You have ProxySG configured to send files to CAS for scanning
In logs you seen file not scanned..x.x..x .mp4
This happens because the SG chunks streamed media (like streamed
mp4s) arbitrarily and in this case sends the chunks to the CAS to scan. We do
not support scanning of streams, so the recommended solution is to configure the SG to not send media streams to CAS.
You can add the following cpl "url.query.regex="\.mp4" to your Miscellaneous ICAP Bypass section in your ICAP Best Practices CPL
::::::::::::::::::::::: Miscellaneous ICAP Bypass :::::::::::::::::::::
; Add miscellaneous sites that are to bypass ICAP scanning
<cache>
condition=ICAP_Misc_Bypass response.icap_service(no)
define condition ICAP_Misc_Bypass
;url.domain=test.com ;bypass scanning based off of url domain
;url.path.suffix="pdf" ;bypass scanning based off of file extension
end condition ICAP_Misc_Bypass
;::::::::::::::::::: END Miscellaneous ICAP Bypass :::::::::::::::::::
Sample ICAP BEST Practices
;:::::::::::::::::::::::::::::::::::::::: ICAP Layer ::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;############################################################################################################
;############################################################################################################
;::::::::::::::::::::: START ICAP Best Practices NO-SCAN CPL + Malware Bypass :::::::::::::::::::::
; If Malware Scanning is enabled (Configuration > Threat Protection > Malware Scanning) on your ProxySG,
; your existing ICAP Best Practices are ignored.
; When you enable malware scanning on the ProxySG, it automatically
; adds policy to perform malware scanning for every response
; Therefore this change will also cause Malware scanning overrides ICAP Best Practices.
; By modifying Bypass_BC_Malware_scanning_solution CPL code,
; you can override Malware scanning policy rules and have the ICAP Best ; Practices CPL code effective.
<Cache Bypass_BC_malware_scanning_solution>
policy.Bypass_BC_malware_scanning_solution ; Creates a new layer after the Malware Scanning layers.
define cache policy Bypass_BC_malware_scanning_solution
<Cache Bypass_BC_malware_scanning_solution >
condition=NOICAP condition=ShouldScanHighPerformance response.icap_service(no)
; Bypasses Icap for URLs defined in NOICAP condition. NOICAP condition is part of ICAP Best Practices
end
<Cache>
delete_on_abandonment(yes)
<Proxy>
request.header.User-Agent="ProxyAV" response.icap_feedback.interactive(no)
<Cache>
condition=NOICAP url.scheme=http response.icap_service(no)
define condition MisBehaving_Old_UserAgents
request.header.User-Agent="Winamp"
request.header.User-Agent="NSPlayer"
request.header.User-Agent="RMA"
request.header.User-Agent="ultravox"
request.header.User-Agent="itunes"
request.header.User-Agent="forest"
request.header.User-Agent="Scottrader"
request.header.User-Agent="SVN"
end condition MisBehaving_Old_UserAgents
define condition HTTPv0.9_UserAgents
http.response.version=0.9 condition=MisBehaving_Old_UserAgents
end condition HTTPv0.9_UserAgents
define condition NO_or_LARGE_CONTENT_LENGTH
;note- the following line is correct- do NOT add .* between quotes
response.header.Content-Length=!"" ;true if Content-Length header is not present
response.header.Content-Length=!"^[0-9]{1,8}$" ;>99,999,999
end condition NO_or_LARGE_CONTENT_LENGTH
define condition Bad_response_for_ICAP
condition=NO_or_LARGE_CONTENT_LENGTH
condition=HTTPv0.9_UserAgents
condition=MEDIA_MIME_TYPES
url.domain=//streamerapi.finance.yahoo.com ;
; Yahoos stock ticker problem -15sep06
url.domain=//streamerapi.finance.yahoo.com
url.domain=//stream.aol.com
url.domain=//finance.google.com
; Other streaming media exceptions
url.domain=//youtube.com
url.domain=//pandora.com
end condition Bad_response_for_ICAP
define condition MEDIA_MIME_TYPES
url.extension=flv
url.extension=swf
url.extension=ismc ;MS Smooth Manifest File Extension
url.extension=f4m ;Adobe HDS Manifest File Extension
url.extension=m3u8 ;Apple HLS Manifest File Extension
request.x_header.x-flash-version=""
response.header.Content-Type="video/(x-|)flv"
response.header.Content-Type="video/(x-|)flv"
response.header.Content-Type="video/(x-|)flash"
http.response.data.4.regex.case_sensitive="^CWS[0-9]"
http.response.data.4.regex.case_sensitive="^FWS[0-9]"
response.header.Content-Type="video/"
response.header.Content-Type="application/streamingmedia"
response.header.Content-Type="application/x-streamingmedia"
response.header.Content-Type="application/vnd.rn"
response.header.Content-Type="application/ogg"
response.header.Content-Type="application/x-ogg"
response.header.Content-Type="audio/"
response.header.Content-Type="multipart/x-mixed-replace"
end condition MEDIA_MIME_TYPES
define condition Not_ICAP_response
response.x_header.X-Virus-ID=!"" ;true if X-Virus-ID header is not present
end condition Not_ICAP_response
define condition No_ICAP_Domains
url.domain=windowsupdate.com
url.domain=c.microsoft.com
url.domain=update.microsoft.com
url.domain=windowsupdate.microsoft.com
url.domain=download.windowsupdate.com
end condition No_ICAP_Domains
define condition NOICAP
;Negate ICAP service only if the OCS response is undesirable
condition=Bad_response_for_ICAP condition=Not_ICAP_response condition=No_ICAP_Domains
streaming.client=windows_media
streaming.client=real_media
streaming.client=quicktime
streaming.client=ms_smooth
streaming.client=adobe_hds
streaming.client=apple_hls
end condition NOICAP
; Bypass Apple HLS related traffic
<cache>
streaming.client=windows_media response.icap_service(no)
streaming.client=real_media response.icap_service(no)
streaming.client=quicktime response.icap_service(no)
streaming.client=ms_smooth response.icap_service(no)
streaming.client=adobe_hds response.icap_service(no)
streaming.client=apple_hls response.icap_service(no)
;::::::::::::::::::::: END ICAP Best Practices NO-SCAN CPL + Malware Bypass :::::::::::::::::::::
;############################################################################################################
;############################################################################################################
;::::::::::::::::::::: Miscellaneous ICAP Bypass :::::::::::::::::::::
; Add miscellaneous sites that are to bypass ICAP scanning
<cache>
condition=ICAP_Misc_Bypass response.icap_service(no)
define condition ICAP_Misc_Bypass
;url.domain=test.com ;bypass scanning based off of url domain
;url.path.suffix="pdf" ;bypass scanning based off of file extension
end condition ICAP_Misc_Bypass
;::::::::::::::::::: END Miscellaneous ICAP Bypass :::::::::::::::::::
;############################################################################################################
;############################################################################################################
;:::::::::::::::::::::::::::::::::::::::: END ICAP Layer ::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;############################################################################################################
;############################################################################################################