Configuration Parameters

In this section

Component Parameters

Rules for Traffic Monitoring and Blocking of Access

The component uses configuration parameters which can be found in the [ICAPD] section of the integrated configuration file of Dr.Web for UNIX Internet Gateways.

Component Parameters

The section contains the following parameters:

Parameter

Description

LogLevel

{logging level}

Logging level of the component.

If the parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Executable path to the component.

Default value: <opt_dir>/bin/drweb-icapd.

For GNU/Linux: /opt/drweb.com/bin/drweb-icapd.

For FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-icapd

RunAsUser

{UID | user name}

The parameter determines the user on behalf of which user the component shoud be run. You can specify either the user's UID or login. If the login consists of numbers and cannot be distinguished fro, the UID, it is preceded with the “name:” prefix, for example: RunAsUser = name:123456.

If the username is not specified, the component terminates with an error after the startup.

Default value: drweb

Start

{Boolean}

Launch/do not launch the component by the Dr.Web ConfigD configuration daemon.

When you specify the Yes value for this parameter, it the configuration daemon will start the component immediately; and when you specify the No value, the configuration daemon will terminate the component immediately.

Default value: No

DebugDumpIcap

{Boolean}

Include detailed ICAP messages into the log file on the debug level (i.e. when you set LogLevel = DEBUG).

Default value: No

ListenAddress

{network socket}

Specifies the network socket (IP address and port) on which Dr.Web ICAPD listens for connections from HTTP proxy servers.

Default value: 127.0.0.1:1344

UsePreview

{Boolean}

Enable/disable the ICAP preview mode.

Do not change the default value of this parameter, unless it is necessary.

Default value: Yes

Use204

{Boolean}

Return the response code 204 if ICAP preview mode is not enabled.

Do not change the default value of this parameter, unless it is necessary.

Default value: Yes

AllowEarlyResponse

{Boolean}

Enable the ICAP early response mode, i.e. allow Dr.Web ICAPD to send the response to the client before the entire request has been received from the HTTP proxy server.

Do not change the default value of this parameter, unless it is necessary.

Default value: Yes

TemplatesDir

{path to directory}

Path to the directory that contains the templates for the HTML notifications sent upon blocking a web resource.

Default value: <var_dir>/templates/icapd.

For GNU/Linux: /var/opt/drweb.com/templates/icapd.

For FreeBSD: /var/drweb.com/templates/icapd

Whitelist

{domain list}

White list of domains. The domains (as well as their subdomains) included in this list will always be accessible to users even if included in unwanted resource list.

The values in the list must be separated with commas (each value in the quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add to the list of domains example.com and example.net.

1.Adding values to the configuration file.

Two values per line:

[ICAPD]
Whitelist = "example.com", "example.net"

Two lines (a value per line):

[ICAPD]
Whitelist = example.com
Whitelist = example.net

2.Adding values via the drweb-ctl cfset command:

# drweb-ctl cfset ICAPD.Whitelist -a example.com
# drweb-ctl cfset ICAPD.Whitelist -a example.net

Note

Actual usage of the domain list indicated in this parameter depends on the method of its usage in the management rules of access to web sources defined for Dr.Web ICAPD.

The list of default rules (see below) guarantees that access to domains (and their sub domains) from this list will be provided even if it contains domains from the list of blocked web source categories. Besides, this default set of rules guarantees that data downloaded from the white list domains will be scanned for threats.

Default value: (not set)

Blacklist

{domain list}

Black list of domains. The domains (as well as their subdomains) included in this list will always be accessible to users even if included in unwanted resource list.

The values in the list are separated with commas (each value in the quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add to the list of domains example.com and example.net.

1.Adding values to the configuration file.

Two values in a line:

[ICAPD]
Blacklist = "example.com", "example.net"

Two lines (a value per line):

[ICAPD]
Blacklist = example.com
Blacklist = example.net

2.Adding values via the drweb-ctl cfset command:

# drweb-ctl cfset ICAPD.Blacklist -a example.com
# drweb-ctl cfset ICAPD.Blacklist -a example.net

Note

Actual usage of the domain list indicated in this parameter depends on the method of its usage in the management rules of access to web sources defined for Dr.Web ICAPD.

The list of default rules (see below) guarantees that access to domains (and their sub-domains) from this list will be always forbidden. If this domain is simultaneously added to the lists Whitelist and Blacklist, the default rules guarantee that user access to it will be blocked.

Default value: (not set)

Adlist

{list of strings}

A list of regular expressions that describe advertisement URLs: URL that matches any of the regular expressions listed here is considered to be an advertisement URL.

The values in the list must be separated with commas (each value in the quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add to the list the following expressions '.*ads.+' and '.*/ad/.*\.gif$'.

1.Adding values to the configuration file.

Two values in a line:

[ICAPD]
Adlist = ".*ads.+", ".*/ad/.*\.gif$"

Two lines (a value per line):

[ICAPD]
Adlist = .*ads.+
Adlist = .*/ad/.*\.gif$

2.Adding values via the drweb-ctl cfset command:

# drweb-ctl cfset ICAPD.Adlist -a '.*ads.+'
# drweb-ctl cfset ICAPD.Adlist -a '.*/ad/.*\.gif$'

Regular expressions are specified using either the POSIX syntax (BRE, ERE) or the Perl syntax (PCRE, PCRE2).

Note

Actual usage of the expression list indicated in this parameter depends on the method of its usage in the management rules of access to web sources defined for Dr.Web ICAPD.

The list of default rules (see below) guarantees that access to URL from this list will be always forbidden only if domains of these URLs are not in Whitelist.

Default value: (not set)

BlockInfectionSource

{Boolean}

Block connections attempts to websites containing malicious software (included into the InfectionSource category).

To activate blocking, the following rule should be added to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockNotRecommended

{Boolean}

Block connection attempts to non-recommended websites (included into the NotRecommended category).

To activate blocking, the following rule should be added to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockAdultContent

{Boolean}

Block connection attempts to websites containing adult content (included into the AdultContent category).

To activate blocking, the following rule should be added to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockViolence

{Boolean}

Block connection attempts to websites containing graphic violence (included into the Violence category).

To activate blocking, the following rule should be added to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockWeapons

{Boolean}

Block connection attempts to websites dedicated to weapons (included into the Weapons category).

To activate blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockGambling

{Boolean}

Block connection attempts to gambling websites (included into the Gambling category).

To activate blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockDrugs

{Boolean}

Block connection attempts to websites dedicated to drugs (included into the Drugs category).

To activate blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockObsceneLanguage

{Boolean}

Block connection attempts to websites containing obscene language (included into the ObsceneLanguage category).

To activate blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockChats

{Boolean}

Block connection attempts to chat websites (included into the Chats category).

To activate blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockTerrorism

{Boolean}

Block connection attempts to websites dedicated to terrorism (included into the Terrorism category).

To activate blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockFreeEmail

{Boolean}

Block connection attempts to websites of free email services (included into the FreeEmail category).

To activate blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockSocialNetworks

{Boolean}

Block connection attempts to social networking websites (included into the SocialNetworks category).

To enable blocking, the following rule should be added to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockDueToCopyrightNotice

{Boolean}

Block connection attempts to websites that were added according to copyright holder requests (included into the DueToCopyrightNotice category).

To enable blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockOnlineGames

{Boolean}

Block connection attempts to Online games websites (included into OnlineGames category).

To enable blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockAnonymizers

{Boolean}

Block connection attempts to anonymizers (included into Anonymizers category).

To enable blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockCryptocurrencyMiningPools

{Boolean}

Block connection attempts to websites providing an access to common services for cryptocurrencies mining (included into CryptocurrencyMiningPool category).

To enable blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockJobs

{Boolean}

Block connection attempts to job search websites (included into Jobs category).

To enable blocking, add the following rule to the settings (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

ScanTimeout

{time interval}

Time-out for scanning one file initiated by Dr.Web ICAPD.

Acceptable values: from 1 second (1s) to 1 hour (1h).

Default value: 30s

HeuristicAnalysis

{On | Off}

Enable/disable heuristic analysis for detection of unknown threats during. The use of heuristic analysis raises the level of protection, but increases the duration of scanning.

Action applied to threats detected by the heuristic analyzer is specified as the BlockSuspicious parameter value.

Allowed values:

On—enable heuristic analysis;

Off—disable heuristic analysis.

Default value: On

PackerMaxLevel

{integer}

Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects which may also include packed objects. etc. he value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects will not be scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

ArchiveMaxLevel

{integer}

Maximum nesting level for archives (zip, rar, and so on) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives will not be scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 0

MailMaxLevel

{integer}

Maximum nesting level for files of mailers (pst, tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 0

ContainerMaxLevel

{integer}

Maximum nesting level for other types of objects inside which other objects are enclosed (HTML pages, jar-files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

MaxCompressionRatio

{integer}

Maximum compression ratio of compressed/packed objects (ratio between the uncompressed size and the compressed size). If the ratio for an object exceeds the limit, this object is skipped during data scanning initiated by Dr.Web ICAPD.

The compression ratio must not be smaller than 2.

Default value: 500

BlockKnownVirus

{Boolean}

Block either incoming or outgoing data containing known threats.

To enable blocking, add the following rule to the settings (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockSuspicious

{Boolean}

Block either incoming or outgoing data containing unknown threats (detected by the heuristic analyzer).

To enable blocking, add the following rule to the settings (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockAdware

{Boolean}

Block either incoming or outgoing data containing adware.

To enable blocking, add the following rule to the settings (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockDialers

{Boolean}

Block either incoming or outgoing data containing dialer programs.

To enable blocking, add the following rule to the settings (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockJokes

{Boolean}

Block either incoming or outgoing data containing joke programs.

To enable blocking, add the following rule to the settings (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: No

BlockRiskware

{Boolean}

Block either incoming or outgoing data containing riskware.

To enable blocking, add the following rule to the settings (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: No

BlockHacktools

{Boolean}

Block either incoming or outgoing data containing hacktools.

To enable blocking, add the following rule to the settings (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: No

BlockUnchecked

{Boolean}

Block either incoming or outgoing data that cannot be scanned.

Default value: No

MessageHook

{path to file | Lua function}

Script for processing HTTP messages in Lua or path to the file containing the script (see the HTTP Messages Processing in Lua section).

If the Lua function or the file path are not specified, the messages will be processed in accordance with the rules. If the specified file is not available, the component launch will return an error.

Default value: Generated automatically. For default settings, the script looks as following:

local dw = require "drweb"
local cfg = require "drweb.config"
local dwl = require "drweb.lookup"
local rx = require "drweb.regex"

function message_hook(ctx)
  if ctx.direction == "request" then
    local url = ctx.request.url
    if url.in_list(cfg.blacklist) then
      return "block"
    end
    if not url.in_list(cfg.whitelist) then
      if rx.search(cfg.adlist, url) or rx.search(cfg.adlist, url.raw) then
          return "block"
      end
      if url.in_categories(cfg.block_url_categories) then
          return "block"
      end
    end
  end
  if ctx.body.has_threat{category = cfg.block_threats} then
    return "block"
  end
  if cfg.block_unchecked and ctx.body.scan_error then
    return "block"
  end
  return "pass"
end

Rules for Traffic Monitoring and Blocking of Access

In addition to the parameters listed above, section also contains seven sets of rules RuleSet* (RuleSet0, …, RuleSet6) which control directly traffic scanning and blocking of access of the users to web resources and blocking downloading content from the internet. For some values in conditions (for example, IP address ranges, lists of website categories, black and white lists of web sources, and so on), there is a substitution of values loaded from text files and also extracted from external data sources via LDAP (Dr.Web LookupD component is used). When configuring connections all rules are checked in the ascending order, until the rule containing the ultimate resolution is found. The gaps in the rule list are ignored.

The rules are described in detail in section Rules for Traffic Monitoring of Appendix D.

Viewing and editing the rules

For easy editing of the rules list gaps are left, i.e. RuleSet<i> sets that do not contain rules (<i>RuleSet rule set number). Note that you cannot add the items other than RuleSet<i>, but you can add and to remove any rule in any element of RuleSet<i>. Viewing and editing rules can be performed in any of the following ways:

by viewing and editing the configuration file configuration file (in any text editor) (note that this file stores only those parameters which value is different from the default ones);

via the web management interface (if installed).

via the command-line-based interface—Dr.Web Ctl (drweb-ctl cfshow and drweb-ctl cfset commands).

If you edited the rules and made changes in the configuration file, in order to apply these changes, restart Dr.Web for UNIX Internet Gateways. To do that, use the drweb-ctl reload command.

Use the drweb-ctl cfshow command to view rules.

To view the contents of the rules set ICAPD.RuleSet1, use the command:

# drweb-ctl cfshow ICAPD.RuleSet1

The use of the drweb-ctl cfset command to edit the rules (hereinafter the <rule>—text of the rule).

Replacing all the rules in a set ICAPD.RuleSet1 with a new rule:

# drweb-ctl cfset ICAPD.RuleSet1 '<rule>'

Adding a new rule to the rule set ICAPD.RuleSet1:

# drweb-ctl cfset -a ICAPD.RuleSet1 '<rule>'

Removing a specific rule from the set ICAPD.RuleSet1:

# drweb-ctl cfset -e ICAPD.RuleSet1 '<rule>'

Reset the rule set ICAPD.RuleSet1 to the default state:

# drweb-ctl cfset -r ICAPD.RuleSet1

When you use the drweb-ctl tool to edit the list of rules, enclose the text of your added rule into single or double quotes, and use backward slashes ('\') as escape characters before any double quotes within the text of the rule—if the text of the rule itself happens to contain double quotes.

It is important to remember the following storage features of rules in RuleSet<i> variables of the configuration:

The conditional part and colon can be omitted when adding unconditional rules. However, such rules are always stored in the list of rules as a string “ : <action>”;

When adding rules that contain several actions (such rules as '<condition> : <action 1><action 2>'), such rules will be modified into a chain of elementary rules '<condition> : <action 1>' and '<condition> : <action 2>'.

The logging or rules does not allow for disjunction (logical “OR”) of conditions in the conditional part, so, in order to implement the logical “OR”, log the chain of rules with each rule having a disjunct-condition in its condition.

To add an unconditional rule for skipping the connections (the Pass action) to the ICAPD.RuleSet1 set, you only need to execute the following command:

# drweb-ctl cfset -a ICAPD.RuleSet1 'Pass'

However, to remove this rule from the specified rule set, it is required to execute the following command:

# drweb-ctl cfset -e ICAPD.RuleSet1 ' : Pass'

To add the ICAPD.RuleSet1 rule to the rule set that changes a path to standard templates for connections from unresolved addresses and performs blocking, it is necessary to execute the following command:

# drweb-ctl cfset -a ICAPD.RuleSet1 'src_ip not in file("/etc/trusted_ip") : set http_template_dir = "mytemplates", Block'

However, this command will add two rules to the specified set, so, in order to remove them from the set of rules, you need to execute two following commands:

# drweb-ctl cfset -e ICAPD.RuleSet1 'src_ip not in file("/etc/trusted_ip") : set http_template_dir = "mytemplates"'
# drweb-ctl cfset -e ICAPD.RuleSet1 'src_ip not in file("/etc/trusted_ip") : Block'

To add to the ICAPD.RuleSet1 rule set such rule as “Block if a malicious object KnownVirus or URL from the category Terrorism are detected”, it is necessary to add the following two rules to this rule set:

# drweb-ctl cfset -a ICAPD.RuleSet1 'threat_category in (KnownVirus) : Block as _match'
# drweb-ctl cfset -a ICAPD.RuleSet1 'url_category in (Terrorism) : Block as _match'

To remove them from the set of rules, you also need to execute two commands, as it is shown in the example above.

Default set of rules

By default, the following sets of rules for blocking are specified:

RuleSet0 =
RuleSet1 = direction request, url_host in "ICAPD.Blacklist" : BLOCK as BlackList
RuleSet1 = direction request, url_host not in "ICAPD.Whitelist", url match "ICAPD.Adlist" : BLOCK as BlackList
RuleSet2 =
RuleSet3 = direction request, url_host not in "ICAPD.Whitelist", url_category in "ICAPD.BlockCategory" : BLOCK as _match
RuleSet4 =
RuleSet5 = threat_category in "ICAPD.BlockThreat" : BLOCK as _match
RuleSet6 =

The first two rules process outgoing HTTP connections: if a host (or a URL) to which a connection is attempted is included into the black list, the connection will be blocked on the black list basis, further scans are not performed. If a host (a URL) is not included into the white list and belongs to any website category marked as unwanted for access, or matches any of the regular expressions that describe advertisement URLs, then the connection is blocked because the URL belongs to an unwanted category.

The rule specified in the RuleSet5 scans the HTTP request or response for threats that belong to a threat category that must be blocked (according to the settings). If there are such threats, the connection will be blocked on the basis of detecting a threat. Note that because the direction condition is not specified, by default both client requests (request) and server responses (response) are checked.

Examples of Rules for Traffic Monitoring and Blocking of Access

1.Allow users with the IP addresses range 10.10.0.0–10.10.0.254 to access websites of all categories, except Chats:

src_ip in (10.10.0.0/24), url_category not in (Chats) : PASS

Note that if the rule:

url_host in "ICAPD.Blacklist" : BLOCK as BlackList

is allocated in the list of rules above the indicated rule, then access to domains from the black list, i.e. domains listed in the parameter ICAPD.Blacklist, will also be blocked for users with the range of IP addresses 10.10.0.0–10.10.0.254. And if this rule is allocated below, users with the range of IP addresses 10.10.0.0–10.10.0.254 will get access also to websites from the black list.

Due to the fact that the resolution PASS is terminal, no more rules are checked, therefore scanning of the downloaded data for viruses is not performed either. To grant users with the range of IP addresses 10.10.0.0–10.10.0.254 access to websites of all categories, except Chats if they are not in the black list, and to block download of threats at the same time, use the following rule:

url_category not in (Chats), url_host not in "ICAPD.Blacklist", threat_category not in "ICAPD.BlockCategory" : PASS

2.Do not perform scanning of contents of video files (i.e. data with the type MIME “video/*”, where * is any type of the MIME class video):

content_type in ("video/*") : PASS