How to enable the Malware Scanning error handling policy in UPE.


Article ID: 220710


Updated On:


Web Security Service - WSS


When WSS policy is managed from the portal, there is an option to exempt Password-Protected Archives from the malware scanning policy.

When the policy source is changed so that policies are managed from the Management Center (MC), this option is removed from the WSS portal. The policy then has to be configured manually from the MC.


Management Center used to manage WSS


To deploy the same policy from the MC, the following config change and policy have to be deployed from the MC.

  1. Change the ICAP scanning policy object fail behavior to “Fail Open” (you can skip this if the fail behavior is already set to Fail Open).

  2. Install the following CPL policy in an existing or a new CPL layer.

#if enforcement=wss
; Allow when the ICAP error is a password-protected archive
response.icap.error_code=password_protected Allow
; Deny on any other ICAP error
response.icap.error_code=any Deny
#endif


This CPL layer will allow only the password_protected ICAP error code and block all other ICAP error codes.