ICAP Header Responses | Trend Micro Service Central

Views:

For each sample submitted by ICAP clients, Deep Discovery Analyzer returns ICAP headers.

The following shows an example.

ICAP/1.0 200 OK
Server: Deep Discovery Analyzer 7.2 Build 1165
ISTag: "12.300.1011"
X-Virus-ID: TROJ_FRS.0NA103DD20,TROJ_FRS.0NA104DD20 
X-Infection-Found: Type=0; Resolution=2; Threat=TROJ_FRS.0NA103
DD20,TROJ_FRS.0NA104DD20;
X-Response-Desc: URL: No risk rating from WRS; FILE: Detected b
y ATSE
Encapsulated: res-hdr=0, res-body=86
Date: Thu, 16 Apr 2020 07:38:01 GMT

The following table describes the ICAP headers.

ICAP Headers	Values	Examples
ICAP/1.0	ICAP status code. For example: 204: If an ICAP client accepts the 204 status code with cached content 200: If an ICAP client does not accept the 204 status code Content is too big for an ICAP client to store in the cache. Deep Discovery Analyzer will return `200 OK` with the HTTP content. A threat is detected. Deep Discovery Analyzer will return `200 OK` with the ICAP header and HTTP 403 Forbidden For more information on the status codes, see the RFC 3507 documentation.	ICAP 1.0 200 OK ICAP 1.0 204 No Content
Server	Deep Discovery Analyzer version and build number	Server: Deep Discovery Analyzer 7.2 Build 1165
ISTag	Version of the Advanced Threat Scan Engine for Deep Discovery (Linux, 64-bit) component This is used to validate that previous Deep Discovery Analyzer responses can still be considered fresh by an ICAP client that may still be caching them.	ISTag: "12.300.1011"
Encapsulated	The offset of each encapsulated section's start relative to the start of the encapsulating message's body	Encapsulated: req-hdr=0, req-body=86
Date	The date time value provided by the Deep Discovery Analyzer clock, specified as an RFC 1123 compliant date/time string	Date: Thu, 16 Apr 2020 07:38:01 GMT

For more details about ICAP headers, refer to the following site:

http://www.icap-forum.org/

The following table describes the additional headers that Deep Discovery Analyzer returns.

Note:

If enabled, Deep Discovery Analyzer always returns the X-Response-Desc header, and only returns the X-Virus-ID and X-Infection-Found headers when a known threat is detected during the pre-scanning of samples received from ICAP clients.

ICAP Headers	Values	Examples
X-Virus-ID	One line of US-ASCII text with the name of the virus or risk encountered	X-Virus-ID: TSPY_ONLINEG.MCS
X-Infection-Found	Numeric code for the type of infection, the resolution, and the risk description	X-Infection-Found: Type=0; Resolution=2; Threat=TSPY_ONLINEG.MCS;
X-Response-Desc	Reason Deep Discovery Analyzer considers a URL or file sample as malicious or safe	X-Response-Desc: URL: No risk rating from WRS; FILE: Detected by ATSE

Note:

To enable these headers and configure other ICAP settings, go to Administration > Integrated Products/Services > ICAP.

For details, see Configuring ICAP Settings.

The X-Response-Desc header varies based on the pre-scan result. The following tables describes the X-Response-Desc headers.

Table 1. X-Response-Desc headers: URL
X-Response-Desc Header	Description
No risk rating from WRS	The URL is detected by Web Reputation Services (WRS) and is considered as safe.
Match found in URL exception list	The URL matches an entry in the exception list and is displayed on the Exceptions screen.
No risk rating from VA	The URL is detected by Virtual Analyzer is considered as safe.
Bypass URL scanning in RESPMOD mode	If you select Bypass URL scanning in RESPMOD mode on the ICAP screen, Deep Discovery Analyzer does not scan URLs in RESPMOD mode.
Invalid URL	The URL is detected with an invalid format.
Unable to analyze URL in VA	The URL is not supported in Virtual Analyzer.
Detected by WRS	The URL is detected by WRS and is considered as malicious.
Detected by suspicious objects list	The URL matches an entry in the suspicious objects list.
Detected by user-defined suspicious objects list	The URL matches an entry in the user-defined suspicious objects list.
Detected by VA cache	The URL is already analyzed by Virtual Analyzer and is considered as malicious.
URL submitted to VA	No pre-scan result is available for the URL. Submit the URL sample to Virtual Analyzer for analysis.

Table 2. X-Response-Desc headers: File
X-Response-Desc Header	Description
Match found in file exception list	The file matches an entry in the exception list and is displayed on the Exceptions screen.
No risk rating from VA	The file is detected by Virtual Analyzer is considered as safe.
Unsupported file type in VA	The file is not analyzed by Virtual Analyzer due to one of the following: The file type is not supported in Virtual Analyzer For more information on supported file types, see Supported File Types in Virtual Analyzer. The file is password protected and cannot be extracted by Virtual Analyzer for analysis Other reasons that Virtual Analyzer is unable to perform the file analysis
Bypass MIME content-type scanning	If you select Enable MIME content-type exclusion and the content-type is in the exclusion list, Deep Discovery Analyzer does not scan the file.
Maximum file size exceeded	The file size has exceeded the maximum (60MB).
Bypass true file type scanning	If you select Enable MIME content-type validation and the file type is in the exclusion list, Deep Discovery Analyzer does not scan the file.
Detected by ATSE	The file is detected by Advanced Threat Scan Engine (ATSE) for Deep Discovery.
Detected by YARA rule	The file matches a YARA rule.
Detected by suspicious objects list	The file matches an entry in the suspicious objects list.
Detected by user-defined suspicious objects list	The file matches an entry in the user-defined suspicious objects list.
Detected by Predictive Machine Learning engine	The file is detected by the Predictive Machine Learning engine.
Detected by VA cache	The file is already analyzed by Virtual Analyzer and is considered as malicious.
File submitted to VA	No pre-scan result is available for the file. Submit the file sample to Virtual Analyzer for analysis.
Detected as password-protected file. Block sample without scanning	If you select Classify samples as password-protected files without scanning on the ICAP screen and the file is password protected, Deep Discovery Analyzer blocks the file without scanning.
Detected as password-protected file. Block non-malicious sample that cannot be extracted	If you select Classify samples with no known risks as password-protected files only if the files cannot be extracted on the ICAP screen, Deep Discovery Analyzer returns this result in the header when a password-protected file cannot be extracted but is scanned by all ICAP pre-scan modules with no risk.

The following header example indicates that the file and URL are considered safe.

ICAP/1.0 204 No Content
Server: Deep Discovery Analyzer 7.2 Build 1165
ISTag: "12.300.1011"
X-Response-Desc: URL: No risk rating from WRS; FILE: No risk ra
ting from VA
Date: Thu, 16 Apr 2020 07:32:30 GMT

The following header example indicates that Deep Discovery Analyzer returns the HTTP/1.1 403 Forbidden status code because the file is detected by ATSE. The URL is not scanned.

Note:

If you configure the redirect page in the management console, Deep Discovery Analyzer sends the redirect page content after the HTTP 403 Forbidden header.

ICAP/1.0 200 OK
Server: Deep Discovery Analyzer 7.2 Build 1165
ISTag: "12.300.1011"
X-Virus-ID: TROJ_FRS.0NA103DD20,TROJ_FRS.0NA104DD20 
X-Infection-Found: Type=0; Resolution=2; Threat=TROJ_FRS.0NA103
DD20,TROJ_FRS.0NA104DD20;
X-Response-Desc: URL: Bypass URL scanning in RESPMOD mode; FILE
: Detected by ATSE
Encapsulated: res-hdr=0, res-body=86
Date: Thu, 16 Apr 2020 07:38:01 GMT

HTTP/1.1 403 Forbidden

The following header example indicates that the URL is considered as safe and there is no detection information for the file. The file sample is automatically submitted to Deep Discovery Analyzer for analysis.

ICAP/1.0 204 No Content
Server: Deep Discovery Analyzer 7.2 Build 1165
ISTag: "12.300.1011"
X-Response-Desc: URL: No risk rating from WRS; FILE: File submi
tted to VA
Date: Thu, 16 Apr 2020 07:22:41 GMT