Content & Malware Analysis

  • 1.  3rd party ICAP Integration with File transfer application results in unknown files and source

    Posted Aug 27, 2020 12:32 PM
    Hello,

    I'm working with our team that manages our file transfer application to integrate CAS to perform anti-malware scans on uploaded files. We are able to successfully ICAP to the CAS on TCP 1344 (client apparently doesn't support secure ICAP) from our file transfer application. When we did a test with the EICAR test file (string in a text file), the file was detected by CAS as expected; however, on the CAS side, the detection is missing important details like FileName and ClientIP, which have values of unknown. Is there something we need to change on the application side (ICAP client) to get this information, or is there an issue on the CAS where it's not parsing/extracting this data? Unsure as to where the problem may lie.

    Thanks,
    Kevin


  • 2.  RE: 3rd party ICAP Integration with File transfer application results in unknown files and source

    Broadcom Employee
    Posted Aug 27, 2020 02:16 PM
    Edited by Jacob Miles Aug 27, 2020 04:24 PM
    Hi Kevin,

    Where are you not seeing the fields? Is this the View Report under Statistics > Recent Threats?

    For the client IP, I would imagine this would be an issue with what was sent. Where this is not encrypted, you could take a packet capture and see what your ICAP client is sending. Below is an excerpt of a pcap where the ProxySG is sending to the CAS over ICAP. Notice how there is an X-Client-IP header. I would be curious to see if your client is sending a similar header.


    As far as the Filename, that is interesting. In the Recent Threat report, what Vendor does it say blocked the file?

    Thanks

    Jacob


  • 3.  RE: 3rd party ICAP Integration with File transfer application results in unknown files and source

    Posted Aug 28, 2020 09:34 AM
    Hi Jacob,

    I looked at our PCAP and did not see an X-Client-IP header in the ICAP packet flow. I am currently working with our application team to see if there are any configurations we can change that would provide this information.

    For the Filename, yes, it is in the Recent Threats section. Symantec was the Vendor for the block. The file in question was the EICAR test string in a text file, uploaded through our application and then sent over ICAP to our CAS.




  • 4.  RE: 3rd party ICAP Integration with File transfer application results in unknown files and source

    Broadcom Employee
    Posted Aug 28, 2020 01:38 PM
    Hi Kevin,

    Where it is detected by SymantecAV, I would say this is all dependent on the headers in your ICAP request. I have been able to verify that if you remove the X-Client-IP header, the client shows as unknown. Unfortunately, we don't provide support for 3rd party app development, so I don't have a lot of resources available to me to answer this question. My guess would be that the CAS is pulling the file name by parsing the URL provided in the request. ICAP wise, I think modifying your request headers in the ICAP request will be your best bet.

    Another thing to explore, if you haven't, is using the API to submit files. I am not sure if there is a way to send the client-ip using the API, but it is a lot more documented, and so that may be something to explore if you run into other hurdles besides this one. The API guide is found here.

    Hope this helps!

    Jacob
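The point raised in this thread (the client IP comes from an X-Client-IP header on the ICAP request, and the file name is most likely taken from the URL in the encapsulated HTTP request) can be checked without a CAS at all. The example below is added here and is not from the thread, the file transfer application, or any Broadcom documentation: it builds a minimal ICAP RESPMOD request the way a third-party ICAP client would, then parses back the two fields the report showed as unknown. The service path `/avscan`, the host names and the 10.20.30.40 address are assumed placeholders.

```python
# Added example (not from the thread). Builds an ICAP RESPMOD request that carries
# X-Client-IP and a file-name-bearing URL, then extracts what a scanner would log.
from urllib.parse import urlparse, unquote

def build_respmod(icap_host, service, client_ip, url, body, host_header):
    """Return raw ICAP RESPMOD request bytes (RFC 3507 layout).
    client_ip=None omits X-Client-IP, reproducing the 'unknown' case from the thread."""
    http_req = (f"GET {url} HTTP/1.1\r\n"
                f"Host: {host_header}\r\n\r\n").encode()
    http_resp_hdr = (f"HTTP/1.1 200 OK\r\n"
                     f"Content-Type: application/octet-stream\r\n"
                     f"Content-Length: {len(body)}\r\n\r\n").encode()
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"  # ICAP bodies are chunked
    lines = [f"RESPMOD icap://{icap_host}:1344{service} ICAP/1.0",
             f"Host: {icap_host}"]
    if client_ip:
        lines.append(f"X-Client-IP: {client_ip}")  # the header the PCAP was missing
    lines += ["Allow: 204",
              f"Encapsulated: req-hdr=0, res-hdr={len(http_req)}, "
              f"res-body={len(http_req) + len(http_resp_hdr)}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + http_req + http_resp_hdr + chunked

def extract_metadata(raw):
    """Parse the client IP and file name the way a scanner plausibly does:
    IP from X-Client-IP, file name from the last path segment of the encapsulated
    request URL. Missing data yields 'unknown', matching the Recent Threats report."""
    icap_hdr, _, encapsulated = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in icap_hdr.decode().split("\r\n")[1:]:   # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    client_ip = headers.get("x-client-ip", "unknown")
    filename = "unknown"
    if "req-hdr=0" in headers.get("encapsulated", ""):
        request_line = encapsulated.split(b"\r\n", 1)[0].decode()
        parts = request_line.split(" ")
        if len(parts) == 3:
            segment = unquote(urlparse(parts[1]).path.rsplit("/", 1)[-1])
            if segment:
                filename = segment
    return {"client_ip": client_ip, "filename": filename}

if __name__ == "__main__":
    # Constructed sample upload; a real client would send the uploaded file bytes.
    req = build_respmod("cas.example.internal", "/avscan", "10.20.30.40",
                        "http://ft.example.internal/uploads/eicar%20test.txt",
                        b"constructed sample bytes", "ft.example.internal")
    print(extract_metadata(req))
```

Capturing your own client's request and feeding it to `extract_metadata` shows immediately whether the header and a usable URL are present before CAS ever sees the file.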