File Scan Action Example
Below is an example of a Workspace Created Event Rule with a File Scan Action and an "if action failed" action that writes to the Event Log.
In this example, when a Workspace is created, the File Scan action uses the Clearswift profile to scan any files placed in that Workspace at creation. If the scan reports an ICAP violation or a redaction, the rule writes the details to the Windows Event Log. A file in the Workspace named BadCreditCard.txt contains a credit card number, so it fails the File Scan.
The profile was configured to work with a Clearswift ICAP server.
Details of the RESPMOD messages, captured with Wireshark:
An example of EFT sending the OPTIONS method to a Clearswift ICAP server and the ICAP response:
Subject of the message, sent with the file (the ICAP server answers 204 No Content, so the subject needs no modification):
RESPMOD icap://192.168.100.79:1344/policy_service_resp ICAP/1.0
Host: 192.168.100.79
Allow: 204
X-Authenticated-User: TG9jYWw6Ly9keWVsYWNpYw==
Encapsulated: req-hdr=0, res-hdr=58, res-body=162
GET /BadCreditCard.txt HTTP/1.1
Host: 192.168.100.151
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 14
Cache-Control: no-cache
e
Subject Matter
0
ICAP/1.0 204 No Content
Server: Traffic Spicer 2.4.0
ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter"
Message sent with the file:
In the Wireshark readout, you can see the contents of the message:
4111 1111 1111 1111 Now is the time...
and then, at the bottom of the exchange, you can see that the credit card number was redacted:
**** **** **** **** Now is the time ...
RESPMOD icap://192.168.100.79:1344/policy_service_resp ICAP/1.0
Host: 192.168.100.79
Allow: 204
X-Authenticated-User: TG9jYWw6Ly9keWVsYWNpYw==
Encapsulated: req-hdr=0, res-hdr=58, res-body=162
GET /BadCreditCard.txt HTTP/1.1
Host: 192.168.100.151
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 39
Cache-Control: no-cache
27
4111 1111 1111 1111
Now is the time ...
0
ICAP/1.0 200 OK
Server: Traffic Spicer 2.4.0
ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter"
X-Virus-ID: Credit Card Numbers
X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;
X-Violations-Found: 1
BadCreditCard.txt
Credit Card Numbers
0
1
Encapsulated: res-hdr=0, res-body=104
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 39
Cache-Control: no-cache
27
**** **** **** ****
Now is the time ...
0
File contents scanned and redacted:
RESPMOD icap://192.168.100.79:1344/policy_service_resp ICAP/1.0
Host: 192.168.100.79
Allow: 204
X-Authenticated-User: TG9jYWw6Ly9keWVsYWNpYw==
Encapsulated: req-hdr=0, res-hdr=58, res-body=163
GET /BadCreditCard.txt HTTP/1.1
Host: 192.168.100.151
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 341
Cache-Control: no-cache
155
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
4111 1111 1111 1111
fubar
0
ICAP/1.0 200 OK
Server: Traffic Spicer 2.4.0
ISTag: "CSICAP/v2.4.0/cd7ac05/CSAdapter"
X-Virus-ID: Credit Card Numbers
X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;
X-Violations-Found: 1
BadCreditCard.txt
Credit Card Numbers
0
1
Encapsulated: res-hdr=0, res-body=105
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 341
Cache-Control: no-cache
155
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
**** **** **** ****
fubar
0
The EFT log contains the following entries for this example:
02-05-21 13:18:23,255 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Processing Content Integrity Control request for profile [2576e336-6a20-4d35-af8d-81094e4fa91c], file [C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject Matter\\*], scan metadata: 1
02-05-21 13:18:23,255 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Checking file: C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject Matter\\BadCreditCard.txt
02-05-21 13:18:23,271 [1216] ERROR Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - ICAP redaction found during CIC action, file[C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject Matter\\BadCreditCard.txt], profile[Clearswift] action failed.
02-05-21 13:18:23,271 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Content of file: 'C:\InetPub\EFTRoot\MySite\Usr\<username>\WorkspacesSendMessage\Subject Matter\\BadCreditCard.txt' was redacted.
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;] in response.
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Infection-Found%: " Type=1; Resolution=1; Threat=Credit Card Numbers;"
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Violations-Found: 1] in response.
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Violations-Found%: " 1"
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Virus-ID: Credit Card Numbers] in response.
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Virus-ID%: " Credit Card Numbers"
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Auditing these X headers [X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;;X-Violations-Found: 1;X-Virus-ID: Credit Card Numbers]
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Scanning workspace subject
02-05-21 13:18:23,271 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Checking metadata: Workspace subject
02-05-21 13:18:23,287 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Scanning workspace message
02-05-21 13:18:23,287 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Checking metadata: Workspace message
02-05-21 13:18:23,302 [1216] ERROR Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - ICAP redaction found during CIC action, metadata[Workspace message], profile[Clearswift] action failed.
02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Overriding existing event context property %WORKSPACE.MESSAGE%
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Define event context variable %WORKSPACE.MESSAGE%: "**** **** **** ****
Now is the time ..."
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;] in response.
02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Overriding existing event context property %X-Infection-Found%
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Infection-Found%: " Type=1; Resolution=1; Threat=Credit Card Numbers;"
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Violations-Found: 1] in response.
02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Overriding existing event context property %X-Violations-Found%
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Violations-Found%: " 1"
02-05-21 13:18:23,302 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Found header [X-Virus-ID: Credit Card Numbers] in response.
02-05-21 13:18:23,302 [1216] WARN Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Overriding existing event context property %X-Virus-ID%
02-05-21 13:18:23,318 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - EVENT_ACTION_CONTENT_INTEGRITY_CONTROL: Define event context variable %X-Virus-ID%: " Credit Card Numbers"
02-05-21 13:18:23,318 [1216] TRACE Events.ContentIntegrityControl.MySite.On_Workspace_Created_Rule <HTTP.ProcessRequest; Rule: On Workspace Created Rule> - Auditing these X headers [X-Infection-Found: Type=1; Resolution=1; Threat=Credit Card Numbers;;X-Violations-Found: 1;X-Virus-ID: Credit Card Numbers]
02-05-21 13:18:23,318 [4124] INFO SMTP <> - The number of messages are pending for send: 1
The ARM Report:
The report shows that the message failed the scan and that the file was redacted.