4. Using ICAP server for Metadefender Core v4.x (BETA)

For Windows

Prerequisites

How To Install

  1. Unpack the zip package into a directory

  2. Open icap_config.ini and set rest_port to the port used by Metadefender Core REST (default is 8048)

  3. Start omsICAPServer.exe

    1. For better performance, install omsICAPServer.exe as a Windows service:

      sc.exe create <new_service_name> binPath= "<path_to_the_service_executable>"

  4. Using Metadefender Core v4 management enable local file scan:

    1. Log in to the management console using admin/admin as the account and passcode

    2. Open Policies → Security rules → File scan

    3. Check "Allow scan files on server"

    4. Add the ICAP temp directory to the list of allowed directories. This is C:\Windows\Temp\ by default on Windows but can be overridden by temp_dir in icap_config.ini

For Linux (Ubuntu 16.04)

Prerequisites

How To Install

  1. Unpack the zip package into a directory

  2. Open icap_config.ini and set rest_port to the port used by Metadefender Core REST (default is 8048)

  3. Start md_icap

  4. Using Metadefender Core v4 management enable local file scan:

    1. Log in to the management console using admin/admin as the account and passcode

    2. Open Policies → Security rules → File scan

    3. Check "Allow scan files on server"

    4. Add the ICAP temp directory to the list of allowed directories. This is /tmp/ by default on Linux but can be overridden by temp_dir in icap_config.ini

Configuration via INI

The ICAP server is configured in omsConfig.ini. Configuration changes take effect only after the ICAP server is restarted.

Key

Description

maxnum_sockets

Range: 1 - 1000
Default: 60

Number of worker threads that the Metadefender Core ICAP server uses to handle ICAP requests. For optimal performance, set this to a value higher than the number of processor cores available to the Metadefender Core system.

maxnum_connections

Default: 355

The maximum number of simultaneous connections that the ICAP server is able to support. Certain proxy servers will use this value to restrict the requests that are made of the Metadefender Core ICAP server and will not send more than this number of simultaneous requests to the Metadefender Core ICAP server.

  • By ICAP specs, the client (proxy) is not supposed to send more requests than what is advertised by the ICAP server.

  • If the client receives more than this number of connections, it is supposed to handle the overload itself (i.e. queuing, bypassing, rejecting...)

  • The ICAP server does not enforce that number. If the client does not respect the rules and sends more than the advertised maximum number of connections, the server will still process them.
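Because the limit is only advertised and never enforced, it is worth checking what the server actually announces and whether the observed load stays under it. The following is an added example, not code from the product: the Max-Connections header name comes from RFC 3507, while the service path, the sample response and the function names are assumptions made for illustration.

```python
# Constructed OPTIONS response. Header names follow RFC 3507; the values are
# made up for this example and were not captured from a real server.
SAMPLE_RESPONSE = (b"ICAP/1.0 200 OK\r\n"
                   b"Methods: RESPMOD\r\n"
                   b"Max-Connections: 355\r\n"
                   b"Options-TTL: 3600\r\n"
                   b"Encapsulated: null-body=0\r\n\r\n")


def build_options_request(host, port, service):
    """Build an ICAP OPTIONS request; `service` is a placeholder path."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")


def advertised_max_connections(raw):
    """Return the Max-Connections value of an OPTIONS response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    status, *lines = head.split("\r\n")
    if not status.startswith("ICAP/1.0 200"):
        raise ValueError(f"unexpected ICAP status line: {status!r}")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    value = headers.get("max-connections", "")
    return int(value) if value.isdecimal() else None


def check_connection_budget(raw, configured, open_connections):
    """Compare the advertised limit with the INI value and the observed load."""
    limit = advertised_max_connections(raw)
    findings = []
    if limit != configured:
        findings.append(f"advertised {limit} but maxnum_connections is {configured}")
    # The server keeps processing requests above the limit, so flag it here.
    if limit is not None and open_connections > limit:
        findings.append(f"{open_connections} open connections exceed advertised {limit}")
    return findings
```

Send the bytes from build_options_request over a TCP connection to the ICAP port (1344 by default) to obtain a real response; open_connections is whatever count your connection monitoring reports for that port.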

port

Range: 1 - 65535
Default: 1344

Port the server listens on. If you are installing alongside another product that has an ICAP interface, you must change this to a different port.

block_on_max_capacity

Range: 0 - 1
Default: 0

Blocks (i.e. returns 403 Forbidden to HTTP clients) every incoming request when Metadefender Core is overloaded (i.e. "Metascan server too busy"). A "Metascan server is too busy. Please try again later." message will be displayed in the clients' browsers.

  • 0: Allow files when overloaded

  • 1: Block files when overloaded

path_to_custom_html

Value: Absolute file path or file path relative to omsICAPServer.exe directory
Default: omsICAPdefault.htm

Path to custom HTML page to be displayed to the user when content is blocked, request rejected due to license, server too busy, etc.

  • Content is parsed by ICAP server.

  • Use the "%%%icap_block_message%%%" macro in the web page as a placeholder for the ICAP message. The ICAP server replaces the macro with the message it needs to display.

scan_health_checks

Range: 0 - 1
Default: 0

Scan client specific health checks.
Disabling scanning health checks improves performance as it reduces the load on Metascan.

  • Only implemented for BlueCoat for now.

  • Support for different health checks is easy to add.

  • BlueCoat periodically sends requests to the ICAP server to make sure it's working fine.

    • Disabling scanning health checks improves performance.

dump_invalid_requests

Range: 0 - 1
Default: 0

Outputs the invalid buffer to a file ending in "_400_Bad_Request.txt". There is a slight performance impact when invalid requests are processed. Should only be enabled for investigation purposes.

  • 0: Disables dumping invalid (ICAP 400 response) raw requests to a file.

  • 1: Dumps invalid (ICAP 400 response) raw requests to a file.

log_dir

Value: Absolute or relative path for the logging directory. All the generated log files are placed here.
Default: Empty (Log folder under install directory)

The path to the logging directory.

temp_dir

Value: Absolute or relative path for a directory that can be used by ICAP server for saving temporary files.
Default: Empty (C:\Windows\Temp\ on Windows and /tmp/ on Linux)

The path to the directory that can be used by the ICAP server to save temporary files.

skip_too_big_file

Range: 0 - Max Unsigned Long
Default: 0

Allows the ICAP server to skip scanning a file if the file is too large. The value specifies, in bytes, the threshold for skipping files. A value of 0 means this feature is off; anything greater than 0 means it is on.

use_persistent_connections

Range: 0 - 1
Default: 0

This should be used for improved performance. The ICAP server keeps the connections open, so they can be reused for several requests.

  • 0 : ICAP server is not using persistent connections. Connections are closed after serving a request.

  • 1 : ICAP server is using persistent connections. Connections are kept open after serving a request.

rest_port

Range: 1 - 65535
Default: 8048

Port of the Metadefender v4 REST interface, which the ICAP server can use to initiate scanning.

sanitization_postfix

Value: Custom text postfix that will be appended to the filename in the Content-Disposition header if the file is sanitized.
Default: No postfix will be appended.

This postfix can be used to indicate if a file is sanitized. If the key is not set or set to empty string, no postfix will be appended.

For example, when PDF to PDF sanitization is enabled in the Core workflow and the postfix is configured as

sanitization_postfix=[sanitized]

the HTTP header

Content-Disposition: attachment; filename="report.pdf";

will be modified to

Content-Disposition: attachment; filename="report[sanitized].pdf";
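Several of the keys above decide whether content can reach users without being scanned (block_on_max_capacity, skip_too_big_file) or whether raw traffic ends up on disk (dump_invalid_requests, temp_dir). The following added example, which is not part of the product, reviews an INI file for those settings and for values outside the documented ranges; the "[icap]" section header, the sample values and the audit function name are assumptions made for illustration.

```python
import configparser

# Constructed sample. The "[icap]" section header is an assumption added so
# that configparser accepts the text; the page does not show the file layout.
SAMPLE_INI = """\
[icap]
port=1344
block_on_max_capacity=0
skip_too_big_file=104857600
dump_invalid_requests=1
temp_dir=
"""

# Ranges as documented in the key table above.
RANGES = {
    "maxnum_sockets": (1, 1000), "port": (1, 65535), "rest_port": (1, 65535),
    "block_on_max_capacity": (0, 1), "scan_health_checks": (0, 1),
    "dump_invalid_requests": (0, 1), "use_persistent_connections": (0, 1),
}


def audit(ini_text):
    """Return (key, finding) pairs for range errors and scan-bypass settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    cfg = {k: v.strip() for s in cp.sections() for k, v in cp.items(s)}
    findings = []
    for key, (lo, hi) in RANGES.items():
        if key in cfg and not (cfg[key].isdecimal() and lo <= int(cfg[key]) <= hi):
            findings.append((key, f"{cfg[key]!r} is outside the range {lo}-{hi}"))
    # 0 (the default) allows files while Core reports that it is too busy.
    if cfg.get("block_on_max_capacity", "0") == "0":
        findings.append(("block_on_max_capacity", "files are allowed when overloaded"))
    # Any value above 0 makes larger files skip scanning.
    size = cfg.get("skip_too_big_file", "0")
    if size.isdecimal() and int(size) > 0:
        findings.append(("skip_too_big_file", f"files over {size} bytes are not scanned"))
    # Intended for investigations only: raw requests are written to disk.
    if cfg.get("dump_invalid_requests", "0") == "1":
        findings.append(("dump_invalid_requests", "raw invalid requests are dumped to files"))
    # Empty means the system temp directory, which Core must allow for local scans.
    if not cfg.get("temp_dir", ""):
        findings.append(("temp_dir", "default system temp directory is in use"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(SAMPLE_INI):
        print(f"{key}: {finding}")
```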