
CAS unable to recognize apparent data types


Article ID: 169360


Updated On:


Content Analysis Software - CA


This article uses a compressed file (.zip or .7z) as an example. Consider a deployment where ProxySG is used in conjunction with a CAS appliance, and CAS fails to return all the apparent data types of the contents inside a compressed file when ProxySG sends the file for scanning. The same applies when a test is performed using the utility under CAS [Utilities -> Test -> Select and Scan Test File]. The following are the test results for a .7z file that has an exe file inside.

ICAP/1.0 204 No modifications needed 
X-Whitelisting-Score: 10 
X-File-Reputation-Score: 0 
X-Apparent-Data-Types: UNKN  <--------------------------  returns UNKN instead of actual file types 
X-ICAP-Metadata: { "file_reputation": 0, "expect_sandbox": false } 
Service: CAS 
Service-ID: avscanner 
ISTag: "58AE4E60" 
Encapsulated: null-body=0 


This is because of the file reputation score of the file. When the file is inspected, it returns a score of 10, indicating that this is a trusted file. When a score of 10 is returned, CAS bypasses the remainder of the processing and returns the apparent data type as shown above (UNKN).

Note: Refer to this article to understand the order in which CAS scans objects: TECH245572


The only current way to stop this behavior is to not use file reputation, because this behavior is what file reputation was designed for (identifying known good vs known bad to accelerate results). If a customer cannot disable this feature due to security concerns, they can submit a feature request via SE to have it considered in future releases.

Expected scan results for the same file after turning off file reputation:

ICAP/1.0 204 No modifications needed 
X-Apparent-Data-Types: UNKN, TXT, ASCII, EXE, JS 
X-ICAP-Metadata: { "expect_sandbox": false } 
Service: CAS 
Service-ID: avscanner 
ISTag: "58AE4F7F" 
Encapsulated: null-body=0
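
The check below is an added example, not Broadcom code: it parses the two ICAP responses shown in this article (with the arrow annotation removed) and flags a response where the object was trusted and only UNKN came back, so logs or policy that rely on X-Apparent-Data-Types can tell the types were not enumerated. It assumes the score of 10 described above is the value carried in X-Whitelisting-Score, as in the sample output; the function names are hypothetical.

```python
# Added example: the sample responses are copied from the two outputs in this article.
TRUSTED_SCORE = 10  # assumption: the "score of 10" is the X-Whitelisting-Score value

SHORT_CIRCUITED = """ICAP/1.0 204 No modifications needed
X-Whitelisting-Score: 10
X-File-Reputation-Score: 0
X-Apparent-Data-Types: UNKN
X-ICAP-Metadata: { "file_reputation": 0, "expect_sandbox": false }
Service: CAS
Service-ID: avscanner
ISTag: "58AE4E60"
Encapsulated: null-body=0
"""

FULL_SCAN = """ICAP/1.0 204 No modifications needed
X-Apparent-Data-Types: UNKN, TXT, ASCII, EXE, JS
X-ICAP-Metadata: { "expect_sandbox": false }
Service: CAS
Service-ID: avscanner
ISTag: "58AE4F7F"
Encapsulated: null-body=0
"""

def parse_icap_headers(raw):
    """Return (status_line, headers) with lower-cased header names."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # ignore anything that is not a "Name: value" header line
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def apparent_types(headers):
    """Split X-Apparent-Data-Types into a list of type tokens."""
    raw = headers.get("x-apparent-data-types", "")
    return [t.strip() for t in raw.split(",") if t.strip()]

def types_incomplete(raw):
    """True when the object was trusted and no type other than UNKN was returned."""
    _, headers = parse_icap_headers(raw)
    score = headers.get("x-whitelisting-score")
    trusted = score is not None and score.isdigit() and int(score) == TRUSTED_SCORE
    return trusted and set(apparent_types(headers)) <= {"UNKN"}
```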