How does File: Scan Work in Event Rules?

The File: Scan Action is used to send a file to an antivirus or data loss prevention scanner for processing. When this Action is added, a file that triggers the Event Rule is sent to an ICAP server for scanning. When the file passes the scan, other Actions can occur, such as moving the file to another location. If the file fails the scan, processing can stop, or other Actions can occur, such as sending an email notification. EFT fully supports RFC3507 section-3.1 and section-4.8. EFT can adapt the outgoing response if the ICAP server indicates that adaptation is necessary.

How does File: Scan work in Event Rules?

The File: Scan Action allows ICAP clients to pass HTTP messages to ICAP servers to scan the file(s) in the Event Rule that is passing through EFT.

You can create reusable profiles on the Content Integrity Control Tab and you can create a custom Content Integrity Control (CIC) profile as you need it, as described below.

Important info about how EFT uses the File Scan Action

IMPORTANT:
  • Using the File Scan Action with encrypted files will not return an accurate result. Copy/move the files to a folder that is not encrypted to process with the ICAP server.

  • ICAP servers don't all offer the same features. The action was tested with:

    • Clearswift version 5

    • Symantec DLP version 14.5.0.24028

    • Kaspersky version 5.5

  • When using the action, EFT needs to use POST in HTTP requests. Refer to knowledgebase article https://kb.globalscape.com/KnowledgebaseArticle11375.aspx for information about enabling an advanced property.

  • File Uploaded and Workspace Created events are triggered after a file is uploaded and after a Workspace is created. Only after the event triggers will the action begin communication with the ICAP server, and then redacts the file, if needed. Therefore, there may be delays between when a Workspace is created and a file is redacted. Use the File Uploaded event to trigger the action, then use the File: Scan action and "Fail" to prevent the message from being sent. Use the Before Download event trigger to scan the file before it's downloaded.

.