Cloud SWG deployment managed via UPE, where malware policies are defined
Users accessing training videos from Workday saw ICAP errors when the videos were long, for example more than 30 minutes. The error page rendered to the user was a Cloud SWG error page.
The Cloud SWG administrator confirmed from the Cloud SWG access logs that a custom_icap_error verdict was recorded every time users reported the issue.
Assuming large files were the culprit (the malware policy blocked on the max_file_size_exceeded ICAP response code), the users who needed access to these videos were added to a 'File Size Exceeded Bypass List'.
Despite this bypass, users still reported ICAP errors.
Cloud SWG, with malware policies applied via UPE.
The malware ICAP error handling layer contained a rule whose condition was completely independent of any ICAP response.
Avoid adding rules to the ICAP error handling layer that are independent of ICAP responses, or create a separate user-defined error page for non-ICAP errors so that the two failure modes can be told apart.
In the example above, the ICAP Error Actions layer included various rules for handling the ICAP error codes returned by CAS, but Rule 10 has a condition that matches a response Content-Length of 100 MB or more (nine or more digits) and returns the same ICAP error page, even though such objects are never sent to CAS and no ICAP error code is present. Because the bypass list in Rule 1 is only consulted together with an ICAP error code, adding a destination to it cannot prevent Rule 10 from firing.
;; Tab: [ICAP Error Actions]
<Proxy>
#if enforcement=wss
condition="File Size Exceeded Bypass List" response.icap.error_code=(max_file_size_exceeded) Allow ; Rule 1 ; Allow specific destinations to bypass AV scanning when the file size exceeds the CAS configured Maximum
condition="File Size Exceeded List" Allow ; Rule 2 ; Allow any file downloads from URLs that don't have a content size header.
condition="Password Protected URLs Allowed" response.icap.error_code=(password_protected) Allow ; Rule 3 ; Allow ProxySG to serve content that is password protected for sites specified in the Destination column
:
response.icap.error_code=(any) force_exception(user-defined.Cust_icap_error) ; Rule 9 ; Deny all other ICAP Errors returned by CAS
:
response.header.Content-Length="^[0-9]{9,}$" force_exception(user-defined.Cust_icap_error,"<p><b>Requested Resource Blocked</b></p> <p>Maximum File Size 100MB Exceeded</p> <p>Enhanced security controls “Please select the type of request required” select <b>Large File Downloads </b>from the drop down list. </p>") ; Rule 10 ; Block all file downloads of 100MB and Over where there is a content header size set and so doesn't get sent to CAS.
#endif
To avoid touching the other layers and to minimise changes to the current policy, Rule 2 above was modified to address the issue. Its 'File Size Exceeded List' condition was redefined to check whether the object being accessed is in the existing File Size Exceeded Bypass List AND the response Content-Length is 100 MB or greater, and if so to ALLOW the request through. Since rules in a layer are evaluated in order and the first match wins, Rule 2 now allows these downloads before Rule 10 is reached; adding the domain the videos were downloaded from to the File Size Exceeded Bypass List (see the condition definition below) fixed the issue.
;; Description:
define condition "__CondList1File Size Exceeded List"
condition="File Size Exceeded Bypass List"
end condition "__CondList1File Size Exceeded List"
define condition "__CondList2File Size Exceeded List"
response.header.Content-Length="^[0-9]{9,}$"
end condition "__CondList2File Size Exceeded List"
define condition "File Size Exceeded List"
condition="__CondList1File Size Exceeded List" condition="__CondList2File Size Exceeded List"
end condition "File Size Exceeded List"
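The CPL above cannot be executed outside the proxy, so the following Python model, added here as an example and not part of the original article or of any Broadcom/Symantec code, simulates first-match evaluation of the ICAP Error Actions layer before and after the Rule 2 change. The bypass-list domain, the sample Content-Length values and the ICAP error codes on the transactions are constructed; the original Rule 2 condition is not shown on the page, so it is modelled from its comment (downloads with no Content-Length header) as an assumption. Rules 4 to 8 are elided on the page and are omitted here too.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Destinations permitted to bypass AV scanning for oversize files
# (the page's 'File Size Exceeded Bypass List'). Domain is hypothetical.
FILE_SIZE_EXCEEDED_BYPASS_LIST = {"videos.training.example"}

# Same pattern as Rule 10 and __CondList2 on the page: nine or more digits,
# i.e. Content-Length >= 100,000,000 bytes (100 MB, decimal).
CONTENT_LENGTH_100MB = re.compile(r"^[0-9]{9,}$")

# CAS ICAP error code name used by Rule 1 on the page.
MAX_FILE_SIZE_EXCEEDED = "max_file_size_exceeded"


@dataclass
class Transaction:
    """What the ICAP Error Actions layer can see for one response."""
    host: str
    content_length: Optional[str] = None   # raw header value, None if absent
    icap_error_code: Optional[str] = None  # None when CAS never saw the object


Condition = Callable[[Transaction], bool]


def in_bypass_list(tx: Transaction) -> bool:
    return tx.host in FILE_SIZE_EXCEEDED_BYPASS_LIST


def content_length_100mb(tx: Transaction) -> bool:
    return tx.content_length is not None and CONTENT_LENGTH_100MB.match(tx.content_length) is not None


def build_layer(fixed: bool) -> list:
    """Model the ICAP Error Actions layer as an ordered list of (name, condition, action).

    As in a CPL layer, evaluation stops at the first matching rule.
    """
    if fixed:
        # Modified Rule 2: __CondList1 AND __CondList2 from the page.
        rule2: Condition = lambda tx: in_bypass_list(tx) and content_length_100mb(tx)
    else:
        # Original Rule 2, modelled from its comment only (assumption):
        # allow downloads that carry no Content-Length header.
        rule2 = lambda tx: tx.content_length is None
    return [
        ("Rule 1", lambda tx: in_bypass_list(tx) and tx.icap_error_code == MAX_FILE_SIZE_EXCEEDED, "Allow"),
        ("Rule 2", rule2, "Allow"),
        ("Rule 9", lambda tx: tx.icap_error_code is not None, "force_exception(Cust_icap_error)"),
        ("Rule 10", content_length_100mb, "force_exception(Cust_icap_error)"),
    ]


def evaluate(layer: list, tx: Transaction) -> tuple:
    """Return (matching rule name, action); (None, 'Allow') when no rule matches."""
    for name, cond, action in layer:
        if cond(tx):
            return name, action
    return None, "Allow"


# Constructed sample transactions (sizes and hosts are illustrative).
LONG_VIDEO = Transaction("videos.training.example", content_length="471859200")   # ~450 MB, never sent to CAS
SHORT_VIDEO = Transaction("videos.training.example", content_length="52428800",
                          icap_error_code=MAX_FILE_SIZE_EXCEEDED)                # 50 MB, CAS reported its limit hit
OTHER_BIG = Transaction("downloads.example.net", content_length="268435456")      # 256 MB, not in the bypass list
SMALL_OK = Transaction("downloads.example.net", content_length="99999999")        # 8 digits: just under 100 MB


def compare() -> dict:
    """Evaluate each sample against the layer before and after the Rule 2 change."""
    before, after = build_layer(False), build_layer(True)
    samples = [("long_video", LONG_VIDEO), ("short_video", SHORT_VIDEO),
               ("other_big", OTHER_BIG), ("small_ok", SMALL_OK)]
    return {name: (evaluate(before, tx), evaluate(after, tx)) for name, tx in samples}


if __name__ == "__main__":
    for name, (b, a) in compare().items():
        print(f"{name:12s} before={b}  after={a}")
```

The long video is the case from the article: with no ICAP error code, neither Rule 1 nor Rule 9 can match, the original Rule 2 does not match because a Content-Length header is present, and Rule 10 blocks it; with the redefined Rule 2 the bypass-listed destination is allowed before Rule 10 is reached. The other samples show that the change does not widen the bypass: large downloads from destinations outside the list still hit Rule 10, and objects under 100 MB are unaffected.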