Configuring ICAP Settings

Note
When ICAP integration is enabled, Deep Discovery Analyzer automatically reduces Virtual Analyzer throughput to conserve system resources.

Procedure

  1. Go to Administration > Integrated Products/Services > ICAP.
  2. Select Enable ICAP.
  3. Type the ICAP port number.
    The default value is 1344.
  4. To connect the ICAP client over a secure connection, select Enable ICAP over SSL and specify the following details:
    • ICAPS port number: Default value is 11344
    • Certificate: Certificates must use base64-encoding
    • Private key: Private keys must use base64-encoding
      Important
      Only encrypted private keys are supported.
    • Passphrase
    • Confirm Passphrase
  5. (Optional) In the Header Settings section, specify how Deep Discovery Analyzer handles ICAP headers.
    1. Under ICAP headers from Deep Discovery Analyzer, select the ICAP headers Deep Discovery Analyzer sends to ICAP clients.
      For details, see ICAP Header Responses.
    2. Under ICAP headers from ICAP clients, select the ICAP headers to save when Deep Discovery Analyzer receives the headers from ICAP clients.
  6. (Optional) Under Scanning Settings, select the options for URL scanning in RESPMOD mode and set how Deep Discovery Analyzer scans samples from ICAP clients:
    • Bypass URL scanning in RESPMOD mode
    • Scan samples using YARA rules
    • Scan samples using the suspicious objects list
    • Scan samples using the user-defined suspicious objects list
    • Scan samples using the Predictive Machine Learning engine
  7. (Optional) Under Content Settings, do the following:
    1. Select Enable MIME content-type exclusion to exclude files from scanning based on the MIME content-types that you selected or specified.
    2. To have Deep Discovery Analyzer check the true file type of submitted samples, select Enable MIME content-type validation.
      Note
      • The Enable MIME content-type validation setting only applies when you select Enable MIME content-type exclusion.
      • When you select this option, Deep Discovery Analyzer will still perform an ICAP pre-scan on samples with one of the following:
        • HTTP compression
        • Some MIME content-types in ICAP Preview mode
        • Custom MIME content-types
        • Some pre-defined MIME content-types
        Samples with unsupported file types are not submitted to Virtual Analyzer for scanning after ICAP pre-scan.
  8. (Optional) Under User Notification Pages, select Use a user notification page whenever the ICAP client blocks network traffic for the following events and specify a file that contains the page contents.
    Note
    This setting allows Deep Discovery Analyzer to display a custom page whenever an ICAP client blocks network traffic for specific events. The ICAP client may override this setting. If the setting is enabled but the custom page is not displayed, verify that there are no conflicts with the ICAP client configuration.
    Deep Discovery Analyzer supports custom pages for the following events:
    • URL access
    • File upload
    • File download
    Note
    Use any text editor to create the pages, and save as plain text. HTML tags may be used to apply formatting. Ensure that files are smaller than 5 MB.
  9. (Optional) Under ICAP Client List, do the following:
    1. Specify the number of Max connections allowed.
      The default value is 1000.
    2. Select Accept scan request from the following ICAP clients only to limit submissions to the listed clients.
      • To add a new IP address or IP address range, click Add.
      • To remove an existing entry, select an entry and click Delete.
      Note
      By default, all ICAP clients can submit samples to Deep Discovery Analyzer.
  10. Click Save.
  11. Verify that ICAP integration is working correctly in Deep Discovery Analyzer.
    For high-risk samples:
    • Deep Discovery Analyzer returns an HTTP 403 Forbidden message to the ICAP client.
    • If the User Notification Page setting is enabled, Deep Discovery Analyzer includes the uploaded page as part of the message.
    • If X-Virus-ID and X-Infection-Found ICAP headers are enabled, Deep Discovery Analyzer includes these headers within the message.
    For no-risk samples:
    • Deep Discovery Analyzer returns the original message it receives from the ICAP client.
    • If the ICAP client supports ICAP 204 No Content, Deep Discovery Analyzer returns an ICAP 204 No Content response without the original message.
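Step 4 requires a base64-encoded (PEM) certificate and an encrypted PEM private key. The following pre-flight check is an added example written for this page, not Trend Micro code and not part of the product: it confirms that each file is PEM armour around valid base64 and that the private key is encrypted, recognising both the PKCS#8 form (`ENCRYPTED PRIVATE KEY` label) and the traditional form (`Proc-Type: 4,ENCRYPTED` header). The sample PEM strings are constructed placeholders, not real key material.

```python
import base64
import binascii
import re

# One PEM block: "-----BEGIN label-----", optional RFC 1421 header lines,
# base64 payload, "-----END label-----" (labels must match).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return (label, header_lines, base64_payload) for every PEM block in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        headers, payload = [], []
        for line in match.group("body").splitlines():
            line = line.strip()
            if not line:
                continue
            # Traditional (PKCS#1-style) encrypted keys carry "Proc-Type" and
            # "DEK-Info" header lines before the base64 data; base64 never has ':'.
            if ":" in line:
                headers.append(line)
            else:
                payload.append(line)
        blocks.append((match.group("label"), headers, "".join(payload)))
    return blocks


def is_base64_pem(text):
    """True if text holds at least one PEM block and every payload is valid base64."""
    blocks = pem_blocks(text)
    if not blocks:
        return False
    for _label, _headers, payload in blocks:
        if not payload:
            return False
        try:
            base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            return False
    return True


def private_key_is_encrypted(text):
    """True if a private-key block is PKCS#8 encrypted or carries Proc-Type: 4,ENCRYPTED."""
    for label, headers, _payload in pem_blocks(text):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and any(
            h.replace(" ", "").upper().startswith("PROC-TYPE:4,ENCRYPTED") for h in headers
        ):
            return True
    return False


def check_icaps_material(cert_pem, key_pem):
    """Pre-flight result for the three requirements listed under step 4."""
    return {
        "cert_is_base64_pem": is_base64_pem(cert_pem)
        and any(label == "CERTIFICATE" for label, _h, _p in pem_blocks(cert_pem)),
        "key_is_base64_pem": is_base64_pem(key_pem),
        "key_is_encrypted": private_key_is_encrypted(key_pem),
    }


def _fake_pem(label, payload, headers=()):
    """Build a constructed PEM block for the samples below (not real key material)."""
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    b64 = base64.b64encode(payload).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{head}{lines}\n-----END {label}-----\n"


# Constructed samples: placeholder bytes wrapped in PEM armour.
SAMPLE_CERT = _fake_pem("CERTIFICATE", b"constructed placeholder, not a real certificate")
SAMPLE_KEY_PKCS8_ENC = _fake_pem("ENCRYPTED PRIVATE KEY", b"constructed placeholder, not a key")
SAMPLE_KEY_TRADITIONAL_ENC = _fake_pem(
    "RSA PRIVATE KEY", b"constructed placeholder, not a key",
    headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"),
)
SAMPLE_KEY_PLAIN = _fake_pem("PRIVATE KEY", b"constructed placeholder, unencrypted PKCS#8")
SAMPLE_NOT_BASE64 = "-----BEGIN CERTIFICATE-----\nthis is not base64!!\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, key in [("pkcs8-encrypted", SAMPLE_KEY_PKCS8_ENC),
                      ("traditional-encrypted", SAMPLE_KEY_TRADITIONAL_ENC),
                      ("plain", SAMPLE_KEY_PLAIN)]:
        print(name, check_icaps_material(SAMPLE_CERT, key))
```

An unencrypted PKCS#8 key (`PRIVATE KEY` label, no headers) fails the `key_is_encrypted` check, which is the case the Important note under step 4 rules out; a DER file fails `is_base64_pem` because it has no PEM armour at all.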
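Step 7 pairs MIME content-type exclusion with MIME content-type validation, and the note explains that validation only matters once exclusion is on. The following model is an added example for this page, not the product's own logic: it shows why the two settings belong together, using a deliberately small magic-byte table (an assumption; a real validator uses a much fuller one). With exclusion alone, anything that declares an excluded `Content-Type` is skipped; with validation, a body whose leading bytes disagree with the declared type is scanned anyway. The samples are constructed.

```python
# Magic-byte signatures (simplified table; assumption for this example only).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"MZ", "application/vnd.microsoft.portable-executable"),
]


def detect_true_type(data):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def declared_type(content_type_header):
    """Normalise a Content-Type header value: drop parameters, lower-case."""
    return content_type_header.split(";", 1)[0].strip().lower()


def scan_decision(content_type_header, data, excluded_types, validate_true_type):
    """Model the exclusion/validation interplay described in step 7."""
    declared = declared_type(content_type_header)
    if declared not in excluded_types:
        return "scan"                    # not excluded: always scanned
    if not validate_true_type:
        return "skip"                    # excluded on the declared header alone
    if detect_true_type(data) == declared:
        return "skip"                    # header and bytes agree: exclusion stands
    return "scan"                        # mismatch or unknown bytes: scan it


EXCLUDED = {"image/png", "image/jpeg", "image/gif"}

# Constructed samples: (declared Content-Type, first bytes of the body).
SAMPLES = [
    ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),          # genuine PNG header
    ("image/png; charset=binary", b"MZ\x90\x00" + b"\x00" * 16),  # PE bytes labelled as PNG
    ("image/jpeg", b"%PDF-1.7\n%constructed"),                   # PDF labelled as JPEG
    ("application/pdf", b"%PDF-1.7\n%constructed"),              # not excluded at all
]


def run_samples(validate_true_type):
    """Decision for every sample under one setting of MIME content-type validation."""
    return [scan_decision(ct, data, EXCLUDED, validate_true_type) for ct, data in SAMPLES]


if __name__ == "__main__":
    print("exclusion only:      ", run_samples(validate_true_type=False))
    print("exclusion+validation:", run_samples(validate_true_type=True))
```

The second sample is the case the validation setting exists for: an executable whose `Content-Type` claims an excluded image type is skipped under exclusion alone and scanned once validation is enabled.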
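Step 11 describes the responses to expect from Deep Discovery Analyzer: an ICAP 200 wrapping an HTTP 403 (with the optional notification page and the X-Virus-ID / X-Infection-Found ICAP headers) for high-risk samples, and either the original message or an ICAP 204 No Content for no-risk samples. The parser below is an added example written for this page, not Trend Micro code: it takes a raw ICAP response and reports which of those outcomes it represents, so the verification in step 11 can be scripted instead of eyeballed. The three sample responses are constructed inline (the `build_icap_200` helper assembles them with a correct `Encapsulated` header); the X-Infection-Found value format follows the ICAP extension-header convention and is an assumption.

```python
def _split_head(raw):
    """Split b'start-line\\r\\nheaders\\r\\n\\r\\nrest' into (start_line, headers, rest)."""
    head, _sep, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest


def decode_chunked(data):
    """Decode a chunked body: hex size line, chunk bytes, CRLF, ending with a 0 chunk."""
    out, pos = b"", 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)   # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2                                      # skip data and its CRLF


def classify_icap_response(raw):
    """Map an ICAP response onto the step-11 outcomes (high-risk vs no-risk)."""
    status_line, icap_headers, rest = _split_head(raw)
    icap_status = int(status_line.split()[1])
    result = {"icap_status": icap_status, "http_status": None, "verdict": None,
              "virus_id": None, "infection_found": None, "notification_page": None}
    if icap_status == 204:
        result["verdict"] = "no-risk (204 No Content, original message omitted)"
        return result
    if icap_status != 200:
        result["verdict"] = "unexpected ICAP status %d" % icap_status
        return result
    http_status_line, _http_headers, body = _split_head(rest)
    result["http_status"] = int(http_status_line.split()[1])
    if result["http_status"] == 403:
        result["verdict"] = "high-risk (HTTP 403 Forbidden)"
        # X-Virus-ID / X-Infection-Found are ICAP headers, not HTTP headers.
        result["virus_id"] = icap_headers.get("x-virus-id")
        result["infection_found"] = icap_headers.get("x-infection-found")
        if body:                        # present when a user notification page is configured
            result["notification_page"] = decode_chunked(body).decode("utf-8", "replace")
    else:
        result["verdict"] = "no-risk (original message returned)"
    return result


def build_icap_200(icap_headers, http_head, http_body):
    """Assemble a constructed ICAP 200 response with a RESPMOD-style encapsulated HTTP reply."""
    http_head_bytes = http_head + b"\r\n\r\n"
    chunked = (b"%x\r\n%s\r\n0\r\n\r\n" % (len(http_body), http_body)) if http_body else b"0\r\n\r\n"
    head = b"ICAP/1.0 200 OK\r\n" + b"".join(h + b"\r\n" for h in icap_headers)
    head += b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http_head_bytes)
    return head + http_head_bytes + chunked


# Constructed samples (not captured from a real appliance).
SAMPLE_BLOCKED = build_icap_200(
    [b'ISTag: "constructed-istag"',
     b"X-Virus-ID: Constructed.Test.Sample",
     b"X-Infection-Found: Type=0; Resolution=2; Threat=Constructed.Test.Sample;"],
    b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html",
    b"<html><body>Blocked by policy (constructed page)</body></html>",
)
SAMPLE_PASSTHROUGH = build_icap_200(
    [b'ISTag: "constructed-istag"'],
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain",
    b"hello, original message",
)
SAMPLE_204 = b'ICAP/1.0 204 No Content\r\nISTag: "constructed-istag"\r\n\r\n'

if __name__ == "__main__":
    for name, sample in [("blocked", SAMPLE_BLOCKED), ("passthrough", SAMPLE_PASSTHROUGH), ("204", SAMPLE_204)]:
        print(name, classify_icap_response(sample)["verdict"])
```

When checking a live deployment, feed the bytes captured from the ICAP client side into `classify_icap_response`: a high-risk test sample should yield `http_status` 403, and `virus_id` / `infection_found` should be populated only if those headers were enabled under step 5.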