ICAP error 0x80070057 returned when Kaspersky enhanced scanning is enabled

book

Article ID: 169248

calendar_today

Updated On:

Products

Content Analysis Software - CA Advanced Secure Gateway Software - ASG

Issue/Introduction

The Kaspersky AV engine allows customers to enable certain enhanced scanning features, these are configurable from the CAS GUI

Services -> AV Scanning Behavior - > Engine Settings

Enabling these features may cause certain web sites to fail to load.


 

ICAP Error (icap_error)

An error occurred while performing an ICAP operation: Anti-virus engine error (26:0x80070057); File: noname; Sub File: ; Vendor: Kaspersky Labs; Engine version 8.2.5.17; Pattern version: 180720.133800.11863587; Pattern date: 2018/07/20 13:38:00

For assistance, contact your network support team. 

Cause

The error is caused by the website returning non-RFC2616 characters in response headers.

This is not obvious from a pcap

User-added image

But is easy to see in a browsers developer tools

User-added image
 

Environment

Content Analysis System running CAS 1.3 - 2.3.5.2

Advanced Secure Gateway running SGOS 6.6 - 6.7.4.8

Resolution

This issue is first addressed in CAS 2.4.1.1 and above as well as ASG 6.7.4.9 and above.
 

Workaround

There are a few workarounds to address this concern:

  1. Disable the "Enhanced Scanning". This setting is located under Services -> AV Scanning Behavior -> Kaspersky Options
  2. On the proxy appliance disable ICAP for the resource hosting the file so it's not sent to the CAS appliance for AV scanning

Alternatively contacting the administrator of the web site and asking that they not use non RFC complaint characters in the headers will resolve the issue.
 

Attachments