Operating Principles
The Dr.Web ICAPD component uses the ICAP protocol (the Internet Content Adaptation Protocol described in RFC 3507) to interact with a proxy server, which is external with respect to Dr.Web Gateway Security Suite and which handles HTTP/HTTPS connections of LAN hosts to web servers. ICAP is a lightweight HTTP-like protocol. A client sends a request consisting of headers and an encapsulated HTTP request to be scanned to an ICAP server. The ICAP server returns the modified encapsulated HTTP request and one or several headers in its response.

The following request types (methods) are used for interaction via ICAP:
• REQMOD—to verify and modify requests;
• RESPMOD—to verify and modify responses;
• OPTIONS—to obtain information about ICAP server connection parameters.

REQMOD and RESPMOD requests use the following headers:
• X-Client-IP—IP address from which the HTTP request being scanned was sent;
• X-Server-IP—destination IP address of the HTTP request being scanned;
• X-Client-Username—name of the client authenticated on the proxy server (specified as user or user@domain).

REQMOD and RESPMOD responses use the following headers:
• X-Response-Info is included in the response if the requested web resource belongs to an unwanted or potentially dangerous category. It always has the value Blocked.
• X-Infection-Found contains information about the presence of viruses and other unwanted or potentially dangerous objects.
• X-Virus-ID contains the name of the detected threat.
• X-Violations-Found contains information about errors that occurred during scanning.

The OPTIONS request may include the DrWeb-Get-Scan-Status header. If this header has the value Yes, information about the versions of Dr.Web Virus-Finding Engine, Dr.Web Scanning Engine and the virus databases is returned in the response (see below).
The OPTIONS response includes the following headers:
• X-Allow-Out—list of header fields that Dr.Web ICAPD may include in responses;
• X-Include—values of the headers retrieved from a previously received request;
• DrWeb-Core-Engine—version of Dr.Web Virus-Finding Engine;
• DrWeb-Scan-Engine—version of Dr.Web Scanning Engine;
• DrWeb-Scan-Status—status of the current scanning operation;
• DrWeb-Database-Timestamp—virus database timestamp;
• DrWeb-Virus-Records—number of records in the virus database.

Furthermore, Dr.Web ICAPD can filter web content and block access to unwanted and potentially dangerous web resources. If the user requests such a resource, a block page generated from a template is returned; the page states the reason for the blocking. The same page is returned when Dr.Web ICAPD detects a threat or an error occurs while scanning the data being transmitted. To check whether a URL belongs to unwanted or potentially dangerous categories, Dr.Web ICAPD uses both the database of web resource categories, which is updated regularly from the Doctor Web update servers, and the Dr.Web Cloud service.
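The exchange described above, as an added example that is not part of the Dr.Web documentation: a Python helper that frames an ICAP REQMOD request with the X-Client-IP, X-Server-IP and X-Client-Username headers (RFC 3507 Encapsulated offsets included), classifies a REQMOD/RESPMOD response by the X-Response-Info, X-Infection-Found, X-Virus-ID and X-Violations-Found headers so a gateway log or SIEM rule can act on it, and pulls the DrWeb-* version headers out of an OPTIONS response. The ICAP server name icap.example, the sample response and the X-Infection-Found value are constructed, not taken from the product.

```python
def build_reqmod(host, path, client_ip, server_ip, username, icap_host="icap.example"):
    """Encapsulate an HTTP GET in an ICAP REQMOD request (RFC 3507 framing)."""
    http_req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    icap_hdr = (
        f"REQMOD icap://{icap_host}/reqmod ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"X-Client-IP: {client_ip}\r\n"          # LAN host that sent the request
        f"X-Server-IP: {server_ip}\r\n"          # destination web server
        f"X-Client-Username: {username}\r\n"     # user or user@domain from the proxy
        # Offsets: the encapsulated HTTP header starts at 0; no body follows it.
        f"Encapsulated: req-hdr=0, null-body={len(http_req)}\r\n\r\n"
    )
    return icap_hdr.encode() + http_req

def parse_icap(raw):
    """Return (status_code, headers) of an ICAP response; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers

def verdict(raw):
    """Map Dr.Web ICAPD REQMOD/RESPMOD headers to a verdict for logging or alerting."""
    code, h = parse_icap(raw)
    if h.get("x-response-info") == "Blocked":      # category or black-list block page
        return "blocked", None
    if "x-infection-found" in h or "x-virus-id" in h:
        return "infected", h.get("x-virus-id")      # name of the detected threat
    if "x-violations-found" in h:
        return "scan-error", h["x-violations-found"]
    if code == 204:                                 # RFC 3507: no modification needed
        return "clean", None
    return "modified", None

def engine_info(raw):
    """Pull engine/database versions out of an OPTIONS response (DrWeb-Get-Scan-Status: Yes)."""
    _, h = parse_icap(raw)
    keys = ("drweb-core-engine", "drweb-scan-engine", "drweb-scan-status",
            "drweb-database-timestamp", "drweb-virus-records")
    return {k: h[k] for k in keys if k in h}

# Constructed sample response: header names follow the documentation, values are made up.
SAMPLE_INFECTED = (b"ICAP/1.0 200 OK\r\nX-Infection-Found: Threat=EICAR.Test.File\r\n"
                   b"X-Virus-ID: EICAR.Test.File\r\nEncapsulated: res-hdr=0, res-body=0\r\n\r\n")
```

Feed the verdict tuple to the gateway log; a drift in DrWeb-Database-Timestamp or DrWeb-Virus-Records between OPTIONS polls is a quick check that updates are still arriving.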
Potentially dangerous categories are the following:
• InfectionSource—websites containing malware (“infection sources”);
• NotRecommended—fraudulent websites (that use “social engineering”) which are not recommended to visit;
• AdultContent—websites that contain pornographic or erotic materials, dating sites and so on;
• Violence—websites that encourage violence or contain materials about various fatal accidents and so on;
• Weapons—websites dedicated to weapons and explosives or providing information on their manufacturing and so on;
• Gambling—websites that provide access to online games of chance, casinos, auctions, including sites for placing bets and so on;
• Drugs—websites that promote use, production or distribution of drugs and so on;
• ObsceneLanguage—websites that contain obscene language (in section titles, articles and so on);
• Chats—websites that offer real-time exchange of text messages;
• Terrorism—websites that contain aggressive and propaganda materials or descriptions of terrorist attacks, and so on;
• FreeEmail—websites that offer free registration of an email box;
• SocialNetworks—social networking services: general, professional, corporate, interest-based; thematic dating websites;
• DueToCopyrightNotice—websites whose links were provided by the copyright holders of some copyrighted work (movies, music, and so on);
• OnlineGames—websites that provide access to games using a permanent internet connection;
• Anonymizers—websites allowing the user to hide personal information and providing access to blocked websites;
• CryptocurrencyMiningPool—websites that provide access to services for cryptocurrency mining;
• Jobs—job search websites.

In the settings of the component, the system administrator can specify unwanted categories of web resources and create black and white lists. Requesting a resource included in a black list results in a block page being returned.
Access to a web resource included in a white list is always allowed, even if the resource belongs to an unwanted category.
The same Dr.Web Updater component regularly and automatically updates databases of web resource categories and virus databases for Dr.Web Scanning Engine from Doctor Web servers. The Dr.Web Cloud service is mediated by the Dr.Web CloudD component (using the cloud service is configured in the general settings of Dr.Web Gateway Security Suite and can be disabled, if necessary). To scan data being transmitted, Dr.Web ICAPD uses a network scanning component, Dr.Web Network Checker, which initiates data scanning via Dr.Web Scanning Engine. To block or pass HTTP requests and responses, the Dr.Web ICAPD component can use rules defined in the settings and a Lua script.