ProxySG & Advanced Secure Gateway

  • 1.  File decompression error in ICAP operation

    Posted Jul 21, 2020 09:22 PM
    Hi,

    While running an ASG S400 30 (version ASG 6.7.5.3) forward proxy in explicit mode, I get the following error message when trying to download a file even though the domain has been listed in a rule in the Web Content Layer exempting content from "Response Analysis". 

    "Your access to the site http://obfuscateddomain.com/file_name_here has been denied for the following reason:

    An error occurred while performing an ICAP operation: File decompression/decode error; File: f0aa785e-767f-471f-adae-59b43414549a;"

    Is there any other way of exempting this content from ICAP/AntiVirus scanning?



  • 2.  RE: File decompression error in ICAP operation

    Posted Jul 22, 2020 02:24 AM
    Edited by Sakkarin Pichetskul Jul 22, 2020 02:24 AM
    Hello Daryll,

    In the CAS configuration, you cannot create a policy to exempt certain domains with an option for whether the file is dropped or not when the AV engine cannot decompress it.
    You can only set this globally: bypass or drop the compressed file (password-protected or other error).

    But you can bypass the CAS with a policy in the ProxySG policy on the DST URL http://obfuscateddomain.com/file_name_here (if HTTPS, you should decrypt SSL or create an object with the URL domain obfuscateddomain.com) in the content layer.

    Thank you and BR
    Sakkarin Pichetskul

    ------------------------------
    System Engineer
    nForce Secure Co.,Ltd. [Thailand]
    ------------------------------



  • 3.  RE: File decompression error in ICAP operation

    Posted Jul 22, 2020 05:51 PM
    Hi Sakkarin,

    Do you have an example of what you are suggesting?

    I have already listed the domain in a:
    SSL exemption rule in the SSL Intercept Layer, 
    a direct access exemption rule in the Web Access Layer
    and, an AV scan exemption rule in the Web Content Layer.

    Is there a way to do it in CPL?

    Cheers
    Daryll


  • 4.  RE: File decompression error in ICAP operation

    Broadcom Employee
    Posted Jul 22, 2020 06:35 PM
    Hi Daryll,

    If you already have the domain listed in a rule to not go to the CAS, and it is, then I would suggest the next step would be to take a policy trace to see what is happening. More on how to set up a policy trace can be found here.

    Sometimes another rule in another layer matches and overrides your rule to not scan, and so that is something to check for in the policy trace. If you have Malware Scanning enabled (Configuration > Threat Protection > Malware Scanning), it adds scanning policy at the end, and can conflict and override your rules. If this is the case, disabling Malware Scanning and switching to the ICAP Best Practices CPL is recommended. 

    Also, it could be that there are multiple things in your rule that need to trigger, and not all of them are being met. If you see a "miss" in the policy trace where your rule is, this is the reason, and you'll need to inspect the rule more closely to understand why it isn't matching.

    Thanks!
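    As an added example (this is not code from the thread, from the KB article, or from Broadcom's documentation), the per-host policy trace Jacob recommends and the host bypass Sakkarin describes look like this in CPL for the local policy file. The host name stands in for the real one and the trace file name is an arbitrary choice:

```cpl
; Added example, not from the thread or Broadcom docs.
; "obfuscateddomain.com" stands in for the real host; the trace file name is arbitrary.

define condition Trace_and_bypass_hosts
    url.domain=obfuscateddomain.com
end

; Trace only requests to that host so the trace file is not flooded with
; unrelated traffic. trace.rules(all) records every layer, including the
; ones that report a "miss". Remove this layer once the overriding rule is found.
<Proxy>
    condition=Trace_and_bypass_hosts trace.request(yes) trace.rules(all) trace.destination("icap_bypass_trace.html")

; Request-side ICAP is set in a <Proxy> layer (VPM Web Access Layer).
<Proxy>
    condition=Trace_and_bypass_hosts request.icap_service(no)

; Do not intercept TLS to that host; a tunnelled response has no body for ICAP to scan.
<SSL-Intercept>
    condition=Trace_and_bypass_hosts ssl.forward_proxy(no)

; Response-side ICAP is set in a <Cache> layer (VPM Web Content Layer).
<Cache>
    condition=Trace_and_bypass_hosts response.icap_service(no)
```

    CPL evaluates layers in order and the last layer that sets a given property wins, so a bypass that shows as a match in the trace can still be undone by a later layer that sets response.icap_service again (as Jacob notes, the Malware Scanning feature appends its layers at the end). When reading the trace, look for the last layer that sets response.icap_service rather than only for the "miss" on the bypass rule.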


  • 5.  RE: File decompression error in ICAP operation

    Posted Jul 23, 2020 01:47 AM
    Hi Jacob,

    I'm already using the Best Practices CPL recommendation according to the level of security appropriate for our organisation.
    As recommended, the CPL is installed via the Local File editor, and I have now also included, above the Best Practices CPL, the following lines as recommended in https://knowledge.broadcom.com/external/article/166557/icap-best-practices-are-ignored-if-malwa.html
    ;================================= Bypass Malware Scanning for specific sites ============================================
    <Cache Bypass_BC_malware_scanning_solution>
    policy.Bypass_BC_malware_scanning_solution ; Creates a new layer after the Malware Scanning layers.
    define cache policy Bypass_BC_malware_scanning_solution

    <Cache Bypass_BC_malware_scanning_solution>
    url.host.is_private=yes response.icap_service(no) ; Bypasses Icap scanning for private or internal networks defined on the ProxySG
    condition=Bypass_malware_sites response.icap_service(no) ; Bypasses Icap for the sites defined in the Bypass_malware_sites condition
    end

    define condition Bypass_malware_sites
    url.domain=obfuscated_domain.com
    end
    ;=============================================================================================================

    This doesn't seem to have made any difference and I'm still getting the error message. The trace also shows a "miss" on the newly inserted CPL for obfuscated_domain.com.