Forum Discussion

GGoran_276252
Jul 20, 2016

F5 with Symantec external antivirus (ICAP protocol)

Hi, first time asking a question here. We're trying to set up an F5 ASM to forward files to an external antivirus (Symantec Protection Engine for Cloud Services) for scanning over the ICAP protocol. There were minor problems which we resolved, but now we see a problem with F5 not generating a response page when a file is malicious. Under Application Security > Blocking > Response Pages we have selected a default response page. Maybe this should be customized? How?

Also, under Event Logging, for events where a virus file is detected and deleted by Symantec AV, we see Response Code N/A. Shouldn't we see an HTTP response code 403 indicating that a virus was detected? Based on this response code, should we then be able to customize the response page?

Some insight would be helpful, please.

Regards, Goran

19 Replies

  • A simple starter: have you checked your ASM policy blocking settings? Do you have the "block" flag ticked for "Virus detected"?


    • GGoran_276252

      Yes, ASM is in blocking mode. We tried with a Transparent policy, but it didn't block files, only logged them with response 200 (OK), so we had to change it to a Blocking policy. I should add that it successfully removes the file from the attachment, but it doesn't give the user any notification of this. The user only gets the usual "message sent" message, and we'd like it to notify the user about a problem with the file.


    • Hannes_Rapp_162

      Alright, do you have an ICAP response header in place? For reference, check here for a similar ICAP setup with another vendor: https://devcentral.f5.com/s/feed/0D51T00006j4c31SAA


    • GGoran_276252

      We changed the virus_header_name to X-Violations-Found and icap_uri to /symcscanreq-av-url, as the default values are for McAfee.

      Not sure if you meant anything else by it?


  • This might help: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/37.html


    • GGoran_276252

      Hi, thanks for your answer. Maybe it isn't clear from my first post, but we managed to get antivirus checking working on Symantec and blocking on F5. So we have the basic functionality of the system.

      What we would like to achieve is that when a virus is blocked, F5 generates a blocking response page for the end user. How to do this is unclear to us.

      When a virus is blocked, this is considered a security violation on F5. How can we use this violation to trigger a response page for the user? Maybe it's unimportant, but we're missing the Response Status Code, which is set to N/A.

      Policy in blocking mode (EICAR test virus uploaded):

      Policy in transparent mode (response code 200 OK, same file uploaded):

      I've looked over the F5 Guide for the blocking response page, and it just states that we can use default or customized response pages. I've checked this Guide

      Also, do we need to use iRules for this? I'd be happier without them :)

      Regards, Goran


    • boneyard

      In principle this should just work: if an ASM policy is violated then that page is shown, if you didn't make any extreme changes. Do you get the blocking page when you violate something else?

      Your whole policy might be in blocking, but what about the specific "Virus detected" setting?

      This is set in the Blocking section up to 11.6 and (which took me some time to find) from 12.0 here:

      Security ›› Application Security : Policy Building : Learning and Blocking Settings

    • GGoran_276252

      Hi there, we have never seen a blocking page kicking in (even for critical events, there was just no need for alerting users about it). No extreme changes were made to the configuration. Is it supposed to show up for any policy violation once turned on? What could be the reason for it not showing up; maybe it is never triggered? Is there more to this in terms of configuring more options?

      The "Virus detected" setting is checked for all three options (Learn, Alarm and Block), and the policy is indeed in Blocking mode (1st picture in the comment I made above). The F5 Guide states that for "Virus detected" we should check only Alarm or Alarm and Block. Maybe this is the reason for not triggering the blocking response page, although it would be a bit strange?

      I don't have access to our customer's site over the weekend, but I could re-check this on Monday and report back here.


  • Hi, and sorry for that. I am trying to connect ASM with Symantec but with no luck. Could you please give the settings?


    • GGoran_276252

      Hi, you need to change these values, because the default values are for McAfee AV scanners. Change virus_header_name to X-Violations-Found and icap_uri to /symcscanreq-av-url.
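As an added example (not code from the thread, F5 or Symantec), this Python sketch shows what the two settings in the answer above mean on the wire: the ICAP request goes to the configured icap_uri, and the scanner's verdict is read back from the configured virus_header_name rather than from an HTTP status code. The ICAP host name and the two sample scanner replies are constructed for illustration.

```python
# Added example (not F5's or Symantec's code): a minimal ICAP (RFC 3507) request
# builder and response parser; the URI and header name are the thread's values.
ICAP_URI = "/symcscanreq-av-url"      # icap_uri from the thread
VIRUS_HEADER = "X-Violations-Found"   # virus_header_name from the thread

def build_reqmod(icap_host, http_request, body):
    """Wrap an HTTP request (header text + body bytes) in an ICAP REQMOD request."""
    hdr = http_request.encode()
    # Encapsulated says where the HTTP header ends and the chunked body starts.
    icap_head = (
        f"REQMOD icap://{icap_host}{ICAP_URI} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"Encapsulated: req-hdr=0, req-body={len(hdr)}\r\n\r\n"
    ).encode()
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    return icap_head + hdr + chunked

def parse_icap_response(raw):
    """Return (status_code, headers) from the ICAP head; header names are lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:      # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return status, headers

def scan_verdict(raw, virus_header=VIRUS_HEADER):
    """Classify a scanner reply: the verdict is carried by the configured header,
    not by an HTTP status code, so the ICAP client decides what the user sees."""
    status, headers = parse_icap_response(raw)
    if status not in (200, 204):
        return "error", f"ICAP status {status}"
    detail = headers.get(virus_header.lower())
    return ("infected", detail) if detail is not None else ("clean", None)

# Constructed sample replies (not captured from a real scanner).
INFECTED_REPLY = (b"ICAP/1.0 200 OK\r\nISTag: \"constructed\"\r\n"
                  b"X-Violations-Found: 1\r\n\tEICAR-Test-File\r\n"
                  b"Encapsulated: null-body=0\r\n\r\n")
CLEAN_REPLY = b"ICAP/1.0 204 No Modifications Needed\r\nISTag: \"constructed\"\r\n\r\n"

if __name__ == "__main__":
    print(scan_verdict(INFECTED_REPLY), scan_verdict(CLEAN_REPLY))
```

Changing virus_header_name only changes which header scan_verdict looks for; a scanner that reports its finding under a different name would make every file look clean, which is the failure mode the McAfee defaults would cause against Symantec.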