How to Block a Password Protected Archive in a fail_open ICAP Implementation

Article ID: 168842

Products

  • ProxyAV Software - AVOS
  • Content Analysis Software - CA
  • ProxySG Software - SGOS

Issue/Introduction

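In a fail_open ICAP implementation, a password protected archive is served to the user instead of being blocked. Article 000012601 describes why the file is being served.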

Cause

When the scanned file is password protected, the Content Analysis appliance / ProxyAV returns a 500 ICAP server error to the ProxySG appliance:
ICAP/1.0 500 Server error
X-Error-Details: File is password protected; File: test.zip; Sub File: ; Vendor: Sophos, Plc.; Engine version: 3.61.0; Pattern version: 5.20.10071973.0; Pattern date: 2015/10/21 05:04:09
X-Error-Code: password_protected
X-Apparent-Data-Types: TXT, ZIP
Service: CAS 1.3.1.1(170722)
Service-ID: avscanner
ISTag: "561E3583"
X-Scan-Progress: complete
Encapsulated: null-body=0
Date: Wed, 21 Oct 2015 06:01:05 GMT

Resolution

If ICAP scanning must remain fail_open but password protected archives must still be blocked, create a rule in the Web Access Layer that matches on the ICAP error code.

Example:

Destination
  • Set > New > ICAP Respmod Response Header 
  • Header Name: X-Error-Code 
  • Header Regex: password_protected 

Action 
  • Set > Deny (Or create a custom exception page that says "The file is password protected".)
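
The decision this rule produces can be modelled offline, for example to triage captured ICAP responses. The Python below is an added example, not ProxySG policy code; the function names are hypothetical, the sample is abridged from the response shown above, and any non-error ICAP status is simply treated as allow.

```python
import re

# Abridged from the ICAP response shown in this article.
SAMPLE = (
    "ICAP/1.0 500 Server error\r\n"
    "X-Error-Code: password_protected\r\n"
    "X-Apparent-Data-Types: TXT, ZIP\r\n"
    "Service-ID: avscanner\r\n"
    "Encapsulated: null-body=0\r\n"
    "\r\n"
)

def parse_icap_response(raw):
    """Return (status_code, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"ICAP/\d\.\d (\d{3})\b", lines[0])
    if not m:
        raise ValueError("not an ICAP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not "Name: value"
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

# Mirrors the rule above: Header Name X-Error-Code, Header Regex password_protected.
DENY_RULES = (("x-error-code", r"password_protected"),)

def verdict(raw, fail_open=True, deny_rules=DENY_RULES):
    """Header deny rules are checked first, then the fail_open/fail_closed default."""
    status, headers = parse_icap_response(raw)
    for name, pattern in deny_rules:
        if re.search(pattern, headers.get(name, "")):
            return "deny"
    if status >= 500:
        # ICAP server error: fail_open serves the file, fail_closed blocks it.
        return "allow" if fail_open else "deny"
    return "allow"  # assumption: scan verdicts on non-error responses are out of scope

if __name__ == "__main__":
    print("fail_open, no rule :", verdict(SAMPLE, deny_rules=()))
    print("fail_open with rule:", verdict(SAMPLE))
```

With the rule in place, other ICAP server errors still fail open; only responses whose X-Error-Code matches the regex are denied.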