The %SUBFILE variable in "ICAP header X-Virus-Details" messages changes for each AV vendor.

Article ID: 168778

Products

Mobile App Risk Detection Content Analysis Software - CA

Issue/Introduction

Content Analysis has a message template that is triggered by an alert. The message in this template contains a variable called "%SUBFILE". This variable should show the path of the file; however, the format depends on the AV vendor, and each vendor generates a different file path.

Cause

In the Content Analysis management console, go to Settings > Alerts > Messages and select ICAP header X-Virus-Details. Find the following entry:

Virus: %VIRUS; File: %FILE; Sub File: %SUBFILE; Vendor: %AVVENDOR; Engine version: %AVENGINEVERS; Pattern version: %AVPATTERNVERS; Pattern date: %AVPATTERNDATE

The value of the %SUBFILE variable depends on the AV vendor, so it is not the same across vendors.

For example:

When using McAfee:
%SUBFILE = "inbound file/eicar_com.zip/eicar.com"

When using Kaspersky:
%SUBFILE = "//C:\Users\Downloads\eicar_com.zip//eicar.com"

When using Sophos:
%SUBFILE = "BUFFER/C:\Users\Downloads\eicar_com.zip/Embed0003/eicar.com"
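
Because the %SUBFILE format differs per engine, a log consumer that reads X-Virus-Details can normalize it before correlating detections. The following is an added example, not part of the original article or the product: the header parser follows the template above, while the placeholder tokens and every sample field value other than Sub File are assumptions inferred from the three samples shown.

```python
import re

# Field labels taken from the X-Virus-Details template shown above.
LABELS = ["Virus", "File", "Sub File", "Vendor", "Engine version",
          "Pattern version", "Pattern date"]
# Anchor on the fixed labels so a ';' or ':' inside a path cannot shift fields.
HEADER_RE = re.compile(
    "^" + "; ".join(f"{re.escape(l)}: (.*?)" for l in LABELS) + "$")

# Assumption: tokens treated as vendor scaffolding, inferred only from the
# three samples in this article; a real file with such a name is dropped too.
PLACEHOLDERS = re.compile(r"^(inbound file|BUFFER|Embed\d+)$")

# Sub File values copied from the article, keyed by vendor.
SUBFILES = {
    "McAfee": r"inbound file/eicar_com.zip/eicar.com",
    "Kaspersky": r"//C:\Users\Downloads\eicar_com.zip//eicar.com",
    "Sophos": r"BUFFER/C:\Users\Downloads\eicar_com.zip/Embed0003/eicar.com",
}


def parse_details(value):
    """Split an X-Virus-Details header value into a dict keyed by label."""
    m = HEADER_RE.match(value.strip())
    if m is None:
        raise ValueError("header does not match the default template")
    return dict(zip(LABELS, m.groups()))


def normalize_subfile(subfile):
    """Reduce a vendor-specific %SUBFILE value to [container, ..., member]."""
    parts = [p for p in re.split(r"/+", subfile) if p]
    parts = [p for p in parts if not PLACEHOLDERS.match(p)]
    # Keep only the basename of Windows-style paths (C:\dir\file.zip).
    return [p.rsplit("\\", 1)[-1] for p in parts]


def sample_header(vendor):
    """Constructed header: all values except Sub File are made up."""
    return (f"Virus: EICAR-Test; File: eicar_com.zip; "
            f"Sub File: {SUBFILES[vendor]}; Vendor: {vendor}; "
            "Engine version: 0; Pattern version: 0; Pattern date: 1970-01-01")


if __name__ == "__main__":
    for vendor in SUBFILES:
        fields = parse_details(sample_header(vendor))
        print(vendor, normalize_subfile(fields["Sub File"]))
```

If the message template has been customized in Settings > Alerts > Messages, the label list must be adjusted to match it.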

Resolution

This is expected behavior and is by design.

Workaround

None.