SamDolan
Level 7
Message 1 of 3

Endpoint Security Storage Protection RESPMOD sample

Hi,

I was attempting to build a monitoring tool for ENSSP, doing a synthetic test passing a file to the ICAP service. I was able to get an OPTIONS response as below but unable to get a response to RESPMOD requests. I'd like to be able to send a clean small text file and an EICAR test file occasionally on a heartbeat rather than just do an OPTIONS check.

OPTIONS icap://<IP Address>:<Port>/AVSCAN ICAP/1.0
Host: <IP Address>
User-Agent: CheckMKPowerShell

Partial ICAP response

ICAP/1.0 200 OK
Date: Fri 19 May 2023 16:43:00 GMT
Methods: RESPMOD
Service: McAfee VirusScan Enterprise for Storage 2.2.0

Is there a sample of the format of output requirement and information needed to pass to the ICAP for a RESPMOD request?

2 Replies
Pravas
Employee
Message 2 of 3

Re: Endpoint Security Storage Protection RESPMOD sample

Hi @SamDolan ,

The sample that we normally use for testing is an EICAR file.

You may also refer to the following logs for scan activity.

C:\ProgramData\McAfee\Endpoint Security\Logs\ICAPScan_Activity.log
C:\ProgramData\McAfee\Endpoint Security\Logs\ICAPStats_Activity.log

Thanks


SamDolan
Level 7
Message 3 of 3

Re: Endpoint Security Storage Protection RESPMOD sample

Hey, thanks for the response. That was my intention, to use the EICAR string. I seem to be having an issue with what to send to the scanner, though, as part of the transmission. What I was after is the send criteria; working with the RFC I seem to be missing something and was hoping you had a sample output of what is being sent format-wise to the scanner around the ICAP header and HTTP header/payload.

 

To get option response I would send below which works:

OPTIONS icap://<IP Address>:<Port>/AVSCAN ICAP/1.0
Host: <IP Address>
User-Agent: CheckMKPowerShell

 

To get RESPMOD I would send below but do not seem to get any response and it eventually times out:

 
RESPMOD icap://<IP Address>:<Port>/AVSCAN ICAP/1.0
Host: <IP Address>
User-Agent<string>
Allow: 204
Encapsulated res-hdr=<calculated size of http header>  res-body=<calculated size of raw file>
 
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: <calculated size of raw file>
 
<raw file content>
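
For comparison with the request layout posted above, an added example (not part of the thread, and not the poster's or the vendor's code) that frames a RESPMOD request the way RFC 3507 specifies: an `Encapsulated:` header carrying byte offsets rather than sizes, and a chunked body closed by a zero-length chunk. It is written in Python rather than the poster's PowerShell so the framing can be checked offline; the function names, the `icap-heartbeat` user agent and the sample payload are assumptions made for illustration.

```python
import socket

SAMPLE = b"heartbeat test file\n"  # constructed clean payload

def build_respmod(host, port, service, payload, user_agent="icap-heartbeat"):
    """Return the wire bytes of an ICAP RESPMOD request (RFC 3507 framing)."""
    # Encapsulated HTTP response header block, terminated by a blank line.
    res_hdr = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "\r\n"
    ).encode("ascii")
    # Encapsulated carries byte offsets from the start of the encapsulated
    # section, not sizes: res-hdr begins at 0, res-body right after it.
    icap_hdr = (
        f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Allow: 204\r\n"
        f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}\r\n"
        "\r\n"
    ).encode("ascii")
    # The body is sent chunked: hex length, data, CRLF, then a zero-length
    # chunk. Without the final "0\r\n\r\n" a server keeps waiting for data.
    chunk = b"%x\r\n" % len(payload) + payload + b"\r\n" if payload else b""
    return icap_hdr + res_hdr + chunk + b"0\r\n\r\n"

def parse_status(response):
    """Return the status code from an ICAP status line, e.g. 204."""
    line = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {line!r}")
    return int(parts[1])

def scan(host, port, service, payload, timeout=10.0):
    """Send one RESPMOD request and return the ICAP status code."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_respmod(host, port, service, payload))
        buf = b""
        while b"\r\n" not in buf:  # read until the status line is complete
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return parse_status(buf)
```

With `Allow: 204` in the request, a 204 status means the server required no modification of the encapsulated response (RFC 3507); a heartbeat check can alert on a timeout or on any status it does not expect for the file it sent.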
 
 
 

 
