ProxySG access log "s-icap-status" ELFF field

book

Article ID: 170652

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

You have edited the access log to populate the "s-icap-status" field and want to know the meaning of the possible values.This value is based on the response from the ICAP server.

Resolution

The possible values for the "s-icap-status" field are:

  • ICAP_NOT_SCANNED -This value is seen in explicit deployments where the https traffic is tunneled int the CONNECT request which the proxy has to detect and hand-off to the correct proxy hence no ICAP scanning is occurring. Also when the resource is denied.

EXAMPLE:

ICAP_NOT_SCANNED 2017-12-12 08:08:07 4 10.91.17.105 TCP_ACCELERATED - - - - safebrowsing.googleapis.com - 10.91.17.3 - none - - - - none - - 10.91.17.3 SG-HTTP-Service

ICAP_NOT_SCANNED 2017-12-12 08:08:07 2 10.91.17.105 TCP_DENIED - - - - safebrowsing.googleapis.com - - - none - - - - none - - 10.91.17.3 SG-HTTP-Service

 

  • ICAP_NO_MODIFICATION - This value is showing in the access log if the ICAP server returned the status os 204 - file is "clean"

EXAMPLE:

ICAP_NO_MODIFICATION 2017-12-12 08:07:28 94 10.91.17.102 TCP_DENIED - - - - www.piriform.com - www.piriform.com - none - - - - none - - 10.91.17.3 SG-HTTP-Service

 

  • ICAP_REPLACED - When the ICAP AV engine detect a malware the access log shows this value. The string REPLACED indicates that an exception page was returned and hence replaced the file requested.

EXAMPLE:

ICAP_REPLACED 2017-12-12 08:11:39 157 10.91.17.102 TCP_DENIED - - - - www.eicar.org - www.eicar.org - none - - - - none - - 10.91.17.3 SG-HTTP-Service

 

  • ICAP_COMMUNICATION_ERROR - Any ICAP 500 error returned to the proxy would populate the s-icap-status field with this value.

EXAMPLE:

ICAP_COMMUNICATION_ERROR 2017-12-12 08:10:07 122 10.91.17.102 TCP_DENIED - untrusted-issuer - - 10.91.3.76 - 10.91.3.76 TLSv1 AES128-SHA 128 10.91.3.76 "none" TLSv1 ECDHE-RSA-AES256-SHA 256 - 10.91.17.3 SG-SSL-Proxy-Service

ICAP 500 errors:

scan_timeout, decode_error, password_protected, insufficient_space, max_file_size_exceeded, max_total_size_exceeded, max_total_files_exceeded, file_extension_blocked, antivirus_load_failure, antivirus_license_expired, antivirus_engine_error, connection_failure, request_timeout, internal_error, server_error, server_unavailable.