File Scan Action Example

Below is an example of a Workspace Created Event Rule with a File Scan Action and, if that action fails, a Write to Event Log action.

In this example, when a Workspace is created, the File Scan action uses the Clearswift profile to scan any files that were in the Workspace at creation time. If the scan reports an ICAP violation or a redaction, the rule writes the details to the Windows Event Log. A file in the Workspace named BadCreditCard.txt contains a credit card number, so it fails the File Scan.

The profile was configured to work with a Clearswift ICAP server.

Details of the RESPMOD messages, captured with Wireshark:

An example of EFT sending the OPTIONS method to a Clearswift ICAP server and the ICAP response:

Subject of a message sent with a file (the server answers 204 No Content, meaning the subject passed and is used unchanged):

RESPMOD icap://192.168.100.79:1344/policy_service_resp ICAP/1.0
Host: 192.168.100.79
Allow: 204
X-Authenticated-User: TG9jYWw6Ly9keWVsYWNpYw==
Encapsulated: req-hdr=0, res-hdr=58, res-body=162

GET /BadCreditCard.txt HTTP/1.1
Host: 192.168.100.151

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 14
Cache-Control: no-cache

e
Subject Matter
0

ICAP/1.0 204 No Content
Server: Traffic Spicer 2.4.0
ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter"

Message sent with the file:

In the Wireshark readout, you can see the contents of the message as sent:

4111 1111 1111 1111
Now is the time ...

and at the bottom of the readout, in the body the ICAP server returns, you can see that the credit card number was redacted:

**** **** **** ****
Now is the time ...

The full RESPMOD exchange for the message:

RESPMOD icap://192.168.100.79:1344/policy_service_resp ICAP/1.0
Host: 192.168.100.79
Allow: 204
X-Authenticated-User: TG9jYWw6Ly9keWVsYWNpYw==
Encapsulated: req-hdr=0, res-hdr=58, res-body=162

GET /BadCreditCard.txt HTTP/1.1
Host: 192.168.100.151

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 39
Cache-Control: no-cache

27
4111 1111 1111 1111
Now is the time ...
0

ICAP/1.0 200 OK
Server: Traffic Spicer 2.4.0
ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter"
X-Virus-ID: Credit Card Numbers
X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;
X-Violations-Found: 1
BadCreditCard.txt
Credit Card Numbers
0
1
Encapsulated: res-hdr=0, res-body=104

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 39
Cache-Control: no-cache

27
**** **** **** ****
Now is the time ...
0

File contents scanned and redacted:

RESPMOD icap://192.168.100.79:1344/policy_service_resp ICAP/1.0
Host: 192.168.100.79
Allow: 204
X-Authenticated-User: TG9jYWw6Ly9keWVsYWNpYw==
Encapsulated: req-hdr=0, res-hdr=58, res-body=163

GET /BadCreditCard.txt HTTP/1.1
Host: 192.168.100.151

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 341
Cache-Control: no-cache

155
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
fubar
0

ICAP/1.0 200 OK
Server: Traffic Spicer 2.4.0
ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter"
X-Virus-ID: Credit Card Numbers
X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;
X-Violations-Found: 1
BadCreditCard.txt
Credit Card Numbers
0
1
Encapsulated: res-hdr=0, res-body=105

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 341
Cache-Control: no-cache

155
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
fubar
0
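To show how a client such as EFT interprets the two kinds of response above (204 for clean content; 200 with X-Virus-ID, X-Infection-Found and X-Violations-Found headers plus a re-chunked, redacted body), here is an added Python example. It is not EFT's or Clearswift's code; the two sample responses are constructed from the captures above, and treating the bare lines after X-Violations-Found as continuation of that header is an assumption about Clearswift's format.

```python
import re  # added example, not EFT's or Clearswift's code; sample responses are constructed

def dechunk(data: bytes) -> bytes:
    """Decode an HTTP chunked body: <hex size>CRLF<data>CRLF ... 0CRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # ignore any chunk extension
        if size == 0:
            return bytes(out)
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # step over the chunk data and its trailing CRLF

def parse_icap_response(raw: bytes) -> dict:
    """Return ICAP status, its headers, and the de-chunked encapsulated body (None on 204)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    status_line, *lines = head.decode("latin-1").split("\r\n")
    headers, last = {}, None
    for line in lines:
        if ":" in line:
            last, value = line.split(":", 1)
            headers[last] = value.strip()
        elif last:  # assumption: Clearswift continues X-Violations-Found over bare lines
            headers[last] += "\n" + line
    status, body = int(status_line.split(" ")[1]), None
    if status == 200 and "Encapsulated" in headers:
        offsets = dict(re.findall(r"(\w+-\w+)=(\d+)", headers["Encapsulated"]))
        if "res-body" in offsets:  # body starts at this byte offset of the encapsulated part
            body = dechunk(rest[int(offsets["res-body"]):])
    return {"status": status, "headers": headers, "body": body}

def scan_verdict(raw: bytes) -> dict:
    """Reduce a response to what the EFT rule acts on: redacted or not, and which policy fired."""
    r = parse_icap_response(raw)
    violations = int(r["headers"].get("X-Violations-Found", "0").split("\n")[0])
    return {"redacted": r["status"] == 200 and r["body"] is not None, "violations": violations,
            "threat": r["headers"].get("X-Virus-ID"), "body": r["body"]}

# Constructed from the second capture above: one violation, body returned with the number masked.
HTTP_HDR = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: 39\r\nCache-Control: no-cache\r\n\r\n")  # 104 bytes = res-body offset
SAMPLE_200 = (b"ICAP/1.0 200 OK\r\nServer: Traffic Spicer 2.4.0\r\n"
              b'ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter"\r\nX-Virus-ID: Credit Card Numbers\r\n'
              b"X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;\r\n"
              b"X-Violations-Found: 1\r\nBadCreditCard.txt\r\nCredit Card Numbers\r\n0\r\n1\r\n"
              b"Encapsulated: res-hdr=0, res-body=104\r\n\r\n" + HTTP_HDR
              + b"27\r\n**** **** **** ****\nNow is the time ...\r\n0\r\n\r\n")
# Constructed from the first capture: clean subject, 204 tells the client to keep the original.
SAMPLE_204 = (b"ICAP/1.0 204 No Content\r\nServer: Traffic Spicer 2.4.0\r\n"
              b'ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter"\r\n\r\n')
```

Because EFT treats a 200 with a returned body as "ICAP redaction found", a client that only checks the status line and ignores the X-* headers still ends up storing the masked content, while the headers are what give the log its policy name and violation count.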

The EFT log contains the following entries for this example (one entry per line):

02-05-21 13:18:23,255 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Processing Content Integrity Control request for profile [2576e336-6a20-4d35-af8d-81094e4fa91c], file [C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject Matter\\*], scan metadata: 1
02-05-21 13:18:23,255 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Checking file: C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject Matter\\BadCreditCard.txt
02-05-21 13:18:23,271 [1216] ERROR Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - ICAP redaction found during CIC action, file[C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject Matter\\BadCreditCard.txt], profile[Clearswift] action failed.
02-05-21 13:18:23,271 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Content of file: 'C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject Matter\\BadCreditCard.txt' was redacted.
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;] in response.
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Infection-Found%: " Type=1; Resolution=1; Threat=Credit Card Numbers;"
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Violations-Found: 1] in response.
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Violations-Found%: " 1"
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Virus-ID: Credit Card Numbers] in response.
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Virus-ID%: " Credit Card Numbers"
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Auditing these X headers [X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;;X-Violations-Found: 1;X-Virus-ID: Credit Card Numbers]
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Scanning workspace subject
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Checking metadata: Workspace subject
02-05-21 13:18:23,287 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Scanning workspace message
02-05-21 13:18:23,287 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Checking metadata: Workspace message
02-05-21 13:18:23,302 [1216] ERROR Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - ICAP redaction found during CIC action, metadata[Workspace message], profile[Clearswift] action failed.
02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Overriding existing event context property %WORKSPACE.MESSAGE%
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Define event context variable %WORKSPACE.MESSAGE%: "**** **** **** ****
Now is the time ..."
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;] in response.
02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Overriding existing event context property %X-Infection-Found%
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Infection-Found%: " Type=1; Resolution=1; Threat=Credit Card Numbers;"
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Violations-Found: 1] in response.
02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Overriding existing event context property %X-Violations-Found%
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Violations-Found%: " 1"
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Virus-ID: Credit Card Numbers] in response.
02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Overriding existing event context property %X-Virus-ID%
02-05-21 13:18:23,318 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Virus-ID%: " Credit Card Numbers"
02-05-21 13:18:23,318 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Auditing these X headers [X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;;X-Violations-Found: 1;X-Virus-ID: Credit Card Numbers]
02-05-21 13:18:23,318 [4124] INFO SMTP <> - The number of messages are pending for send: 1

The ARM Report:

The report shows that the message failed the scan and that the file was redacted.