(Available in Advanced Security Module in EFT Enterprise) The Content Integrity Control Action is used to send a file to an antivirus or data loss prevention scanner for processing. When this Action is added, a file that triggers the Event Rule is sent to an ICAP server for scanning. When the file passes the scan, other Actions can occur, such as moving the file to another location. If the file fails the scan, processing can stop, or other Actions can occur, such as sending an email notification.
You can create a custom CIC profile as you need it, as described below. To create reusable profiles, refer to Content Integrity Control Tab of a Server. See also Sending Files to an Antivirus or DLP Server.
Using the CIC Action with encrypted files will not return an accurate result. Copy/move the files to a folder that is not encrypted to process with the ICAP server.
To scan a file using the Content Integrity Control Action
Create a new Event Rule.
Add relevant Conditions.
Add the Content Integrity Control Action.
In the Action, click either of the underlined/linked items. The Content Integrity Control dialog box appears.
Select a predefined profile, or define the properties for a custom CIC profile as described below.
CIC profile - If you are using a defined profile, click the drop-down list to select it; otherwise, select <Custom>.
File Path - Physical location of the file to send to the ICAP server; %FS.PATH% is the default. You can specify another variable or drive and UNC paths. Wildcards are unsupported.
% - Click the drop-down list if you want to specify other context variables.
Host, Path, Port - These settings depend on settings in the antivirus or DLP (ICAP) server.
The Host field cannot be blank.
By default, the port is set to 1344.
Mode - Specify one of the following:
Request modification (REQMOD) - Request modification mode: Embeds file contents in an HTTP PUT request body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded request, or a new HTTP response. The ICAP response will depend on your ICAP server’s implementation.
Response modification (RESPMOD) - Response modification mode: Embeds file contents in an HTTP 200 OK response body, which is then sent in the body of an ICAP request to the server. The ICAP server may respond with a modified version of the embedded response. The ICAP response will depend on your ICAP server’s implementation.
Limit scans to first - (Optional) Specify the number of bytes to scan. Some antivirus solutions only require a subset of a file's contents to test against their database of malware signatures. To keep from transferring large files in their entirety when we only need the first X bytes, you can specify how many bytes are sent to the ICAP server. When this check box is cleared, the entire file is transferred to the ICAP server. If the file is smaller than the Max scan size, the entire file will be transferred for scanning.
Test Connection - After you specify the connection to the ICAP server, test the connection. If the connection fails, verify that these settings match the settings defined in the antivirus or DLP solution.
Text in ICAP response headers - (Optional) Specify text to search for in the ICAP response header.
Text in ICAP response body - (Optional) Specify text to search for in the ICAP response body text.
Treat any violation as non-blocking (audit and continue) - Leave this check box cleared if you want violations to stop processing.
Always audit these ICAP response "X-" headers - (Optional) Specify "X-" headers for auditing using ARM. If this option is enabled and no "X-" headers are specified, all "X-" headers will be audited. Use semicolons between multiple items. Note this check box only affects whether the specified headers are audited by ARM, regardless of success or failure.
Click OK to save the changes in the Event Rule. The name of the profile appears in the Event Rule Action.
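The following sketch is an added example, not EFT or Globalscape code. It shows what the Mode, Limit scans to first, response text, and "X-" header settings above correspond to on the wire under ICAP (RFC 3507). The host scanner.example, the service name avscan, the embedded Host eft.example, and the sample response are constructed, and treating a text match as a violation is an assumption of the sketch.

```python
from urllib.parse import quote

# Added illustration of ICAP framing (RFC 3507); not Globalscape code.
def build_icap(mode, host, service, name, data, limit=None, port=1344):
    """Build the raw ICAP request carrying `data` in REQMOD or RESPMOD mode."""
    if limit is not None:
        data = data[:limit]  # "Limit scans to first": only the leading bytes are sent
    if mode == "REQMOD":     # file is the body of an embedded HTTP PUT request
        http = (f"PUT /{quote(name)} HTTP/1.1\r\nHost: eft.example\r\n"  # constructed origin
                f"Content-Length: {len(data)}\r\n\r\n")
        hdr, body = "req-hdr", "req-body"
    elif mode == "RESPMOD":  # file is the body of an embedded HTTP 200 OK response
        http = f"HTTP/1.1 200 OK\r\nContent-Length: {len(data)}\r\n\r\n"
        hdr, body = "res-hdr", "res-body"
    else:
        raise ValueError(f"unknown ICAP mode: {mode}")
    http = http.encode("latin-1")
    # Encapsulated lists the byte offset of each embedded section
    icap = (f"{mode} icap://{host}:{port}/{service} ICAP/1.0\r\nHost: {host}\r\n"
            f"Encapsulated: {hdr}=0, {body}={len(http)}\r\n\r\n").encode("latin-1")
    # The embedded body is sent chunked and ends with a zero-length chunk
    chunk = f"{len(data):x}\r\n".encode() + data + b"\r\n" if data else b""
    return icap + http + chunk + b"0\r\n\r\n"

def evaluate(raw, header_text="", body_text="", audit=""):
    """Return (ICAP status, violation flag, audited X- headers) for a raw response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip(): v.strip() for k, v in
               (line.split(":", 1) for line in lines[1:] if ":" in line)}
    # Assumption of this sketch: finding the configured text means a violation
    violation = bool((header_text and header_text.encode() in head) or
                     (body_text and body_text.encode() in body))
    # Semicolon-separated list; an empty list audits every X- header
    wanted = {h.strip().lower() for h in audit.split(";") if h.strip()}
    audited = {k: v for k, v in headers.items()
               if k.lower().startswith("x-") and (not wanted or k.lower() in wanted)}
    return status, violation, audited

# Constructed sample response, not captured from a real scanner
SAMPLE = (b'ICAP/1.0 200 OK\r\nISTag: "demo-1"\r\n'
          b"X-Infection-Found: Type=0; Resolution=2; Threat=TEST;\r\n"
          b"X-Demo-Scanner: constructed\r\nEncapsulated: res-hdr=0, res-body=45\r\n\r\n"
          b"HTTP/1.1 403 Forbidden\r\nContent-Length: 7\r\n\r\n7\r\nBLOCKED\r\n0\r\n\r\n")
```

Printing the result of `build_icap("REQMOD", ...)` next to the RESPMOD variant shows that only the embedded HTTP wrapper and the Encapsulated labels differ; the file bytes and chunking are the same.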