CAS unable to recognize apparent data types

Article ID: 169360

Products

Content Analysis Software - CA

Issue/Introduction

This article uses a compressed file (.zip or .7z) as its example. Consider a deployment where ProxySG is used together with a CAS appliance, and CAS fails to return all of the apparent data types of the contents inside a compressed file when ProxySG sends the file for scanning. The same happens when a test is run with the CAS utility [Utilities -> Test -> Select and Scan Test File]. The following are the test results for a .7z file that contains an .exe file.

ICAP/1.0 204 No modifications needed
X-Whitelisting-Score: 10
X-File-Reputation-Score: 0
X-Apparent-Data-Types: UNKN  <--------------------------  returns UNKN instead of actual file types
X-ICAP-Metadata: { "file_reputation": 0, "expect_sandbox": false }
Service: CAS 1.3.7.3(195887)
Service-ID: avscanner
ISTag: "58AE4E60"
Encapsulated: null-body=0

Cause

This is caused by the file reputation score of the file. When the file is inspected, it returns a score of 10, indicating a trusted file. When a score of 10 is encountered, CAS bypasses the remainder of the processing and returns only the apparent data type it has at that point (UNKN), rather than the types of the files inside the archive.

Note: Refer to this article to understand the order in which CAS scans objects: TECH245572

Resolution

The only current way to stop this behavior is not to use file reputation, since this is exactly what file reputation was designed for (identifying known good vs. known bad to accelerate results). If the customer cannot disable this feature due to security concerns, they can submit a feature request via their SE for consideration in a future release.

Expected scan results (after turning off file reputation) for the same file:

ICAP/1.0 204 No modifications needed
X-Apparent-Data-Types: UNKN, TXT, ASCII, EXE, JS
X-ICAP-Metadata: { "expect_sandbox": false }
Service: CAS 1.3.7.3(195887)
Service-ID: avscanner
ISTag: "58AE4F7F"
Encapsulated: null-body=0
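As an added example (not code from this article or from CAS), the following parses the two ICAP responses shown above and flags the symptom described under Cause: a whitelisting score of 10 together with an apparent data type of UNKN only, which means the archive contents were never enumerated. The header names are the ones on the page; the short-circuit heuristic and the assumption that the score arrives as the string "10" are mine.

```python
# Added example, not part of the Broadcom article or of CAS. It parses the
# ICAP response headers the article shows and flags the reputation
# short-circuit (score 10, data types reduced to UNKN). Heuristic assumed.
import json

# Constructed from the article's "before" response (file reputation on).
RESPONSE_WITH_REPUTATION = """ICAP/1.0 204 No modifications needed
X-Whitelisting-Score: 10
X-File-Reputation-Score: 0
X-Apparent-Data-Types: UNKN
X-ICAP-Metadata: { "file_reputation": 0, "expect_sandbox": false }
Service: CAS 1.3.7.3(195887)
Service-ID: avscanner
ISTag: "58AE4E60"
Encapsulated: null-body=0
"""

# Constructed from the article's "after" response (file reputation off).
RESPONSE_WITHOUT_REPUTATION = """ICAP/1.0 204 No modifications needed
X-Apparent-Data-Types: UNKN, TXT, ASCII, EXE, JS
X-ICAP-Metadata: { "expect_sandbox": false }
Service: CAS 1.3.7.3(195887)
Service-ID: avscanner
ISTag: "58AE4F7F"
Encapsulated: null-body=0
"""


def parse_icap_response(raw):
    """Return (status line, headers). Names are lower-cased;
    X-Apparent-Data-Types becomes a list, X-ICAP-Metadata a dict."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "x-apparent-data-types" in headers:
        headers["x-apparent-data-types"] = [
            t.strip() for t in headers["x-apparent-data-types"].split(",")]
    if "x-icap-metadata" in headers:
        headers["x-icap-metadata"] = json.loads(headers["x-icap-metadata"])
    return lines[0], headers


def reputation_short_circuit(headers):
    """True when the response matches the article's symptom: a whitelisting
    score of 10 (trusted) with only UNKN reported, i.e. the archive
    contents were never enumerated. Assumes the score is the string "10"."""
    return (headers.get("x-whitelisting-score") == "10"
            and headers.get("x-apparent-data-types") == ["UNKN"])
```

Run over captured ICAP responses, this distinguishes archives that were genuinely scanned from those that were short-circuited by file reputation.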