ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

The %SUBFILE message in "ICAP header X-Virus-Details" messages change for each AV vendor.


Article ID: 168778


Updated On:


Mobile App Risk Detection Content Analysis Software - CA


Content Analysis has a template message that will be triggered by an alert. The message in this template contains a variable called "%SUBFILE". This variable should show the path of the file, however this depends on the AV vendor. Each vendor will generate a different path file.


In the Content Analysis management console, go to Settings > Alerts > Messages and select ICAP header X-Virus-Details. Find the following entry:

Virus: %VIRUS; File: %FILE; Sub File: %SUBFILE; Vendor: %AVVENDOR; Engine version: %AVENGINEVERS; Pattern version: %AVPATTERNVERS; Pattern date: %AVPATTERNDATE

The %SUBFILE variable will provide a value that depends on the AV vendor, so it is not the same.

For example:

When using McAfee:
%SUBFILE = "inbound file/"

When using Kaspersky:
%SUBFILE = "//C:\Users\Downloads\"

When using Sophos:
%SUBFILE = "BUFFER/C:\Users\Downloads\"


This is an expected behavior or by design.