under Response Handling in v8.0.4 and earlier

    • Text in ICAP response headers - (Optional) Specify text to search for in the ICAP response header.

    • Text in ICAP body - (Optional) Specify text to search for in the ICAP response body text.

    • Treat any violation as non-blocking (audit and continue) - Leave this check box cleared if you want violations to stop processing.

    Note the difference between "ICAP Header" and "HTTP Header." The ICAP Header is a header with service information EFT sends to the ICAP server. The HTTP header is a part of information EFT sends to ICAP for analysis. That is, the HTTP header will be analyzed, not the ICAP header. The HTTP header is shown in ICAP log files.

  12. Under Response handling in v8.0.5 and later, specify whether to content should be blocked when the following occur: Connection errors, HTTP errors, ICAP redactions.

  13. (Optional) Audit and put into variables these ICAP response "X-" headers ("and put into variables" was added in v8.0.5) - Specify “X-“ headers for auditing using ARM. If this option is enabled and no “X-“ headers are specified, all “X-“ headers will be audited. Use semicolons between multiple items. Note this check box only affects whether the specified headers are audited by ARM, regardless of success or failure.

  14. Click Apply to save the new profile. The new profile name appears in the Profiles list and is now available in the Content Integrity Control dialog box in Content Integrity Control Action.

To remove a profile

  • To remove a profile, select its name in the list, and then click Remove.

Related Topics