ICAP Header Responses

For each sample submitted by ICAP clients, Deep Discovery Analyzer returns ICAP headers.

The following shows an example.

ICAP/1.0 200 OK
Server: Deep Discovery Analyzer 6.8 Build 1165
ISTag: "12.300.1011"
X-Virus-ID: TROJ_FRS.0NA103DD20,TROJ_FRS.0NA104DD20
X-Infection-Found: Type=0; Resolution=2; Threat=TROJ_FRS.0NA103DD20,TROJ_FRS.0NA104DD20;
X-Response-Desc: URL: No risk rating from WRS; FILE: Detected by ATSE
Encapsulated: res-hdr=0, res-body=86
Date: Thu, 16 Apr 2020 07:38:01 GMT

The following table describes the ICAP headers.

ICAP Headers

ICAP/1.0

  Values: ICAP status code. For example:

    • 204 No Content: returned when the ICAP client has indicated that it accepts the 204 status code (an Allow: 204 header in its request) and the content needs no modification. The client keeps using the content it already holds; nothing is sent back.

    • 200 OK: returned in the following cases:

      • The ICAP client does not accept the 204 status code.

      • The content is too big for the ICAP client to hold in its cache. Deep Discovery Analyzer returns 200 OK with the HTTP content.

      • A threat is detected. Deep Discovery Analyzer returns 200 OK with the ICAP headers and an encapsulated HTTP 403 Forbidden response.

    For more information on the status codes, see RFC 3507.

  Examples:

    ICAP/1.0 200 OK

    ICAP/1.0 204 No Content

Server

  Values: Deep Discovery Analyzer version and build number

  Example: Server: Deep Discovery Analyzer 6.8 Build 1165

ISTag

  Values: Version of the Advanced Threat Scan Engine for Deep Discovery (Linux, 64-bit) component. An ICAP client that caches earlier Deep Discovery Analyzer responses compares this value with the one it cached: while the ISTag is unchanged the cached responses are still fresh; when it changes (for example after an engine update) the cached verdicts are stale and the content must be rescanned.

  Example: ISTag: "12.300.1011"

Encapsulated

  Values: The byte offset at which each encapsulated section starts, relative to the start of the encapsulated body that follows the ICAP headers

  Examples:

    Encapsulated: req-hdr=0, req-body=86

    Encapsulated: res-hdr=0, res-body=86

Date

  Values: The date and time from the Deep Discovery Analyzer clock, as an RFC 1123 compliant date/time string

  Example: Date: Thu, 16 Apr 2020 07:38:01 GMT

For more details about ICAP headers, refer to the following site:

http://www.icap-forum.org/
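The following added example (not Trend Micro code, and independent of any Deep Discovery Analyzer API) shows the client side of the two headers above that cause the most integration mistakes: it builds a RESPMOD request that offers Allow: 204, computes the Encapsulated offsets from the real byte lengths of the sections instead of hard-coding them, and uses the same offsets to slice an encapsulated body back into its parts. The service URL and the HTTP exchange are constructed for illustration.

```python
# Added example (not Trend Micro code): build an ICAP RESPMOD request with
# Allow: 204 and an Encapsulated header whose offsets are computed from the
# byte lengths of the encapsulated sections (RFC 3507 section 4.4.1).
import re
from typing import Dict, Optional

# Hypothetical ICAP service URL; substitute the host and service path you
# configured under Administration > Integrated Products/Services > ICAP.
ICAP_SERVICE = "icap://dda.example.internal:1344/respmod"

# Constructed sample HTTP exchange to be scanned (not from the page).
REQ_HDR = (b"GET /download/sample.bin HTTP/1.1\r\n"
           b"Host: files.example.org\r\n\r\n")
RES_HDR = (b"HTTP/1.1 200 OK\r\n"
           b"Content-Type: application/octet-stream\r\n"
           b"Content-Length: 5\r\n\r\n")
RES_BODY = b"MZ\x90\x00\x03"


def chunked(data: bytes) -> bytes:
    """ICAP carries encapsulated bodies in HTTP chunked encoding: one chunk, then the zero terminator."""
    return (b"%x\r\n%s\r\n" % (len(data), data) if data else b"") + b"0\r\n\r\n"


def build_respmod(req_hdr: bytes, res_hdr: bytes, res_body: Optional[bytes],
                  allow_204: bool = True) -> bytes:
    """Return the complete ICAP request bytes for scanning an HTTP response."""
    sections = []   # encapsulated sections in wire order
    offsets = []    # "name=offset" entries for the Encapsulated header
    pos = 0         # running byte position inside the encapsulated body
    for name, data in (("req-hdr", req_hdr), ("res-hdr", res_hdr)):
        offsets.append(f"{name}={pos}")
        sections.append(data)
        pos += len(data)
    if res_body is None:
        offsets.append(f"null-body={pos}")   # headers only, nothing follows
    else:
        offsets.append(f"res-body={pos}")
        sections.append(chunked(res_body))
    host = ICAP_SERVICE.split("/")[2]
    icap_lines = [f"RESPMOD {ICAP_SERVICE} ICAP/1.0",
                  f"Host: {host}",
                  f"Encapsulated: {', '.join(offsets)}"]
    if allow_204:
        # Without this the server must echo the whole content in a 200 OK.
        icap_lines.append("Allow: 204")
    return "\r\n".join(icap_lines).encode("ascii") + b"\r\n\r\n" + b"".join(sections)


def parse_encapsulated(value: str) -> Dict[str, int]:
    """'res-hdr=0, res-body=86' -> {'res-hdr': 0, 'res-body': 86}"""
    return {k: int(v) for k, v in re.findall(r"([a-z-]+)=(\d+)", value)}


def split_encapsulated(encapsulated: str, body: bytes) -> Dict[str, bytes]:
    """Slice an encapsulated body into sections; each runs from its offset to the next one."""
    offs = sorted(parse_encapsulated(encapsulated).items(), key=lambda kv: kv[1])
    parts = {}
    for i, (name, start) in enumerate(offs):
        end = offs[i + 1][1] if i + 1 < len(offs) else len(body)
        parts[name] = body[start:end]
    return parts


if __name__ == "__main__":
    print(build_respmod(REQ_HDR, RES_HDR, RES_BODY).decode("latin-1"))
```

The same split_encapsulated function applies to a 200 OK from Deep Discovery Analyzer: with Encapsulated: res-hdr=0, res-body=86 the first 86 bytes after the ICAP header block are the HTTP 403 Forbidden header, and the chunked body (the redirect page, if one is configured) begins at byte 86.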

The following table describes the additional headers that Deep Discovery Analyzer returns.

Note:

When the additional headers are enabled, Deep Discovery Analyzer always returns the X-Response-Desc header, and returns the X-Virus-ID and X-Infection-Found headers only when a known threat is detected during the pre-scanning of samples received from ICAP clients.

ICAP Headers

X-Virus-ID

  Values: One line of US-ASCII text with the name of the detected virus or risk. When more than one is detected, the names are separated by commas.

  Example: X-Virus-ID: TSPY_ONLINEG.MCS

X-Infection-Found

  Values: Numeric code for the type of infection, the resolution, and the threat name, as semicolon-separated Type=, Resolution= and Threat= fields

  Example: X-Infection-Found: Type=0; Resolution=2; Threat=TSPY_ONLINEG.MCS;

X-Response-Desc

  Values: The reason Deep Discovery Analyzer considers the URL and the file sample malicious or safe, as a URL: part and a FILE: part separated by a semicolon

  Example: X-Response-Desc: URL: No risk rating from WRS; FILE: Detected by ATSE

Note:

To enable these headers and configure other ICAP settings, go to Administration > Integrated Products/Services > ICAP.

For details, see Configuring ICAP Settings.

The X-Response-Desc header varies based on the pre-scan result. The following tables describe the X-Response-Desc headers.

Table 1. X-Response-Desc headers: URL

No risk rating from WRS
  Web Reputation Services (WRS) returned no risk rating for the URL, so the URL is considered safe.

Match found in URL exception list
  The URL matches an entry in the exception list, which is displayed on the Exceptions screen.

No risk rating from VA
  Virtual Analyzer has already analyzed the URL and found no risk, so the URL is considered safe.

Bypass URL scanning in RESPMOD mode
  Bypass URL scanning in RESPMOD mode is selected on the ICAP screen, so Deep Discovery Analyzer does not scan URLs in RESPMOD mode.

Invalid URL
  The URL has an invalid format.

Unable to analyze URL in VA
  The URL is not supported in Virtual Analyzer.

Detected by WRS
  WRS rates the URL as malicious.

Detected by suspicious objects list
  The URL matches an entry in the suspicious objects list.

Detected by user-defined suspicious objects list
  The URL matches an entry in the user-defined suspicious objects list.

Detected by VA cache
  Virtual Analyzer has already analyzed the URL and found it malicious.

URL submitted to VA
  No pre-scan result is available for the URL, so the URL sample is submitted to Virtual Analyzer for analysis.

Table 2. X-Response-Desc headers: File

Match found in file exception list
  The file matches an entry in the exception list, which is displayed on the Exceptions screen.

No risk rating from VA
  Virtual Analyzer has already analyzed the file and found no risk, so the file is considered safe.

Unsupported file type in VA
  The file is not analyzed by Virtual Analyzer for one of the following reasons:

  • The file type is not supported in Virtual Analyzer

    For more information on supported file types, see Submission Settings Tab.

  • The file is password protected and cannot be extracted by Virtual Analyzer for analysis

  • Virtual Analyzer is unable to analyze the file for another reason

Bypass MIME content-type scanning
  Enable MIME content-type exclusion is selected and the content-type is in the exclusion list, so Deep Discovery Analyzer does not scan the file.

Maximum file size exceeded
  The file size exceeds the maximum (60 MB).

Bypass true file type scanning
  Enable MIME content-type validation is selected and the true file type is in the exclusion list, so Deep Discovery Analyzer does not scan the file.

Detected by ATSE
  The file is detected by the Advanced Threat Scan Engine (ATSE) for Deep Discovery.

Detected by YARA rule
  The file matches a YARA rule.

Detected by suspicious objects list
  The file matches an entry in the suspicious objects list.

Detected by user-defined suspicious objects list
  The file matches an entry in the user-defined suspicious objects list.

Detected by Predictive Machine Learning engine
  The file is detected by the Predictive Machine Learning engine.

Detected by VA cache
  Virtual Analyzer has already analyzed the file and found it malicious.

File submitted to VA
  No pre-scan result is available for the file, so the file sample is submitted to Virtual Analyzer for analysis.

Detected as password-protected file. Block sample without scanning
  Classify samples as password-protected files without scanning is selected on the ICAP screen and the file is password protected, so Deep Discovery Analyzer blocks the file without scanning it.

Detected as password-protected file. Block non-malicious sample that cannot be extracted
  Classify samples with no known risks as password-protected files only if the files cannot be extracted is selected on the ICAP screen; Deep Discovery Analyzer returns this result when the file is password protected, no risk is known for it, and it cannot be extracted.

The following header example indicates that the file and URL are considered safe.

ICAP/1.0 204 No Content
Server: Deep Discovery Analyzer 6.8 Build 1165
ISTag: "12.300.1011"
X-Response-Desc: URL: No risk rating from WRS; FILE: No risk rating from VA
Date: Thu, 16 Apr 2020 07:32:30 GMT

The following header example indicates that Deep Discovery Analyzer returns the HTTP/1.1 403 Forbidden status code because the file is detected by ATSE. The URL is not scanned because Bypass URL scanning in RESPMOD mode is selected.

Note:

If you configure the redirect page in the management console, Deep Discovery Analyzer sends the redirect page content after the HTTP 403 Forbidden header.

ICAP/1.0 200 OK
Server: Deep Discovery Analyzer 6.8 Build 1165
ISTag: "12.300.1011"
X-Virus-ID: TROJ_FRS.0NA103DD20,TROJ_FRS.0NA104DD20
X-Infection-Found: Type=0; Resolution=2; Threat=TROJ_FRS.0NA103DD20,TROJ_FRS.0NA104DD20;
X-Response-Desc: URL: Bypass URL scanning in RESPMOD mode; FILE: Detected by ATSE
Encapsulated: res-hdr=0, res-body=86
Date: Thu, 16 Apr 2020 07:38:01 GMT

HTTP/1.1 403 Forbidden

The following header example indicates that the URL is considered safe and that no pre-scan result is available for the file. The file sample is automatically submitted to Virtual Analyzer for analysis. Because the status is 204 No Content, the ICAP client releases the content it already holds; the Virtual Analyzer verdict arrives later and does not block this transfer.

ICAP/1.0 204 No Content
Server: Deep Discovery Analyzer 6.8 Build 1165
ISTag: "12.300.1011"
X-Response-Desc: URL: No risk rating from WRS; FILE: File submitted to VA
Date: Thu, 16 Apr 2020 07:22:41 GMT
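The three responses above are the cases an ICAP client has to tell apart. The following added example (not Trend Micro code and not part of Deep Discovery Analyzer) parses the ICAP status line, the standard headers and the three X- headers described on this page, and reduces each response to an action: block when X-Virus-ID or X-Infection-Found is present, allow on 204 or a clean 200, and a separate allow-pending when X-Response-Desc says the sample was only just submitted to Virtual Analyzer, since that content is passing through before any sandbox verdict exists. The sample responses are constructed from the page's examples; the encapsulated 403 is shortened to its status line.

```python
# Added example (not Trend Micro code): parse a Deep Discovery Analyzer ICAP
# response and reduce it to an action the ICAP client (proxy or gateway) can
# enforce. Sample responses are constructed from the examples on this page.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Descriptions meaning "no verdict yet": the content passes through while
# Virtual Analyzer sandboxes it, so the client sees it before any detection.
PENDING_DESCS = {"File submitted to VA", "URL submitted to VA"}


@dataclass
class Verdict:
    status: int                       # ICAP status code (200 or 204)
    action: str                       # "allow", "allow-pending" or "block"
    url_desc: Optional[str] = None    # URL part of X-Response-Desc
    file_desc: Optional[str] = None   # FILE part of X-Response-Desc
    threats: List[str] = field(default_factory=list)          # X-Virus-ID names
    infection: Dict[str, str] = field(default_factory=dict)   # X-Infection-Found fields
    istag: Optional[str] = None       # ISTag without quotes; a change invalidates cached verdicts
    http_status: Optional[str] = None # status line of the encapsulated HTTP response, if any


def parse_icap_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw ICAP response into (status code, lower-cased headers, encapsulated body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("ICAP header block not terminated")
    lines = head.decode("ascii").split("\r\n")
    m = re.match(r"ICAP/1\.0 (\d{3}) ", lines[0])
    if not m:
        raise ValueError(f"not an ICAP/1.0 status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


def parse_response_desc(value: str) -> Dict[str, str]:
    """'URL: No risk rating from WRS; FILE: Detected by ATSE' -> {'URL': ..., 'FILE': ...}"""
    return {k: v.strip() for k, v in re.findall(r"\b(URL|FILE):\s*([^;]*)", value)}


def parse_infection_found(value: str) -> Dict[str, str]:
    """'Type=0; Resolution=2; Threat=X;' -> {'Type': '0', 'Resolution': '2', 'Threat': 'X'}"""
    fields = {}
    for part in value.split(";"):
        key, eq, val = part.strip().partition("=")
        if eq:
            fields[key] = val
    return fields


def classify(raw: bytes) -> Verdict:
    status, h, body = parse_icap_response(raw)
    desc = parse_response_desc(h.get("x-response-desc", ""))
    threats = [t.strip() for t in h.get("x-virus-id", "").split(",") if t.strip()]
    infection = parse_infection_found(h.get("x-infection-found", ""))
    http_status = body.split(b"\r\n", 1)[0].decode("ascii") if body else None
    if threats or infection:
        # Known threat: the 200 OK carries an encapsulated HTTP 403 Forbidden
        # that the client must serve instead of the original content.
        action = "block"
    elif status == 204:
        # Unmodified: the client keeps its copy. Flag the case where that copy
        # is released before the sandbox verdict exists.
        action = "allow-pending" if PENDING_DESCS & set(desc.values()) else "allow"
    elif status == 200:
        # No threat, but the client did not offer 204 (or the content was too
        # large to cache), so the HTTP content is echoed back in the body.
        action = "allow"
    else:
        raise ValueError(f"unexpected ICAP status {status}")
    return Verdict(status, action, desc.get("URL"), desc.get("FILE"), threats,
                   infection, h.get("istag", "").strip('"') or None, http_status)


# Constructed from the page's examples; the encapsulated 403 is shortened to
# its status line (a real response carries the 86-byte header block that the
# Encapsulated offsets describe, followed by the chunked redirect page).
SAFE_RESPONSE = (
    b"ICAP/1.0 204 No Content\r\n"
    b"Server: Deep Discovery Analyzer 6.8 Build 1165\r\n"
    b'ISTag: "12.300.1011"\r\n'
    b"X-Response-Desc: URL: No risk rating from WRS; FILE: No risk rating from VA\r\n"
    b"Date: Thu, 16 Apr 2020 07:32:30 GMT\r\n\r\n")
BLOCKED_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Server: Deep Discovery Analyzer 6.8 Build 1165\r\n"
    b'ISTag: "12.300.1011"\r\n'
    b"X-Virus-ID: TROJ_FRS.0NA103DD20,TROJ_FRS.0NA104DD20\r\n"
    b"X-Infection-Found: Type=0; Resolution=2; Threat=TROJ_FRS.0NA103DD20,TROJ_FRS.0NA104DD20;\r\n"
    b"X-Response-Desc: URL: Bypass URL scanning in RESPMOD mode; FILE: Detected by ATSE\r\n"
    b"Encapsulated: res-hdr=0, res-body=86\r\n"
    b"Date: Thu, 16 Apr 2020 07:38:01 GMT\r\n\r\n"
    b"HTTP/1.1 403 Forbidden\r\n")
PENDING_RESPONSE = (
    b"ICAP/1.0 204 No Content\r\n"
    b"Server: Deep Discovery Analyzer 6.8 Build 1165\r\n"
    b'ISTag: "12.300.1011"\r\n'
    b"X-Response-Desc: URL: No risk rating from WRS; FILE: File submitted to VA\r\n"
    b"Date: Thu, 16 Apr 2020 07:22:41 GMT\r\n\r\n")

if __name__ == "__main__":
    for raw in (SAFE_RESPONSE, BLOCKED_RESPONSE, PENDING_RESPONSE):
        print(classify(raw))
```

The block decision is taken from the threat headers rather than from the status code alone, so a 200 OK that merely echoes clean content (client without Allow: 204, or content too large to cache) is still allowed. Whether an allow-pending result should be treated as allow or held back is a policy choice for the client; the header gives enough information to make it.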