Stop MP4 files from being sent to MAA

Article Id: 171061
Status: Published
Updated On: 12-05-2018 15:38
Legacy Id: TECH249349
Products:
SG-300 , SG-9000 , SG-S500 , SG-S400 , SG-S200 , SWG VA-100
Issue/Introduction:

You have ProxySG configured to send files to CAS for scanning

 

In logs you seen file not scanned..x.x..x .mp4

Cause:

This happens because the SG chunks streamed media (like streamed 
mp4s) arbitrarily and in this case sends the chunks to the CAS to scan. We do 
not support scanning of streams, so the recommended solution is to configure the SG to not send media streams to CAS. 

Resolution:

You can add the following cpl  "url.query.regex="\.mp4" to your Miscellaneous ICAP Bypass section in your ICAP Best Practices CPL

 

::::::::::::::::::::::: Miscellaneous ICAP Bypass :::::::::::::::::::::
; Add miscellaneous sites that are to bypass ICAP scanning

<cache>
condition=ICAP_Misc_Bypass response.icap_service(no)

define condition ICAP_Misc_Bypass
;url.domain=test.com   ;bypass scanning based off of url domain
;url.path.suffix="pdf" ;bypass scanning based off of file extension
end condition ICAP_Misc_Bypass

;::::::::::::::::::: END Miscellaneous ICAP Bypass :::::::::::::::::::

 

 

Sample ICAP BEST Practices

;:::::::::::::::::::::::::::::::::::::::: ICAP Layer ::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;############################################################################################################
;############################################################################################################


;::::::::::::::::::::: START ICAP Best Practices NO-SCAN CPL + Malware Bypass :::::::::::::::::::::

; If Malware Scanning is enabled (Configuration > Threat Protection > Malware Scanning) on your ProxySG, 
; your existing ICAP Best Practices are ignored.
; When you enable malware scanning on the ProxySG, it automatically 
; adds policy to perform malware scanning for every response 
; Therefore this change will also cause Malware scanning overrides ICAP Best Practices.
; By modifying Bypass_BC_Malware_scanning_solution CPL code, 
; you can override Malware scanning policy rules and have the ICAP Best ; Practices CPL code effective.

 


<Cache Bypass_BC_malware_scanning_solution> 
policy.Bypass_BC_malware_scanning_solution ; Creates a new layer after the Malware Scanning layers. 

define cache policy Bypass_BC_malware_scanning_solution 
<Cache Bypass_BC_malware_scanning_solution > 
condition=NOICAP condition=ShouldScanHighPerformance response.icap_service(no) 
; Bypasses Icap for URLs defined in NOICAP condition. NOICAP condition is part of ICAP Best Practices 
end 


<Cache> 
delete_on_abandonment(yes) 
<Proxy> 
request.header.User-Agent="ProxyAV" response.icap_feedback.interactive(no) 
<Cache> 
condition=NOICAP url.scheme=http response.icap_service(no) 

define condition MisBehaving_Old_UserAgents 
request.header.User-Agent="Winamp" 
request.header.User-Agent="NSPlayer" 
request.header.User-Agent="RMA" 
request.header.User-Agent="ultravox" 
request.header.User-Agent="itunes" 
request.header.User-Agent="forest" 
request.header.User-Agent="Scottrader" 
request.header.User-Agent="SVN" 
end condition MisBehaving_Old_UserAgents 

define condition HTTPv0.9_UserAgents 
http.response.version=0.9 condition=MisBehaving_Old_UserAgents 
end condition HTTPv0.9_UserAgents 

define condition NO_or_LARGE_CONTENT_LENGTH 
;note- the following line is correct- do NOT add .* between quotes 
response.header.Content-Length=!"" ;true if Content-Length header is not present 
response.header.Content-Length=!"^[0-9]{1,8}$" ;>99,999,999 
end condition NO_or_LARGE_CONTENT_LENGTH 

define condition Bad_response_for_ICAP 
condition=NO_or_LARGE_CONTENT_LENGTH 
condition=HTTPv0.9_UserAgents 
condition=MEDIA_MIME_TYPES 
url.domain=//streamerapi.finance.yahoo.com ; 
; Yahoos stock ticker problem -15sep06 
url.domain=//streamerapi.finance.yahoo.com 
url.domain=//stream.aol.com 
url.domain=//finance.google.com 
; Other streaming media exceptions 
url.domain=//youtube.com 
url.domain=//pandora.com 
end condition Bad_response_for_ICAP 

define condition MEDIA_MIME_TYPES 
url.extension=flv 
url.extension=swf 
url.extension=ismc  ;MS Smooth Manifest File Extension
url.extension=f4m   ;Adobe HDS Manifest File Extension
url.extension=m3u8  ;Apple HLS Manifest File Extension
request.x_header.x-flash-version="" 
response.header.Content-Type="video/(x-|)flv" 
response.header.Content-Type="video/(x-|)flv" 
response.header.Content-Type="video/(x-|)flash" 
http.response.data.4.regex.case_sensitive="^CWS[0-9]" 
http.response.data.4.regex.case_sensitive="^FWS[0-9]" 
response.header.Content-Type="video/" 
response.header.Content-Type="application/streamingmedia" 
response.header.Content-Type="application/x-streamingmedia" 
response.header.Content-Type="application/vnd.rn" 
response.header.Content-Type="application/ogg" 
response.header.Content-Type="application/x-ogg" 
response.header.Content-Type="audio/" 
response.header.Content-Type="multipart/x-mixed-replace" 
end condition MEDIA_MIME_TYPES 

define condition Not_ICAP_response 
response.x_header.X-Virus-ID=!"" ;true if X-Virus-ID header is not present 
end condition Not_ICAP_response 

define condition No_ICAP_Domains 
url.domain=windowsupdate.com 
url.domain=c.microsoft.com 
url.domain=update.microsoft.com 
url.domain=windowsupdate.microsoft.com 
url.domain=download.windowsupdate.com 
end condition No_ICAP_Domains 

define condition NOICAP 
;Negate ICAP service only if the OCS response is undesirable 
condition=Bad_response_for_ICAP condition=Not_ICAP_response condition=No_ICAP_Domains 
streaming.client=windows_media
streaming.client=real_media 
streaming.client=quicktime 
streaming.client=ms_smooth 
streaming.client=adobe_hds 
streaming.client=apple_hls 
end condition NOICAP 

; Bypass Apple HLS related traffic
<cache>
streaming.client=windows_media response.icap_service(no)
streaming.client=real_media response.icap_service(no)
streaming.client=quicktime response.icap_service(no)
streaming.client=ms_smooth response.icap_service(no)
streaming.client=adobe_hds response.icap_service(no)
streaming.client=apple_hls response.icap_service(no)

;::::::::::::::::::::: END ICAP Best Practices NO-SCAN CPL + Malware Bypass :::::::::::::::::::::
;############################################################################################################
;############################################################################################################

;::::::::::::::::::::: Miscellaneous ICAP Bypass :::::::::::::::::::::
; Add miscellaneous sites that are to bypass ICAP scanning

<cache>
condition=ICAP_Misc_Bypass response.icap_service(no)

define condition ICAP_Misc_Bypass
;url.domain=test.com   ;bypass scanning based off of url domain
;url.path.suffix="pdf" ;bypass scanning based off of file extension
end condition ICAP_Misc_Bypass

;::::::::::::::::::: END Miscellaneous ICAP Bypass :::::::::::::::::::

;############################################################################################################
;############################################################################################################
;:::::::::::::::::::::::::::::::::::::::: END ICAP Layer ::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;############################################################################################################
;############################################################################################################