Operating Principles

The Dr.Web ICAPD component uses the ICAP protocol (the Internet Content Adaptation Protocol described in RFC 3507) to interact with a proxy server that is external to Dr.Web for UNIX Internet Gateways and that handles HTTP/HTTPS connections from LAN hosts to web servers.

ICAP is a lightweight HTTP-like protocol. The client sends the ICAP server a request consisting of ICAP headers and the encapsulated HTTP request to be checked. In its response, the ICAP server returns the modified HTTP request and one or several headers.

The following request types (methods) are used in ICAP interaction:

REQMOD—for checking and modifying requests;

RESPMOD—for checking and modifying responses;

OPTIONS—for obtaining information on the connection with the ICAP server.

In REQMOD and RESPMOD requests the following headers are allowed:

X-Client-IP—the originating IP address of the client that sent the HTTP request;

X-Server-IP—the destination IP address of the HTTP request sent by the client;

X-Client-Username—the name of the client authenticated on the proxy server (specified as user or user@domain).

Responses to REQMOD and RESPMOD requests may include the following headers:

X-Response-Info—included in the response if the requested web resource belongs to a dangerous or unwanted category;

X-Infection-Found—information on viruses and other potentially dangerous or suspicious objects;

X-Virus-ID—the name of the detected virus;

X-Violations-Found—information on errors that occurred during the check.

 

The OPTIONS request may include the DrWeb-Get-Scan-Status header. If this header has the value Yes, the response returns information on the versions of the Dr.Web Scanning Engine, the Dr.Web Core Engine and the virus databases in use (see below).

The response to the OPTIONS request may include the following headers:
 

X-Allow-Out—the list of header fields that Dr.Web ICAPD may include in responses;

X-Include—the values of the headers retrieved from the previously received request;

DrWeb-Core-Engine—the version of Dr.Web Core Engine;

DrWeb-Scan-Engine—the version of Dr.Web Scan Engine;

DrWeb-Scan-Status—the status of the current scanning operation;

DrWeb-Database-Timestamp—the virus database timestamp;

DrWeb-Virus-Records—the number of records in the virus database.
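The exchange described above, as an added example in Python that is not part of Dr.Web's own code: a proxy-side ICAP client builds the OPTIONS and REQMOD requests with the headers listed here and classifies a reply by the headers Dr.Web ICAPD may return. The service path /reqmod, the host names and the sample reply bytes are constructed assumptions, not values taken from a real installation.

```python
CRLF = "\r\n"

def build_options(host, service="/reqmod"):
    """OPTIONS request; DrWeb-Get-Scan-Status: Yes asks for engine and base versions."""
    lines = [f"OPTIONS icap://{host}{service} ICAP/1.0", f"Host: {host}",
             "DrWeb-Get-Scan-Status: Yes", "", ""]
    return CRLF.join(lines).encode()

def build_reqmod(host, http_request, client_ip, server_ip, user, service="/reqmod"):
    """REQMOD request wrapping the HTTP request headers together with the
    client/server identification headers Dr.Web ICAPD accepts."""
    hdr_end = http_request.index(b"\r\n\r\n") + 4      # bytes of HTTP header section
    lines = [f"REQMOD icap://{host}{service} ICAP/1.0", f"Host: {host}",
             f"X-Client-IP: {client_ip}", f"X-Server-IP: {server_ip}",
             f"X-Client-Username: {user}",
             f"Encapsulated: req-hdr=0, null-body={hdr_end}", "", ""]
    return CRLF.join(lines).encode() + http_request[:hdr_end]

def parse_icap_response(raw):
    """Split an ICAP reply into status code, headers (names lower-cased) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode().split(CRLF)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(status_line.split()[1]), "headers": headers, "body": body}

def verdict(resp):
    """Proxy-side decision derived from the Dr.Web ICAPD response headers."""
    h = resp["headers"]
    if "x-violations-found" in h:
        return "error"      # the check itself failed; the block page is served
    if "x-infection-found" in h or "x-virus-id" in h:
        return "infected"   # a threat was found in the transferred object
    if "x-response-info" in h:
        return "unwanted"   # resource belongs to a dangerous/unwanted category
    return "clean"

# Constructed RESPMOD reply for a detected threat (not captured from a real server).
SAMPLE_REPLY = (b"ICAP/1.0 200 OK\r\nISTag: \"constructed\"\r\n"
                b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
                b"X-Virus-ID: EICAR-Test-File\r\n"
                b"Encapsulated: res-hdr=0, res-body=120\r\n\r\n<block page>")
```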

 
Dr.Web ICAPD may filter web content and block access to potentially dangerous and unwanted web resources. If the user requests an unwanted resource, a block page generated from the template is returned. The page states the reason for the blocking. The block page is also returned when Dr.Web ICAPD detects an error or when an error occurs while checking the data.

To check whether a URL belongs to one of the categories, the component not only uses the database of web resource categories, which is updated regularly from the Doctor Web update servers, but also refers to the Dr.Web Cloud service. Doctor Web keeps track of the following web resource categories:

InfectionSource—websites containing malicious software (“infection sources”).

NotRecommended—fraudulent websites (that use “social engineering”) which are not recommended for visiting.

AdultContent—websites that contain pornographic or erotic materials, dating sites, and so on.

Violence—websites that encourage violence or contain materials about various fatal accidents, and so on.

Weapons—websites that describe weapons and explosives or provide information on their manufacturing.

Gambling—websites that provide access to online games of chance, casinos, auctions, including sites for placing bets, and so on.

Drugs—websites that promote use, production or distribution of drugs, and so on.

ObsceneLanguage—websites that contain the obscene language (in titles, articles, and so on).

Chats—websites that offer a real-time transmission of text messages.

Terrorism—websites that contain aggressive and propaganda materials or terroristic attacks descriptions, and so on.

FreeEmail—websites that offer the possibility of free registration of an email.

SocialNetworks—different social networking services: general, professional, corporate, interest-based; thematic dating sites.

DueToCopyrightNotice—websites listed at the request of the copyright holders of some copyrighted work (movies, music, and so on).

OnlineGames—websites that provide access to games requiring a permanent Internet connection.

Anonymizers—websites that allow the user to hide personal information and provide access to blocked web resources.

CryptocurrencyMiningPool—websites that provide access to shared cryptocurrency mining services.

Jobs—job search websites.

In the settings, the system administrator specifies the categories of web resources that users should not access. It is also possible to configure custom black lists to block access to specific web resources, and white lists to allow access to them. Access to web resources on a white list is allowed even if they belong to unwanted categories. If there is no information about a URL in the local black lists or the local database of web resource categories, the component queries the Dr.Web Cloud service to check whether any information about the maliciousness of the URL is available. Such information is collected from other Dr.Web products in real time.

One and the same website can belong simultaneously to several categories. User access to such a website will be blocked if at least one category to which the website belongs has been set as unwanted by the administrator.

 

Even if a website is included in the white list by the administrator, the data sent to and downloaded from that website is still scanned for threats.
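The access decision described in the preceding paragraphs, as an added example in Python that is not Dr.Web's own code: the white list, black list, unwanted categories and local category data are modelled as plain sets with constructed values, the cloud query is a stand-in function, and checking the white list before the black list is an assumption of this example rather than documented behaviour.

```python
from urllib.parse import urlsplit

# Administrator settings, modelled as plain sets (constructed values).
UNWANTED = {"InfectionSource", "NotRecommended", "Anonymizers", "CryptocurrencyMiningPool"}
WHITE_LIST = {"intranet.example"}
BLACK_LIST = {"forbidden.example"}
# Stand-in for the local web resource category database; a host may be in
# several categories at once.
LOCAL_CATEGORIES = {"mixed.example": {"Jobs", "Anonymizers"}, "jobs.example": {"Jobs"}}

def cloud_lookup(host):
    """Stand-in for the Dr.Web Cloud query made when local data has no entry."""
    return {"CryptocurrencyMiningPool"} if host == "pool.example" else set()

def decide(url, unwanted=UNWANTED):
    """Return (action, reason) for a requested URL. Allowed transfers are
    still scanned for threats, including white-listed ones."""
    host = urlsplit(url).hostname
    if host in WHITE_LIST:           # white list wins over any category
        return "allow", "white list"
    if host in BLACK_LIST:
        return "block", "black list"
    cats = LOCAL_CATEGORIES.get(host)
    if cats is None:                 # nothing known locally: ask the cloud
        cats = cloud_lookup(host)
    hit = cats & unwanted
    if hit:                          # one unwanted category is enough
        return "block", "category " + ",".join(sorted(hit))
    return "allow", "no unwanted category"
```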

 

Because of how the ICAP protocol works, scanning large amounts of data (.iso images, large archives, video files, and so on) can take a long time. It is recommended that you configure restrictions according to the MIME type of the data to be scanned. It is also recommended that you restrict, in the HTTP proxy server settings, the maximum size of data that may be sent for scanning via the ICAP protocol (see the example for the Squid proxy server).

The Dr.Web Updater component regularly and automatically updates the databases of web resource categories from the Doctor Web update servers. The same component updates the virus databases for the Dr.Web Scanning Engine. The Dr.Web CloudD component handles queries to the Dr.Web Cloud service (use of the cloud service is configured in the common settings, see the Appendixes, and can be disabled if necessary). To scan transferred data, Dr.Web ICAPD uses the Dr.Web Network Checker component, which in turn initiates scanning via the Dr.Web Scanning Engine.

To block or pass HTTP requests and responses, the Dr.Web ICAPD component can use built-in rules as well as a Lua script.

See the Integration with Squid Proxy Server section for information about integrating Dr.Web ICAPD with an HTTP proxy server.