File Scan Action

File: Scan Action

The File: Scan Action is used to send a file to an antivirus or data loss prevention scanner for processing. When this Action is added, a file that triggers the Event Rule is sent to an ICAP server for scanning. When the file passes the scan, other Actions can occur, such as moving the file to another location. If the file fails the scan, processing can stop, or other Actions can occur, such as sending an email notification. EFT fully supports RFC3507 section-3.1 and section-4.8. EFT can adapt the outgoing response if the ICAP server indicates that adaptation is necessary.

How does File: Scan work in Event Rules?

The File: Scan Action allows ICAP clients to pass HTTP messages to ICAP servers to scan the file(s) in the Event Rule that is passing through EFT.

You can create reusable profiles on the Content Integrity Control Tab and you can also create a custom Content Integrity Control (CIC) profile as you need it, as described below.

See more information below regarding ICAP Options, Example of Scanning Metadata, Details of the RESPMOD messages, and Example of Workspace-Created Event Rule with File Scan Action.

Important info about how EFT uses the File Scan Action

Using the File Scan Action with encrypted files will not return an accurate result. Copy/move the files to a folder that is not encrypted to process with the ICAP server.
ICAP servers don't all offer the same features. The action was tested with:

Clearswift version 5
Symantec DLP version 14.5.0.24028
Kaspersky version 5.5

When using the action, EFT needs to use POST in HTTP requests. Refer to knowledgebase article https://kb.globalscape.com/KnowledgebaseArticle11375.aspx for information about enabling an advanced property.
File Uploaded and Workspace Created events are triggered after a file is uploaded and after a Workspace is created. Only after the event triggers will the action begin communication with the ICAP server, and then redacts the file, if needed. Therefore, there may be delays between when a Workspace is created and a file is redacted. Use the File Uploaded event to trigger the action, then use the File: Scan action and "Fail" to prevent the message from being sent. Use the Before Download event trigger to scan the file before it's downloaded.

To scan a file using the File: Scan Action

Create a new Event Rule, such as a Folder Monitor Event.
Add relevant Conditions.
Add the Content Integrity Control Action. For example:

In the Action, click either of the underlined/linked items. The Content Integrity Control dialog box appears.

Click the CIC Profile drop-down list to select a predefined profile, or select <Custom>.
File Path - Physical location of the file to send to the ICAP server; %FS.PATH% is the default. You can specify another variable or drive and UNC paths. Wildcards are unsupported.

% - Click the drop-down list if you want to specify other context variables:

Also scan any available metadata, if present - Metadata includes the field name of Workspaces send operations. Consult your ICAP server for detailed information. The check box is selected by default.

The context variables Workspace Subject (%WORKSPACE.SUBJECT%) and Workspace Message (%WORKSPACE.MESSAGE%) (see above) relate to this feature.

If you specified a <Custom> profile, complete the rest of the fields in the dialog box:

Host address, Path, Port - These settings depend on settings in the antivirus or DLP (ICAP) server.

The Host address field should be the URL of the ICAP server (the field cannot be blank).
By default, the port is set to 1344.

Test Connection - After you specify the connection to the ICAP server, test the connection. If connection fails, verify these settings match the settings defined in the antivirus or DLP solution. (In earlier versions, Test Connection doesn't work with %variable% in the connection field.)
Mode - Specify one of the following:

Request modification (REQMOD) - - Request modification mode: Embeds file contents in an HTTP PUT request body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded request, or a new HTTP response. The ICAP response will depend on your ICAP server’s implementation.
Response modification (RESPMOD) - Response modification mode: Embeds file contents in an HTTP 200 OK response body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded response. The ICAP response will depend on your ICAP server’s implementation.

Limit scans to first n bytes - (Optional) Specify the number of bytes to scan. Some antivirus solutions only require a subset of a file's contents to test against their database of malware signatures. To keep from transferring large files in their entirety when we only need the first n bytes, you can specify how many bytes are sent to the ICAP server. When this check box is cleared, the entire file is transferred to the ICAP server. If the file is smaller than the Max scan size, the entire file will be transferred for scanning.

Headers - (Optional) In v8.0.5 and later, only set these values if needed for problematic ICAP connections. Headers can be used to override the REQMOD/RESPMOD X-headers sent by EFT, to fine-tune the connection to the ICAP server. These headers are displayed in the ICAP server logs.

HTTP host - The EFT site's local host address (do not use "localhost"); The default is to show the EFT HTTP Host if supplied (not localhost), otherwise "www.origin-server.com"; If you override the Host value, then that value is used instead. The order is: user override value -> EFT HTTP Host if supplied (not localhost) -> or www.origin-server.com as last resort.
X-Client-IP - Blank by default
X-Server-IP - Blank by default
X-Subscriber-ID - Blank by default
X-Authentication User - Provide a string with variables.

LDAP - Example: "LDAP://pdc/samaccountName=%LOGIN.LOGIN%,DC=s5development,DC=local"
AD - Examples: WinNT://{NetBIOSDomainName/sAMAccountName}, WinNT://pdc/s5dev\arybin
Other - Examples: Local://%USER.LOGIN%, Local://%SERVER.NODE_NAME%

X-Authenticated Groups - Blank by default
User can override and use context variables if desired as field elements. EFT will base-64 encode.

Note the difference between "ICAP Header" and "HTTP Header." The ICAP Header is a header with service information EFT sends to the ICAP server. The HTTP header is a part of information EFT sends to ICAP for analysis. That is, the HTTP header will be analyzed, not the ICAP header. The HTTP header is shown in ICAP log files.

Under Response Handling:

In v8.0.5 and later: Specify whether to transfer should Continue or Fail when the following occur: Connection errors, HTTP errors, ICAP redactions.
In v8.0.4 and earlier:

Text in ICAP response headers - (Optional) Specify text to search for in the ICAP response header.
Text in ICAP body - (Optional) Specify text to search for in the ICAP response body text.
Treat any violation as non-blocking (audit and continue) - Leave this check box cleared if you want violations to stop processing.

Audit and put into variables these ICAP response "X-" headers - (Optional) Specify “X-“ headers for auditing using ARM. If this option is enabled and no “X-“ headers are specified, all “X-“ headers will be audited. Use semicolons between multiple items. Note this check box only affects whether the specified headers are audited by ARM, regardless of success or failure.
Click OK to save the changes in the Event Rule. The name of the profile appears in the Event Rule Action.

Example of Workspace Created Event Rule with File Scan Action

Below is an example of a Workspace Created Event Rule with a File Scan Action and an if action failed action to Write to Event Log.

In this example, when a Workspace is created, the File Scan action uses the Clearswift profile to scan any files in that Workspace when it was created. If the scan finds any ICAP violation or redactions, it writes the information to the Windows Event Log. A file in the Workspace named BadCreditCard.txt contains a credit card number, which will fail the File Scan.

The profile was configured to work with a Clearswift ICAP server.

Details of the RESPMOD messages using Wireshark:

An example of EFT sending the Option method to a Clearswift ICAP server and the ICAP response:

Subject of a message sent with a file:

RESPMOD icap://192.168.100.79:1344/policy_service_resp ICAP/1.0
Host: 192.168.100.79
Allow: 204
X-Authenticated-User: TG9jYWw6Ly9keWVsYWNpYw==
Encapsulated: req-hdr=0, res-hdr=58, res-body=162
         
GET /BadCreditCard.txt HTTP/1.1
Host: 192.168.100.151
         
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 14
Cache-Control: no-cache
         
e
Subject Matter
0
         
ICAP/1.0 204 No Content
Server: Traffic Spicer 2.4.0
ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter"

Message sent with the file:

In the Wireshark readout, you can see the contents of the message:

411 1111 1111 1111
  Now is the time...

and then at the bottom of the file, you can see the credit card number was redacted:

**** **** **** ****
Now is the time 
...

RESPMOD icap://192.168.100.79:1344/policy_service_resp ICAP/1.0 Host: 192.168.100.79 Allow: 204 X-Authenticated-User: TG9jYWw6Ly9keWVsYWNpYw== Encapsulated: req-hdr=0, res-hdr=58, res-body=162 GET /BadCreditCard.txt HTTP/1.1 Host: 192.168.100.151 HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 39 Cache-Control: no-cache 27 4111 1111 1111 1111 Now is the time ... 0

ICAP/1.0 200 OK Server: Traffic Spicer 2.4.0 ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter" X-Virus-ID: Credit Card Numbers X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers; X-Violations-Found: 1 BadCreditCard.txt Credit Card Numbers 0 1 Encapsulated: res-hdr=0, res-body=104 HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 39 Cache-Control: no-cache 27 **** **** **** **** Now is the time ... 0 File contents scanned and redacted: RESPMOD icap://192.168.100.79:1344/policy_service_resp ICAP/1.0 Host: 192.168.100.79 Allow: 204 X-Authenticated-User: TG9jYWw6Ly9keWVsYWNpYw== Encapsulated: req-hdr=0, res-hdr=58, res-body=163 GET /BadCreditCard.txt HTTP/1.1 Host: 192.168.100.151 HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 341 Cache-Control: no-cache 155 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 4111 1111 1111 1111 fubar 0 ICAP/1.0 200 OK Server: Traffic Spicer 2.4.0 ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter" X-Virus-ID: Credit Card Numbers X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers; X-Violations-Found: 1 BadCreditCard.txt Credit Card Numbers 0 1 Encapsulated: res-hdr=0, res-body=105 HTTP/1.1 200 OK Content-Type: application/octet-stream Content-Length: 341 Cache-Control: no-cache 155 **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** fubar 0

EFT Log has the following information for this example:

02-05-21 13:18:23,255 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Processing 
 Content Integrity Control request for profile [2576e336-6a20-4d35-af8d-81094e4fa91c], 
 file [C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject 
 Matter\\*], scan metadata: 1
        02-05-21 13:18:23,255 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Checking 
 file: C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject 
 Matter\\BadCreditCard.txt
        02-05-21 13:18:23,271 [1216] ERROR Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - ICAP redaction 
 found during CIC action, file[C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject 
 Matter\\BadCreditCard.txt], profile[Clearswift] action failed.
        02-05-21 13:18:23,271 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Content 
 of file: 'C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject 
 Matter\\BadCreditCard.txt' was redacted.
        02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header 
 [X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;] 
 in response.
        02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: 
 Define event context variable %X-Infection-Found%: " Type=1; Resolution=1; 
 Threat=Credit Card Numbers;"
        02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header 
 [X-Violations-Found: 1] in response.
        02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: 
 Define event context variable %X-Violations-Found%: " 1"
        02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header 
 [X-Virus-ID: Credit Card Numbers] in response.
        02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: 
 Define event context variable %X-Virus-ID%: " Credit Card Numbers"
        02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Auditing 
 these X headers [X-Infection-Found: Type=1; Resolution=1; Threat=Credit 
 Card Numbers;;X-Violations-Found: 1;X-Virus-ID: Credit Card Numbers]
        02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Scanning 
 workspace subject
        02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Checking 
 metadata: Workspace subject
        02-05-21 13:18:23,287 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Scanning 
 workspace message
        02-05-21 13:18:23,287 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Checking 
 metadata: Workspace message
        02-05-21 13:18:23,302 [1216] ERROR Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - ICAP redaction 
 found during CIC action, metadata[Workspace message], profile[Clearswift] 
 action failed.
        02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Overriding 
 existing event context property %WORKSPACE.MESSAGE%
        02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Define 
 event context variable %WORKSPACE.MESSAGE%: "**** **** **** ****
        Now is the time ..."
        02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header 
 [X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;] 
 in response.
        02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: 
 Overriding existing event context property %X-Infection-Found%
        02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: 
 Define event context variable %X-Infection-Found%: " Type=1; Resolution=1; 
 Threat=Credit Card Numbers;"
        02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header 
 [X-Violations-Found: 1] in response.
        02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: 
 Overriding existing event context property %X-Violations-Found%
        02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: 
 Define event context variable %X-Violations-Found%: " 1"
        02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header 
 [X-Virus-ID: Credit Card Numbers] in response.
        02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: 
 Overriding existing event context property %X-Virus-ID%
        02-05-21 13:18:23,318 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: 
 Define event context variable %X-Virus-ID%: " Credit Card Numbers"
        02-05-21 13:18:23,318 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule 
 <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Auditing 
 these X headers [X-Infection-Found: Type=1; Resolution=1; Threat=Credit 
 Card Numbers;;X-Violations-Found: 1;X-Virus-ID: Credit Card Numbers]
        02-05-21 13:18:23,318 [4124] INFO SMTP <> - The 
 number of messages are pending for send: 1

The ARM Report:

The report displays the failure of the message, and that the file was redacted.

Example of Scanning Metadata

To test the metadata feature

Create an Event Rule using the Workspace Created event.
Add the If Workspace Subject Condition with the subject does equal to TEST.
Add the Scan file using Content Integrity Control Action.
Specify your ICAP server to scan the files.
In the File Path box, select the variable %WORKSPACE.PATH%, then add a backslash and an asterisk: \*. This will ensure the attached file is scanned.
Select the Also scan any available metadata, if present check box. This will ensure the metadata are scanned.
Save and run the Event Rule. The subject, message, and attached file will be scanned when using the Web Transfer Client to send a file. The message will be scanned and flagged if there are any violations in the message due to ICAP policy.

Since you cannot predict what information will be in the Subject or Message, you can add an "if action FAILED" action, such as an email notification or Write to Windows Event Log, instead of a Condition.

ICAP Options

EFT v8.0.5 and later support the use of ICAP Options method. The ICAP "OPTIONS" method is used by the ICAP client to retrieve configuration information from the ICAP server. In this method, the ICAP client sends a request addressed to a specific ICAP resource and receives back a response with options that are specific to the service named by the URI. All OPTIONS requests MAY also return options that apply to all services.

Wireshark capture of OPTIONS RESPMOD from Clearswift:

OPTIONS icap://192.168.100.79:1344/policy_service_resp ICAP/1.0

Host: 192.168.100.79

ICAP/1.0 200 OK

Server: Traffic Spicer 2.4.0

ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter"

Methods: RESPMOD

Preview: 0

Allow: 204

Max-Connections: 980

Transfer-Preview: *

Encapsulated: null-body=0

X-Include: X-Client-IP, X-Server-IP, X-Authenticated-User, X-Authenticated-Groups

Wireshark capture of OPTIONS REQMOD from Kaspersky:

OPTIONS icap://192.168.100.81:1344/av/reqmod ICAP/1.0

Host: 192.168.100.81

ICAP/1.0 200 OK

ISTag: "KAVPROXY"

Date: Fri, 05 Feb 2021 20:53:22 GMT

Methods: REQMOD

Allow: 204

Service: KAV-ICAP-Sever/5.5

Preview: 0

Max-Connections: 5000

Service-ID: KAVIcap

X-Include: X-Client-IP

Transfer-Preview: *

Transfer-Ignore:

Options-TTL: 300

Encapsulated: null-body=0

Wireshark capture of OPTIONS RESPMOD from Symantec:

OPTIONS icap://192.168.100.82:1344/RESPMOD ICAP/1.0

Host: 192.168.100.82

ICAP/1.0 200 OK

ISTag: "Vontu14.5"

Methods: RESPMOD

Options-TTL: 3600

Preview: 0

Transfer-Preview: *

Allow: 204

X-Include: X-Client-IP, X-Authenticated-User

Encapsulated: null-body=0

Max-Connections: 16