Configuration Parameters


The component uses configuration parameters which are specified in the [ICAPD] section of the integrated configuration file of Dr.Web for UNIX Internet Gateways.

The section contains the following parameters:

LogLevel

{logging level}

Logging level of the component.

If the parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method

ExePath

{path to file}

Path to the executable file of the component.

Default value: <opt_dir>/bin/drweb-icapd

For Linux, Solaris: /opt/drweb.com/bin/drweb-icapd

For FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-icapd

RunAsUser

{UID | user name}

Determines the user account under which the component runs. The account can be given either as a numeric UID or as a login name. If the login name itself consists only of digits (so that it could be mistaken for a UID), prefix it with name:, for example: RunAsUser = name:123456.

If no valid user is specified, the component terminates with an error right after start-up.

Default value: drweb

Start

{Boolean}

Whether the component is to be launched by the Dr.Web ConfigD configuration daemon.

Yes instructs the configuration daemon to start the component immediately; No instructs it to terminate the component immediately.

Default value: No

DebugDumpIcap

{Boolean}

Instructs to write full ICAP messages to the log file at the debug logging level (i.e. when LogLevel = DEBUG). Such dumps contain the encapsulated HTTP requests and responses, including headers such as cookies and authorization data, so enable this only while troubleshooting and protect the log file accordingly.

Default value: No

ListenAddress

{network socket}

Defines the network socket (IP address and port) on which Dr.Web ICAPD listens for connections from HTTP proxy servers. ICAP carries no authentication or encryption of its own, so if you bind to an address other than the loopback one, restrict access to the socket (for example, with a packet filter) to the proxy hosts that are meant to use it.

Default value: 127.0.0.1:1344

UsePreview

{Boolean}

Instructs Dr.Web ICAPD to use the ICAP preview mode.

It is recommended that you do not change the default value of this parameter, unless it is necessary.

Default value: Yes

Use204

{Boolean}

Defines whether Dr.Web ICAPD may return the ICAP response code 204 (No Content, meaning "no modification needed") outside the preview mode as well, i.e. after the full message has been received.

It is recommended that you do not change the default value of this parameter, unless it is necessary.

Default value: Yes

AllowEarlyResponse

{Boolean}

Defines whether Dr.Web ICAPD may use the ICAP early response mode, i.e. may start sending its response to the proxy before the entire request has been received from the HTTP proxy server.

It is recommended that you do not change the default value of this parameter, unless it is necessary.

Default value: Yes

TemplatesDir

{path to directory}

Path to the directory that contains the templates for the HTML notifications sent upon blocking a web resource.

Default value: <var_dir>/templates/icapd

For Linux, Solaris: /var/opt/drweb.com/templates/icapd

For FreeBSD: /var/drweb.com/templates/icapd

Whitelist

{domain list}

List of domains used as the white list: connections to these domains are allowed for users even if the domains belong to blocked categories. Access is also allowed to all sub-domains of the listed domains.

List values are separated by commas, each value enclosed in quotation marks. The parameter can be specified more than once in the section; in that case all its values are combined into one list.

Example: add the domains example.com and example.net to the list.

1. Adding values to the configuration file.

Two values on one line

[ICAPD]
Whitelist = "example.com", "example.net"

Two lines (one value per line)

[ICAPD]
Whitelist = example.com
Whitelist = example.net

2. Adding values via the drweb-ctl cfset command.

# drweb-ctl cfset ICAPD.Whitelist -a example.com
# drweb-ctl cfset ICAPD.Whitelist -a example.net

Note

How the domain list in this parameter is actually applied depends on how it is referenced in the access-control rules defined for Dr.Web ICAPD.

With the default rule set (see below), access to the listed domains (and their sub-domains) is granted even if they belong to blocked website categories or match the Adlist patterns. At the same time, the default rules still scan data downloaded from white-listed domains for threats: the white list only exempts a host from the category and advertisement checks, not from the threat check in RuleSet5.

Default value: (not set)

Blacklist

{domain list}

List of domains used as the black list: connections to these domains are denied for users even if the domains do not belong to blocked categories. Access is also denied to all sub-domains of the listed domains.

List values are separated by commas, each value enclosed in quotation marks. The parameter can be specified more than once in the section; in that case all its values are combined into one list.

Example: add the domains example.com and example.net to the list.

1. Adding values to the configuration file.

Two values on one line

[ICAPD]
Blacklist = "example.com", "example.net"

Two lines (one value per line)

[ICAPD]
Blacklist = example.com
Blacklist = example.net

2. Adding values via the drweb-ctl cfset command.

# drweb-ctl cfset ICAPD.Blacklist -a example.com
# drweb-ctl cfset ICAPD.Blacklist -a example.net

Note

How the domain list in this parameter is actually applied depends on how it is referenced in the access-control rules defined for Dr.Web ICAPD.

With the default rule set (see below), access to the listed domains (and their sub-domains) is always denied. If a domain is present in both Whitelist and Blacklist, the default rules block access to it, because the Blacklist rule is evaluated first and is final.

Default value: (not set)

Adlist

{list of strings}

A list of regular expressions that describe advertisement URLs: URLs that match any of the regular expressions listed here are considered to be URLs of advertisements.

List values are separated by commas, each value enclosed in quotation marks. The parameter can be specified more than once in the section; in that case all its values are combined into one list.

Example: add the expressions '.*ads.+' and '.*/ad/.*\.gif$' to the list.

1. Adding values to the configuration file.

Two values on one line

[ICAPD]
Adlist = ".*ads.+", ".*/ad/.*\.gif$"

Two lines (one value per line)

[ICAPD]
Adlist = .*ads.+
Adlist = .*/ad/.*\.gif$

2. Adding values via the drweb-ctl cfset command.

# drweb-ctl cfset ICAPD.Adlist -a '.*ads.+'
# drweb-ctl cfset ICAPD.Adlist -a '.*/ad/.*\.gif$'

Regular expressions are written in either the POSIX syntax (BRE, ERE) or the Perl syntax (PCRE, PCRE2). A pattern is matched against the whole URL, so an unanchored pattern such as .*ads.+ also matches any URL that merely contains the letters "ads" (for example, one on a host named downloads.example.org); make the patterns as specific as the advertising URLs you actually intend to block.

Note

How the expression list in this parameter is actually applied depends on how it is referenced in the access-control rules defined for Dr.Web ICAPD.

With the default rule set (see below), access to URLs matching this list is always denied, but only if the host of the URL is not in Whitelist.

Default value: (not set)

BlockInfectionSource

{Boolean}

Instructs to block attempted connections to websites containing malicious software (included into the InfectionSource category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockNotRecommended

{Boolean}

Instructs to block attempts of connection to non-recommended websites (included into the NotRecommended category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockAdultContent

{Boolean}

Instructs to block attempts of connection to websites containing adult content (included into the AdultContent category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockViolence

{Boolean}

Instructs to block attempts of connection to websites containing graphic violence (included into the Violence category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockWeapons

{Boolean}

Instructs to block attempts of connection to websites dedicated to weapons (included into the Weapons category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockGambling

{Boolean}

Instructs to block attempts of connection to gambling websites (included into the Gambling category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockDrugs

{Boolean}

Instructs to block attempts of connection to websites dedicated to drugs (included into the Drugs category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockObsceneLanguage

{Boolean}

Instructs to block attempts of connection to websites containing obscene language (included into the ObsceneLanguage category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockChats

{Boolean}

Instructs to block attempts of connection to chat websites (included into the Chats category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockTerrorism

{Boolean}

Instructs to block attempts of connection to websites dedicated to terrorism (included into the Terrorism category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockFreeEmail

{Boolean}

Instructs to block attempts of connection to websites of free email services (included into the FreeEmail category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockSocialNetworks

{Boolean}

Instructs to block attempts of connection to social networking websites (included into the SocialNetworks category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockDueToCopyrightNotice

{Boolean}

Instructs to block attempts of connection to websites that were added according to copyright holder requests (included into the DueToCopyrightNotice category).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

ScanTimeout

{time interval}

Timeout for scanning one file initiated by Dr.Web ICAPD.

A value in the range from 1s to 1h can be specified.

Default value: 30s

HeuristicAnalysis

{On | Off}

Indicates whether heuristic analysis is used for detection of unknown threats during data scanning initiated by Dr.Web ICAPD. The use of heuristic analysis raises the level of protection, but at the same time it increases the time spent on scanning.

Action applied to threats detected by the heuristic analyzer is specified as the BlockSuspicious parameter value.

Allowed values:

On—instructs to use heuristic analysis when scanning.

Off—instructs not to use heuristic analysis.

Default value: On

PackerMaxLevel

{integer}

Maximum nesting level when scanning packed objects. All objects at a deeper nesting level are skipped during data scanning initiated by Dr.Web ICAPD.

A value in the range from 0 to 60 can be specified. If the value is set to 0, nested objects are not scanned.

Default value: 8

ArchiveMaxLevel

{integer}

Maximum nesting level when scanning archives. All objects at a deeper nesting level are skipped during data scanning initiated by Dr.Web ICAPD.

A value in the range from 0 to 60 can be specified. If the value is set to 0, nested objects are not scanned: with the default of 0, the contents of downloaded archives are not unpacked and scanned at all, so raise the value if archive contents must be inspected.

Default value: 0

MailMaxLevel

{integer}

Maximum nesting level when scanning email messages and mailboxes. All objects at a deeper nesting level are skipped during data scanning initiated by Dr.Web ICAPD.

A value in the range from 0 to 60 can be specified. If the value is set to 0, nested objects are not scanned: with the default of 0, attachments inside email messages and mailboxes passing through the gateway are not inspected.

Default value: 0

ContainerMaxLevel

{integer}

Maximum nesting level when scanning other containers (for example, HTML pages). All objects at a deeper nesting level are skipped during data scanning initiated by Dr.Web ICAPD.

A value in the range from 0 to 60 can be specified. If the value is set to 0, nested objects are not scanned.

Default value: 8

MaxCompressionRatio

{integer}

Maximum compression ratio of compressed/packed objects (ratio between the uncompressed size and the compressed size). If the ratio for an object exceeds the limit, this object is skipped during data scanning initiated by Dr.Web ICAPD.

The compression ratio must not be smaller than 2. This limit bounds how much data the scanner will inflate from a small download (a decompression bomb); raising it trades that protection for coverage of unusually dense archives.

Default value: 500
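The two limits above decide which members of a downloaded archive are ever opened. The following added example (not Dr.Web code) models them on archives constructed in memory: members nested deeper than ArchiveMaxLevel are skipped, with 0 meaning nothing inside an archive is opened, and a member whose uncompressed size exceeds MaxCompressionRatio times its compressed size is skipped without being inflated. Counting an archive's own members as nesting level 1 is an assumption of the model, as are the sample files.

```python
"""Archive nesting and compression-ratio limits applied to a downloaded ZIP:
added example, not Dr.Web code. It models the two limits as the manual
describes them (members deeper than ArchiveMaxLevel are skipped, with 0
meaning nothing inside an archive is opened; a member whose uncompressed
size exceeds MaxCompressionRatio times its compressed size is skipped) on
archives constructed in memory. Counting the archive's own members as
nesting level 1 is an assumption."""
import io
import zipfile


def build_zip(entries):
    """Constructed sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def compression_ratio(info):
    """Uncompressed size over compressed size, as recorded in the central directory."""
    return info.file_size / max(info.compress_size, 1)


def scan_plan(zip_bytes, archive_max_level=0, max_ratio=500, _level=1, _prefix=""):
    """Return [(member path, verdict)] without inflating anything over the ratio limit."""
    if _level > archive_max_level:
        return [(_prefix + "*", f"skipped: nesting level {_level} exceeds ArchiveMaxLevel={archive_max_level}")]
    plan = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            path = _prefix + info.filename
            ratio = compression_ratio(info)
            if ratio > max_ratio:  # decided from the headers alone: the member is never inflated
                plan.append((path, f"skipped: ratio {ratio:.0f} exceeds MaxCompressionRatio={max_ratio}"))
                continue
            data = zf.read(info)
            plan.append((path, "scanned"))
            if zipfile.is_zipfile(io.BytesIO(data)):  # nested archive: one level deeper
                plan.extend(scan_plan(data, archive_max_level, max_ratio, _level + 1, path + "/"))
    return plan


def sample_download():
    """Constructed download: a text file, 1 MiB of zeros (a tiny bomb) and a nested ZIP."""
    inner = build_zip({"payload.exe": b"MZ" + b"\x90" * 100})
    return build_zip({"readme.txt": b"release notes\n",
                      "bomb.bin": b"\0" * (1 << 20),
                      "inner.zip": inner})


if __name__ == "__main__":
    for level in (0, 1, 2):
        print(f"ArchiveMaxLevel = {level}")
        for path, verdict in scan_plan(sample_download(), archive_max_level=level):
            print(f"  {path:22} {verdict}")
```

With the default ArchiveMaxLevel = 0 the plan contains a single "skipped" entry for the whole archive; at level 1 the text file is scanned, the run of zeros (ratio of roughly 1000:1) is skipped by MaxCompressionRatio, and the nested archive is scanned as a file but not opened; at level 2 the executable inside it is reached.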

BlockKnownVirus

{Boolean}

Instructs to block the receiving or the sending of data if it contains any known threat.

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockSuspicious

{Boolean}

Instructs to block the receiving or the sending of data if it contains any unknown threat (detected by the heuristic analyzer).

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockAdware

{Boolean}

Instructs to block the receiving or the sending of data if it contains adware.

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockDialers

{Boolean}

Instructs to block the receiving or the sending of data if it contains a dialer program.

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockJokes

{Boolean}

Instructs to block the receiving or the sending of data if it contains joke program.

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: No

BlockRiskware

{Boolean}

Instructs to block the receiving or the sending of data if it contains riskware.

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: No

BlockHacktools

{Boolean}

Instructs to block the receiving or the sending of data if it contains a hacktool.

For the blocking to work, you should check that within the settings there is also a rule that looks like this (see the details below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: No

BlockUnchecked

{Boolean}

Instructs to block the receiving or sending of data that cannot be scanned (for example, when ScanTimeout expires before a file has been fully scanned). With the default of No the component fails open: data that could not be checked is passed through to the user.

Default value: No

Rules for Traffic Monitoring and Blocking of Access

In addition to the parameters listed above, the section contains seven rule sets, RuleSet0 to RuleSet6, which directly control traffic scanning, blocking of users' access to web resources and blocking of content downloads from the Internet. Some values used in rule conditions (for example, IP address ranges, lists of website categories, black and white lists of web sources) can be substituted from text files or from external data sources queried via LDAP (through the Dr.Web LookupD component). When a connection is processed, the whole list of rules is checked in ascending order until a rule with a final resolution (PASS or BLOCK) matches; empty rule sets are skipped.

The rules are described in detail in section Rules for Traffic Monitoring of Appendix D.

Viewing and editing of rules

For convenience of editing, the list contains gaps, i.e. RuleSet<i> sets that hold no rules. You cannot add elements other than RuleSet0, …, RuleSet6, but you can add and remove any rule in any RuleSet<i>. Rules can be viewed and edited in any of the following ways:

by viewing and editing the configuration file in any text editor (note that this file stores only those parameters whose values differ from the defaults);

via the web interface of the product management (if installed);

via the command-line interface Dr.Web Ctl (the drweb-ctl cfshow and drweb-ctl cfset commands).

If you edited the rules directly in the configuration file, apply the changes by restarting the component with the drweb-ctl reload command.

Using the drweb-ctl cfshow command to view rules.

To view the contents of the rules set ICAPD.RuleSet1, use the command

# drweb-ctl cfshow ICAPD.RuleSet1

Using the drweb-ctl cfset command to edit rules (below, <rule> denotes the text of a rule).

Replacing all the rules in a set ICAPD.RuleSet1 with a new rule:

# drweb-ctl cfset ICAPD.RuleSet1 '<rule>'

Adding a new rule to the rule set ICAPD.RuleSet1:

# drweb-ctl cfset -a ICAPD.RuleSet1 '<rule>'

Removing a specific rule from the set ICAPD.RuleSet1:

# drweb-ctl cfset -e ICAPD.RuleSet1 '<rule>'

Reset the rule set ICAPD.RuleSet1 to the default state:

# drweb-ctl cfset -r ICAPD.RuleSet1

When you use drweb-ctl to edit the list of rules, enclose the text of the rule in single or double quotes. If you use double quotes and the rule itself contains double quotes, escape each of them with a backslash (\); enclosing the rule in single quotes, as in the examples below, avoids the escaping.

Keep the following storage features of rules in the RuleSet<i> configuration variables in mind:

the conditional part and the colon can be omitted when adding an unconditional rule; however, such a rule is always stored in the list as the string " : <action>";

a rule that contains several actions (such as '<condition> : <action 1>, <action 2>') is split into a chain of elementary rules '<condition> : <action 1>' and '<condition> : <action 2>';

the rule syntax does not allow disjunction (logical "OR") of conditions in the conditional part; to implement "OR", add a chain of rules, one per alternative, each with the same action.

To add an unconditional rule for skipping the connections (the PASS action) to the ICAPD.RuleSet1 set, you only need to execute the following command:

# drweb-ctl cfset -a ICAPD.RuleSet1 'PASS'

However, to remove this rule from the specified rule set, it is required to execute the following command:

# drweb-ctl cfset -e ICAPD.RuleSet1 ' : PASS'

To add to ICAPD.RuleSet1 a rule that, for connections from addresses not listed in /etc/trusted_ip, switches to a different template directory and blocks the connection, execute the following command:

# drweb-ctl cfset -a ICAPD.RuleSet1 'src_ip not in file("/etc/trusted_ip") : set http_template_dir = "mytemplates", BLOCK'

However, this command adds two rules to the set, so to remove them you need to execute the following two commands:

# drweb-ctl cfset -e ICAPD.RuleSet1 'src_ip not in file("/etc/trusted_ip") : set http_template_dir = "mytemplates"'
# drweb-ctl cfset -e ICAPD.RuleSet1 'src_ip not in file("/etc/trusted_ip") : BLOCK'

To add to ICAPD.RuleSet1 a rule meaning "block if a malicious object of the KnownVirus category or a URL of the Terrorism category is detected", add the following two rules (one per alternative):

# drweb-ctl cfset -a ICAPD.RuleSet1 'threat_category in (KnownVirus) : BLOCK as _match'
# drweb-ctl cfset -a ICAPD.RuleSet1 'url_category in (Terrorism) : BLOCK as _match'

To remove them from the set of rules, you also need to execute two commands, as it is shown in the example above.
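The storage behaviour just described (unconditional rules stored as " : <action>", multi-action rules split into elementary rules, OR expressed as a chain) is easy to get wrong when scripting removals. The following added example (not Dr.Web code) reproduces only those stated storage rules on the rule text and derives the exact drweb-ctl cfset -e commands needed to undo a cfset -a. Its splitter ignores commas inside parentheses and colons inside quoted strings; that this matches the rule grammar is an assumption the manual's own examples are consistent with.

```python
"""Rule text normalisation for the RuleSet<i> storage: added example, not
Dr.Web code. It implements only the two storage rules the manual states
(an unconditional rule is stored as ' : <action>'; a rule with several
actions is stored as one elementary rule per action) and derives the exact
'drweb-ctl cfset -e' commands needed to undo a 'cfset -a'. Treating commas
inside parentheses and colons inside quotes as non-separators is an
assumption about the rule grammar."""
import shlex


def split_top_level(text, sep, maxsplit=-1):
    """Split text on sep, ignoring separators inside quotes or parentheses."""
    parts, cur, depth, quote = [], [], 0, None
    for ch in text:
        if quote:                      # inside a quoted string: copy verbatim
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == sep and depth == 0 and maxsplit != 0:
            parts.append("".join(cur).strip())
            cur = []
            maxsplit -= 1
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def normalize_rule(rule):
    """Return the elementary rules the configuration will actually store."""
    head, *tail = split_top_level(rule.strip(), ":", maxsplit=1)
    if tail:
        condition, actions = head, tail[0]
    else:                              # no colon: an unconditional rule such as 'PASS'
        condition, actions = "", head
    return [f"{condition} : {action}" for action in split_top_level(actions, ",") if action]


def or_chain(alternatives, action):
    """Logical OR is not available in a condition: one rule per alternative instead."""
    return [f"{cond} : {action}" for cond in alternatives]


def add_command(ruleset, rule):
    """The command that appends the rule as typed (it is split on storage)."""
    return f"drweb-ctl cfset -a {ruleset} {shlex.quote(rule)}"


def removal_commands(ruleset, rule):
    """The commands that remove everything add_command(ruleset, rule) stored."""
    return [f"drweb-ctl cfset -e {ruleset} {shlex.quote(stored)}" for stored in normalize_rule(rule)]


if __name__ == "__main__":
    rule = 'src_ip not in file("/etc/trusted_ip") : set http_template_dir = "mytemplates", BLOCK'
    print(add_command("ICAPD.RuleSet1", rule))
    for cmd in removal_commands("ICAPD.RuleSet1", rule):
        print(cmd)
    for cmd in removal_commands("ICAPD.RuleSet1", "PASS"):
        print(cmd)
```

shlex.quote always wraps a rule that contains spaces or double quotes in single quotes, so the generated commands never need backslash-escaped double quotes and reproduce the manual's removal commands character for character.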

Default set of rules

By default, the following sets of rules are specified:

RuleSet0 =
RuleSet1 = direction request, url_host in "ICAPD.Blacklist" : BLOCK as BlackList
RuleSet1 = direction request, url_host not in "ICAPD.Whitelist", url match "ICAPD.Adlist" : BLOCK as BlackList
RuleSet2 =
RuleSet3 = direction request, url_host not in "ICAPD.Whitelist", url_category in "ICAPD.BlockCategory" : BLOCK as _match
RuleSet4 =
RuleSet5 = threat_category in "ICAPD.BlockThreat" : BLOCK as _match
RuleSet6 =

The rules in RuleSet1 and RuleSet3 process outgoing HTTP requests. If the host to which a connection is attempted is in the black list, the connection is blocked with the reason BlackList and no other checks are performed. Otherwise, if the host is not in the white list and the URL matches any of the Adlist regular expressions, the connection is also blocked with the reason BlackList. Finally, if the host is not in the white list and belongs to any website category marked for blocking (the Block* category parameters above), the connection is blocked and the matched category is reported as the reason.

The rule in RuleSet5 checks whether the HTTP request or response contains a threat of a category that must be blocked (according to the Block* threat parameters above); if so, the connection is blocked with the detected threat category as the reason. Because no direction condition is specified, both client requests (request) and server responses (response) are checked. This is also why data from white-listed hosts is still scanned: the white list appears only in the request-direction rules, never in RuleSet5.
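The interplay of the Whitelist, Blacklist and Adlist notes above with this default rule order is easiest to see by running it. The following added example (not Dr.Web code) models the chain as the documentation describes it: rules evaluated in ascending order, the first PASS or BLOCK final, domain lists matching the domain and its sub-domains, Adlist entries as regular expressions. The [ICAPD] values, the sample requests and their category and threat labels are constructed inputs; treating url match as an unanchored search over the full URL is an assumption. It also includes the PASS rule from example 1 in the next section, placed ahead of the defaults, to show why an early PASS skips the threat check.

```python
"""Model of how Dr.Web ICAPD walks its rule chain: added example, not
Dr.Web code. It implements only what the documentation states (rules are
evaluated in ascending order, the first PASS or BLOCK is final, domain lists
match the domain and its sub-domains, Adlist entries are regular expressions).
The category and threat labels on the sample messages are constructed inputs
standing in for what the real URL categoriser and scanner would report."""
import ipaddress
import re

# Constructed stand-in for the [ICAPD] lists the default rules reference.
CONFIG = {
    "ICAPD.Whitelist": ["example.com", "example.net"],
    "ICAPD.Blacklist": ["bad.example.net"],
    "ICAPD.Adlist": [r".*ads.+", r".*/ad/.*\.gif$"],
    "ICAPD.BlockCategory": ["InfectionSource", "Chats"],  # categories whose Block* = Yes
    "ICAPD.BlockThreat": ["KnownVirus", "Suspicious"],    # threat types whose Block* = Yes
}


def host_in_list(host, domains):
    """'url_host in <list>': true for a listed domain or any sub-domain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def url_matches(url, patterns):
    """'url match <list>': a pattern found anywhere in the URL (assumed unanchored search)."""
    return any(re.search(p, url) for p in patterns)


def common(categories, listed):
    """Categories shared by a message and a list, sorted; empty means no match."""
    return sorted(set(categories) & set(listed))


def src_in(msg, network):
    """'src_ip in (<network>)'."""
    return ipaddress.ip_address(msg["src_ip"]) in ipaddress.ip_network(network)


def default_rules(cfg=CONFIG):
    """The default RuleSet1, RuleSet3 and RuleSet5 rules as (label, condition, action, reason)."""
    wl, bl, ads = cfg["ICAPD.Whitelist"], cfg["ICAPD.Blacklist"], cfg["ICAPD.Adlist"]
    cats, threats = cfg["ICAPD.BlockCategory"], cfg["ICAPD.BlockThreat"]
    return [
        # direction request, url_host in "ICAPD.Blacklist" : BLOCK as BlackList
        ("RuleSet1", lambda m: m["direction"] == "request" and host_in_list(m["host"], bl),
         "BLOCK", lambda m: "BlackList"),
        # direction request, url_host not in "ICAPD.Whitelist", url match "ICAPD.Adlist" : BLOCK as BlackList
        ("RuleSet1", lambda m: m["direction"] == "request" and not host_in_list(m["host"], wl)
         and url_matches(m["url"], ads), "BLOCK", lambda m: "BlackList"),
        # direction request, url_host not in "ICAPD.Whitelist", url_category in "ICAPD.BlockCategory" : BLOCK as _match
        ("RuleSet3", lambda m: m["direction"] == "request" and not host_in_list(m["host"], wl)
         and bool(common(m["url_category"], cats)), "BLOCK", lambda m: common(m["url_category"], cats)[0]),
        # threat_category in "ICAPD.BlockThreat" : BLOCK as _match   (no direction: both ways)
        ("RuleSet5", lambda m: bool(common(m["threat_category"], threats)),
         "BLOCK", lambda m: common(m["threat_category"], threats)[0]),
    ]


def evaluate(msg, rules):
    """Walk the rules in order; the first matching PASS/BLOCK is final.
    If no rule matches, the message is allowed through."""
    for label, condition, action, reason in rules:
        if condition(msg):
            return (action, reason(msg), label)
    return ("PASS", "", None)


def message(direction, url, src_ip="192.0.2.10", url_category=(), threat_category=()):
    """One HTTP request or response as the rules see it (constructed sample input)."""
    host = re.match(r"https?://([^/:]+)", url).group(1)
    return {"direction": direction, "url": url, "host": host, "src_ip": src_ip,
            "url_category": set(url_category), "threat_category": set(threat_category)}


# Example 1 of the manual: 'src_ip in (10.10.0.0/24), url_category not in (Chats) : PASS'
PASS_EARLY = ("RuleSet0", lambda m: src_in(m, "10.10.0.0/24") and not common(m["url_category"], ["Chats"]),
              "PASS", lambda m: "")
# Safer variant: PASS only if the host is not black-listed and nothing blockable was found.
PASS_SAFE = ("RuleSet0", lambda m: src_in(m, "10.10.0.0/24") and not common(m["url_category"], ["Chats"])
             and not host_in_list(m["host"], CONFIG["ICAPD.Blacklist"])
             and not common(m["threat_category"], CONFIG["ICAPD.BlockThreat"]),
             "PASS", lambda m: "")


def demo():
    rules = default_rules()
    infected = message("response", "http://files.example.org/setup.exe", src_ip="10.10.0.7",
                       threat_category=["KnownVirus"])
    return {
        # sub-domain of a white-listed domain: the Chats category is ignored
        "whitelisted_chat": evaluate(message("request", "http://chat.example.com/", url_category=["Chats"]), rules),
        # ...but a threat downloaded from it is still blocked by RuleSet5
        "whitelisted_infected": evaluate(message("response", "http://chat.example.com/x.exe",
                                                 threat_category=["KnownVirus"]), rules),
        # example.net is white-listed, bad.example.net black-listed: the black list wins
        "blacklist_wins": evaluate(message("request", "http://cdn.bad.example.net/"), rules),
        # '.*ads.+' also matches the host name 'downloads': collateral block on a non-white-listed host
        "adlist_collateral": evaluate(message("request", "http://downloads.example.org/tool.zip"), rules),
        # the same URL on a white-listed host is exempt from the Adlist check
        "adlist_whitelisted": evaluate(message("request", "http://downloads.example.com/tool.zip"), rules),
        # the early PASS ends evaluation before RuleSet5: the infected download gets through
        "early_pass": evaluate(infected, [PASS_EARLY] + rules),
        # the safer PASS does not match an infected response, so RuleSet5 blocks it
        "safe_pass": evaluate(infected, [PASS_SAFE] + rules),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} -> {verdict}")
```

The model deliberately represents rules as predicates rather than parsing rule text, so it says nothing about the rule grammar; what it shows is the consequence of ordering: the black list is consulted before the white list, a white-listed host skips only the request-direction checks, and any PASS placed ahead of RuleSet5 silently disables threat scanning for whatever it matches.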

Examples of Rules for Traffic Monitoring and Blocking of Access

1. Allow users with IP addresses in the range 10.10.0.0 – 10.10.0.254 to access websites of all categories except Chats:

src_ip in (10.10.0.0/24), url_category not in (Chats) : PASS

Note that if the rule

url_host in "ICAPD.Blacklist" : BLOCK as BlackList

is placed in the list above the rule shown, access to domains from the black list (i.e. domains listed in ICAPD.Blacklist) is blocked for users in the range 10.10.0.0 – 10.10.0.254 as well; if it is placed below, those users also get access to websites from the black list. Connections to the Chats category do not match the rule shown and simply fall through to the remaining rules, so they are blocked only if BlockChats = Yes and a category-blocking rule such as the default one in RuleSet3 is present.

Because the PASS resolution is final, no further rules are evaluated for a matching connection, so the downloaded data is not scanned for threats either. To grant users in the range 10.10.0.0 – 10.10.0.254 access to websites of all categories except Chats, provided the host is not in the black list, and still block downloads of threats, use the following rule instead:

src_ip in (10.10.0.0/24), url_category not in (Chats), url_host not in "ICAPD.Blacklist", threat_category not in "ICAPD.BlockThreat" : PASS

A response that does contain a threat of a blocked category does not match this rule and falls through to the default RuleSet5 rule, which blocks it.

2. Do not scan the contents of video files (i.e. data with the MIME type video/*, where * is any subtype of the video class). Because PASS is final, data matching this rule is never scanned for threats, and the MIME type is whatever the HTTP message declares; a server that labels an executable as video/mp4 thereby bypasses the threat check, so use such exemptions only where that risk is acceptable:

content_type in ("video/*") : PASS