Operational Intelligence for MFT

Axway SecureTransport Anti-virus/DLP Scanning: Part 1

Axway SecureTransport is Axway’s enterprise-class hub (MFT) solution for secure file transfer.

SecureTransport allows organizations to control and manage the transfer of files inside and outside of the corporate firewall in support of mission-critical business processes while satisfying policy and regulatory compliance requirements.

To meet your security requirements, SecureTransport can be configured to invoke third-party anti-virus (AV) and Data Loss Prevention (DLP) solutions via an ICAP connection to ensure that virus-infected files will not be allowed into (or out of) your environment and that sensitive information are not sent outside of your organization.

SecureTransport and more

Antivirus scanning is available when SecureTransport is deployed on-premise, in your private or public cloud, and is also an available option with Axway Cloud MFT Service.

The purpose

The purpose of this multi-part blog is to help prospective customers, current customers, consulting resources, and fellow architects understand these capabilities in SecureTransport and how they are configured. I will largely focus on AV scanning, but the configuration and solution behaviors are the same for DLP.

In this first installment of the series, we will cover the capabilities of SecureTransport ICAP integration with third-party Antivirus and DLP software and some details on its configuration.

The second installment will provide details on a simple way to validate and demonstrate that the AV scanning is enabled and working properly.

The third installment will discuss an approach for handling encrypted files, specifically PGP files, for which AV scanning cannot detect a virus without the file being decrypted first.

Detailed configuration instructions for configuring ICAP engines in SecureTransport are provided in the SecureTransport Administrators Guide available here. This blog is not intended to replace the documentation.

How it works

SecureTransport integrates with a third-party Antivirus or DLP server via the ICAP protocol. SecureTransport can be configured to scan incoming files to SecureTransport, outgoing files from SecureTransport, or both. Additionally, various filters can be applied to restrict what files are being scanned.

It is possible to set up multiple ICAP server configurations each with different filter settings to provide granular control of what files will be scanned.

Note that if a particular file matches the criteria for more than one ICAP server, then scanning will be performed for each match in no particular order. However, if a file fails a scan then it will be deleted and removed upon the first unsuccessful scan.

Incoming file transfers are file uploads, AdHoc message creation, and Server-initiated pulls (for example from a Transfer Site or Folder Monitor).

Outgoing file transfers are file downloads, reading of AdHoc messages, and Server-initiated pushes (for example in the Advanced Router step: Send to Partner or Publish to Account).

In the following diagram, step two shows when an Incoming scan would be performed, step four shows where an outgoing scan would be performed, and the scan would occur in both places if the ICAP Server scan type is set to BOTH.

It is important to understand your use cases so that you can adjust the SecureTransport ICAP settings and filters so that redundant or unnecessary scans are not performed.

Anti-virus software test files

To test an AV solution, we must first have a file that will be identified as a virus by our AV software. Fortunately, the European Institute for Computer Antivirus Research (EICAR) has created a file that most AV software will recognize as a virus named eicar.com.

They have also provided this file with a txt extension and in a single level and two-level Zip file to test these variations. Note that even though your AV software may identify these files as a virus and quarantine them, it is not a real virus and will not spread.

It is a 68-character string that the various AV companies have agreed to recognize as a virus signature for testing purposes.

For testing purposes, I downloaded these files from here directly to a Linux server. If you try to download them to your desktop, your corporate AV software may automatically quarantine them. If you have the proper authority, you may be able to temporarily disable your desktop scanning.

The following command can be used to download the virus test file eicar.com using the HTTPS protocol via curl:
curl https://secure.eicar.org/eicar.com –output eicar.com

Download the other test files eicar.com.txt, eicar_com.zip, and eicarcom2.zip by substituting their names in the curl command.

Anti-virus software configuration

Axway SecureTransport (version 5.5) has been tested with the following AV and DLP software but any ICAP compatible software should work.

The Axway and third-party software support section of the SecureTransport Administrators guide located on the Axway documentation site lists the latest tested software.

Software Type Version Details
Symantec DLP DLP 15
McAfee\e DLP DLP 11.4
Symantec Protection Engine for NAS AV 8.1 AVSCAN and AVSCANREQ are supported
McAfee Web Gateway AV

For the examples in this blog, I will be using Symantec Protection Engine AV software version 8.1.
The anti-virus software must be configured to scan for viruses but not to attempt to repair the file if a virus is found. SecureTransport has no mechanism for consuming a repaired file.

Compressed files

Most AV software will also allow you to control whether Zip files are scanned, how many levels deep they are scanned, and how many files within the Zip file are scanned. This capability and its configuration are specific to the third-party AV software you are using.

In this example, we have configured Symantec Protection Engine to scan Zip files down to two levels deep and extract up to six files. This will allow us to test the one and two-level deep compressed test files.

SecureTransport ICAP configuration

First, verify that the ICAPScan package is enabled. In SecureTransport, under Settings, click on TM Settings and search for ICAP. Enable the ICAPScan package.

In SecureTransport, under Settings, click on ICAP Settings and add an ICAP Server if not already configured. Multiple ICAP servers can be configured: there is no limitation. Scanning is performed only by ICAP servers which are enabled.

There is no prioritization — all the servers will be used for scanning files and messages. If a server along the chain returns a negative result from scanning — the transfer will be denied.

A good use case for having multiple ICAP server configurations is you may specify different criteria on when the scanning will be invoked in each configuration. AVSCAN_ICAP1 may be set up to scan only Incoming files when the source protocol is “HTTP” and AVSCAN_ICAP2 may be set up to scan only Outgoing files when a particular flow attribute has been set.

Note that the ICAP server could be the same ICAP server URL — we are just invoking it under different conditions. You would want to be careful though to adjust the ICAP server configuration not to redundantly scan the same file for performance or cost reasons.

You may also have separate ICAP AV and DLP servers and this would also require separate ICAP server configurations.

Basic ICAP settings
• ICAP Server Name
A unique, meaningful name of your choice.
• ICAP server Type
• INCOMING – scanning will be performed by this ICAP server for all Incoming transfers: File upload, AdHoc message creation, Server-initiated pull (for example from a Transfer Site or Folder Monitor)
• OUTGOING – scanning will be performed by this ICAP server for all Outgoing transfers: File download, reading of an AdHoc message, Server-initiated push (for example in the Advanced Router step: Send to Partner or Publish to Account)
• BOTH – scanning will be performed for both inbound and outbound transfers
Enter the ICAP URL in the following format:
The servicename can be the same as the mode of operation – REQMOD or RESPMOD, or something custom and vendor-specific.
For the exact servicename, refer to the Data Loss Prevention (DLP) or Anti-virus (AV) documentation.
The default non-secure ICAP port is 1344 and the default secure ICAP port is 11344.
For Symantec, the ICAP URL I used was:
icap://dlpav-adress:1344/AVSCAN (AVSCANREQ is also supported)
o Use Secure ICAP connection for a secure connection to the ICAP server.
o Select Verify certificate to use certificate verification to secure the connection to the ICAP server.
o Select Enable FIPS Transfer Mode to enable transfers to the ICAP server to be in accordance with the Federal Information Processing Standard (FIPS).
Note: Verify certificate and Enable FIPS Transfer Mode can be selected together or individually depending on the level of security needed for the ICAP server connection.
• Max file size (MB)
The default maximum file size is 10 MB. If the actual file size is larger than the maximum file size, SecureTransport will not send the file to the ICAP server for scanning. In general, the default size should catch the vast majority of viruses that are detectable as virus files typically spread in smaller files.
• Preview Size (KB)
The default preview size is 10 KB. If the ICAP server requires more data, SecureTransport will send it up to the maximum configured file size.

Check with your ICAP vendor on their recommended preview size. This typically serves as a “quick scan” where the AV vendor will compare known virus signatures against the specified Preview Size to quickly trap common viruses.
• Deny file transfer on connection error
If checked, file transfers will be denied if the ICAP server is unreachable so be careful with this setting.
• Enable e-mail notifications on ICAP error
If checked, notification emails will be sent to the specified email address if there is a connection failure to the ICAP server.
• Enable e-mail notifications on ICAP denied
If checked, notification emails will be sent to the specified email address if the file is denied (fails the AV scan) by the ICAP server.
• ICAP scan filtering settings
The settings in this section allow you to control exactly when ICAP scanning will be performed. I will discuss these settings in detail.
• Advanced connection settings
These settings control the connection to the ICAP server including timeouts, retry attempts, retry delay, and enabled ciphers if the ICAP connection is TLS enabled.
• Advanced ICAP settings
o Stop Transfers on Modify or Not Handled
Choose whether or not to stop the transfer if ICAP server returns a MODIFY result or an unhandled status.

o Treat Modify as Block
SecureTransport cannot handle payloads that have been modified by an ICAP server so in most cases it makes sense to have one or both of these options checked but experiment and adjust as needed.

ICAP scan filtering settings
The settings in this section allow you to control exactly when ICAP scanning will be performed.

• Scan Policy Expression
When you select the Scan Policy Expression checkbox, the text box field allows you to enter an expression using SecureTransport Expression Language. If both settings are disabled, scanning will always be performed (contingent upon other settings in the ICAP Server configuration).

Sample usage — do not scan if the transfer is taking place over SSH protocol:
${session.protocol ne ‘ssh’}

Another example…
Another example would be to only perform the scanning for flows for which a custom flow attribute has been defined and set. The following expression would only perform the scanning if the flow attribute “performAVScan” has been set to “Yes.”

${flow.attributes.userVars.performAVScan eq ‘Yes’}

The flow attribute is set at the time the subscription is created in SecureTransport under the user account:

Another example would be to set a custom attribute at the user account level under Additional Attributes which also could be used similarly in the Scan Policy Settings.

Refer to the SecureTransport Administration Guide for the complete list of available expressions.

• Perform scanning only if there is a partner recipient
This setting is only applicable to AdHoc transfers. Refer to the SecureTransport Administration Guide for details.

• Scan without BU
When checked, ICAP scanning will be enabled for user accounts with no Business Unit assigned.

• Ignored File Types
Enter a list of file extensions, separated by commas. Files with these extensions will not be scanned.

As of the time of this blog, there is a little glitch in the UI — when Scan Policy Expression has checked the Scan Without BU and Ignored File Types can’t be selected or edited.

The temporary workaround is to follow this sequence: uncheck Scan Policy Expression, check Scan Without BU if desired, edit the Ignored File Types if desired, check Scan Policy Expression and enter the desired scan expression and then all options can be used concurrently as shown below.

All the settings under ICAP server configuration work concurrently and each parameter can be considered as ANDed to every other parameter.

For example, if you have the ICAP Server Type parameter set to “INCOMING” and the Ignored File Types set to “pgp, asc” and the Scan Policy Expression set to ${flow.attributes.userVars.performAVScan eq ‘Yes’} then scanning will only be performed on Incoming files where the file extension is not pgp or asc and a Flow attribute performAVScan has been created and set to “Yes.” If any of these conditions are not met then scanning will not be performed.

And remember you can create multiple ICAP Server configurations each with different criteria. A file will be scanned by each ICAP Server whose configuration and filter settings are met in no particular order until a scan fails and then the file is rejected.

In our next installment, we will cover a simple way to validate that AV scanning is working.

Learn more about Axway Managed File Transfer.