Cloud SWG malware scanning has a limit of 100MB.
Any file greater than this limit generates the ICAP error code 'max_file_size_exceeded', and the Cloud SWG admin can allow or block access based on this error code.
As a best practice, the Cloud SWG admin wants to configure a UPE policy that prevents files greater than 100MB from being sent to the malware scanning service at all.
What CPL should be added to make sure that objects greater than the scanning limit are not sent to the malware service, avoiding the unnecessary overhead?
Cloud SWG.
Malware scanning.
UPE policy.
As a best practice, the Cloud SWG admin defines a policy blocking users from accessing files greater than 100MB unless the user is a member of a "File Size Exceeded Bypass List" exception group.
;; Tab: [ICAP Error Actions]
<Proxy>
condition="File Size Exceeded Bypass List" response.icap.error_code=(max_file_size_exceeded) Allow ; Rule 1 ; Allow specific destinations to bypass AV scanning when the file size exceeds the CAS configured Maximum
:
response.icap.error_code=(any) force_exception() ; Deny all other ICAP Errors returned by CAS
To prevent files greater than 100MB from being sent to the malware service in the first place, an additional check based on the HTTP Content-Length response header can be used. The following condition makes sure that no object whose declared size is 100MB or more is sent for scanning.
response.header.Content-Length.as_number=104857600..18446744073709551615 response.icap_service(no)
Note: A response containing an object greater than 100MB but without a Content-Length header may still be returned. In that case the first 100MB are sent to the malware service for scanning before the service detects that the object exceeds the 100MB maximum and triggers the max_file_size_exceeded ICAP error code.
In the response below, the Content-Length header is greater than 100MB, yet by default this object would still be sent to CAS for UPE-managed tenants.
< HTTP/1.1 200 OK
< Date: Wed, 09 Apr 2025 09:15:35 GMT
< Content-Type: application/zip
< Content-Length: 136569131
< Connection: keep-alive
< last-modified: Fri, 24 Jan 2025 12:46:56 GMT
Anything sent to CAS in the Cloud that exceeds 100MB will trigger the max_file_size_exceeded ICAP error code.
To avoid the additional overhead of sending a response object to the malware service that will not be scanned anyway, the logic in the resolution section can be applied.
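The following Python model is an added example (not Broadcom code or CPL) that walks through the decisions described above: the Content-Length pre-check that sets icap_service(no), the streaming of the first 100MB when no Content-Length is present, and the ICAP Error Actions layer with the bypass group. The header block is the curl output quoted in this article; the CAS behaviour and the `evaluate` helper are assumptions used only to illustrate the flow.

```python
"""Model of the CPL logic in this article (constructed example, not Broadcom code)."""

MAX_SCAN_BYTES = 104857600  # 100MB limit used in the CPL range
BYPASS_GROUP = "File Size Exceeded Bypass List"  # exception group from the policy

# Verbose curl output quoted in the article, embedded here as sample input.
SAMPLE_RESPONSE = """\
< HTTP/1.1 200 OK
< Date: Wed, 09 Apr 2025 09:15:35 GMT
< Content-Type: application/zip
< Content-Length: 136569131
< Connection: keep-alive
< last-modified: Fri, 24 Jan 2025 12:46:56 GMT
"""


def parse_headers(curl_output):
    """Turn '< Name: value' lines into a lower-cased header dict (status line skipped)."""
    headers = {}
    for line in curl_output.splitlines():
        line = line.lstrip("< ").strip()
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def send_to_icap(headers):
    """response.header.Content-Length.as_number=104857600.. -> icap_service(no).
    Without a Content-Length the proxy cannot know the size, so it must send."""
    length = headers.get("content-length", "")
    return not (length.isdigit() and int(length) >= MAX_SCAN_BYTES)


def icap_error_action(error_code, user_groups):
    """[ICAP Error Actions] layer: bypass group may pass the size error, all else denied."""
    if error_code == "max_file_size_exceeded" and BYPASS_GROUP in user_groups:
        return "Allow"
    return "force_exception"  # response.icap.error_code=(any) force_exception()


def evaluate(curl_output, actual_bytes, user_groups=()):
    """End-to-end decision plus the number of bytes that actually reach CAS (assumed model)."""
    if not send_to_icap(parse_headers(curl_output)):
        return {"sent_to_cas": 0, "icap_error": None, "action": "not_scanned"}
    # CAS stops at the limit and raises the error; only the first 100MB are streamed
    sent = min(actual_bytes, MAX_SCAN_BYTES)
    error = "max_file_size_exceeded" if actual_bytes > MAX_SCAN_BYTES else None
    action = icap_error_action(error, user_groups) if error else "Allow"
    return {"sent_to_cas": sent, "icap_error": error, "action": action}
```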