Configuration Parameters

In this section

Component Parameters

Rules for Traffic Monitoring and Blocking of Access

The component uses configuration parameters specified in the [ICAPD] section of the unified configuration file of Dr.Web Gateway Security Suite.

Component Parameters

The section contains the following parameters:

Parameter

Description

LogLevel

{logging level}

Logging level of the component.

If a parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Component executable path.

Default value:

for GNU/Linux: /opt/drweb.com/bin/drweb-icapd

for FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-icapd

RunAsUser

{UID | user name}

User on behalf of whom the component is started. Either a numerical UID of the user or a user name (login) can be specified. If the user name consists of numbers (that is, the name is similar to a numerical UID), it must be specified with the “name:” prefix, for example: RunAsUser = name:123456.

If the user name is not specified, the component shuts down with an error upon startup.

Default value: drweb

Start

{logical}

The component is started by the Dr.Web ConfigD configuration management daemon.

Setting the value of this parameter to Yes instructs the configuration daemon to start the component immediately, and setting the value of this parameter to No—to shut down the component immediately.

Default value: No

DebugDumpIcap

{logical}

Log or do not log messages transmitted via ICAP at the debug level (with LogLevel = DEBUG).

Default value: No

ListenAddress

{network socket}

Network socket (IP address and port) listened by Dr.Web ICAPD for connections from HTTP proxy servers.

Default value: 127.0.0.1:1344

UsePreview

{logical}

Enable or disable an ICAP preview mode for Dr.Web ICAPD.

Do not change the value of this parameter unless necessary.

Default value: Yes

Use204

{logical}

Return response code 204 not only in ICAP preview mode.

Do not change the value of this parameter unless necessary.

Default value: Yes

AllowEarlyResponse

{logical}

Allow or do not allow Dr.Web ICAPD to use an ICAP early response mode, that is, start sending a response to the client before the entire request has been received from the HTTP proxy server.

Do not change the value of this parameter unless necessary.

Default value: Yes

TemplatesDir

{path to directory}

Path to a directory with the templates for the HTML notifications sent upon blocking a web resource.

Default value:

for GNU/Linux: /var/opt/drweb.com/templates/icapd

for FreeBSD: /var/drweb.com/templates/icapd

Whitelist

{domain list}

White list of domains. All domains included in this list will be accessible to users even if belonging to unwanted web resource categories. All subdomains of these domains will also be accessible.

The values of the list must be comma-separated (each value put in quotation marks). The parameter can be specified more than once in the section (in this case, all parameter values are combined into one list).

Example: Add example.com and example.net domains to the list.

1.Adding values to the configuration file.

Two values per line:

[ICAPD]
Whitelist = "example.com", "example.net"

Two lines (one value per line):

[ICAPD]
Whitelist = example.com
Whitelist = example.net

2.Adding values with the drweb-ctl cfset command:

# drweb-ctl cfset ICAPD.Whitelist -a example.com
# drweb-ctl cfset ICAPD.Whitelist -a example.net

Attention!

Actual usage of the domain list indicated in this parameter depends on how this list is used in the rules for controlling access to web resources defined for Dr.Web ICAPD.

The list of default rules (see below) guarantees that access to domains (and their subdomains) from this list will be granted even if it contains domains from the list of blocked web resource categories. Furthermore, the default set of rules guarantees that data downloaded from the white list domains will be scanned for threats.

Default value: (not specified)

Blacklist

{domain list}

Black list of domains. All domains included in this list will not be accessible to users even if not belonging to unwanted web resource categories. All subdomains of these domains will also be blocked.

The values of the list must be comma-separated (each value put in quotation marks). The parameter can be specified more than once in the section (in this case, all parameter values are combined into one list).

Example: Add example.com and example.net domains to the list.

1.Adding values to the configuration file.

Two values per line:

[ICAPD]
Blacklist = "example.com", "example.net"

Two lines (one value per line):

[ICAPD]
Blacklist = example.com
Blacklist = example.net

2.Adding values with the drweb-ctl cfset command:

# drweb-ctl cfset ICAPD.Blacklist -a example.com
# drweb-ctl cfset ICAPD.Blacklist -a example.net

Attention!

Actual usage of the domain list indicated in this parameter depends on how this list is used in the rules for controlling access to web resources defined for Dr.Web ICAPD.

The list of default rules (see below) guarantees that access to domains (and their subdomains) from this list will always be blocked. If a domain is added simultaneously to Whitelist and Blacklist, the default rules guarantee that user access to it will be blocked.

Default value: (not specified)

Adlist

{list of strings}

List of regular expressions covering websites. A URL that matches any of the regular expressions from this list is considered to be the advertising URL.

The values of the list must be comma-separated (each value put in quotation marks). The parameter can be specified more than once in the section (in this case, all parameter values are combined into one list).

Example: Add the '.*ads.+' and '.*/ad/.*\.gif$' expressions to the list.

1.Adding values to the configuration file.

Two values per line:

[ICAPD]
Adlist = ".*ads.+", ".*/ad/.*\.gif$"

Two lines (one value per line):

[ICAPD]
Adlist = .*ads.+
Adlist = .*/ad/.*\.gif$

2.Adding values with the drweb-ctl cfset command:

# drweb-ctl cfset ICAPD.Adlist -a '.*ads.+'
# drweb-ctl cfset ICAPD.Adlist -a '.*/ad/.*\.gif$'

Regular expressions are specified using either the POSIX syntax (BRE or ERE) or the Perl syntax (PCRE or PCRE2).

Attention!

Actual usage of the list of the expressions indicated in this parameter depends on how this list is used in the rules for controlling access to web resources defined for Dr.Web ICAPD.

The list of default rules (see below) guarantees that access to a URL from this list will be blocked only if the domains of these URLs are not included in Whitelist.

Default value: (not specified)

BlockInfectionSource

{logical}

Block attempts to connect to websites containing malware (belonging to the InfectionSource category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockNotRecommended

{logical}

Block attempts to connect to non-recommended websites (belonging to the NotRecommended category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockAdultContent

{logical}

Block attempts to connect to websites containing adult content (belonging to the AdultContent category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockViolence

{logical}

Block attempts to connect to websites containing graphic violence (belonging to the Violence category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockWeapons

{logical}

Block attempts to connect to websites dedicated to weapons (belonging to the Weapons category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockGambling

{logical}

Block attempts to connect to gambling websites (belonging to the Gambling category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockDrugs

{logical}

Block attempts to connect to websites dedicated to drugs (belonging to the Drugs category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockObsceneLanguage

{logical}

Block attempts to connect to websites with obscene language (belonging to the ObsceneLanguage category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockChats

{logical}

Block attempts to connect to chat websites (belonging to the Chats category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockTerrorism

{logical}

Block attempts to connect to websites dedicated to terrorism (belonging to the Terrorism category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockFreeEmail

{logical}

Block attempts to connect to websites of free email services (belonging to the FreeEmail category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockSocialNetworks

{logical}

Block attempts to connect to social networking websites (belonging to the SocialNetworks category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

BlockDueToCopyrightNotice

{logical}

Block attempts to connect to websites that were added at the request of a copyright holder (belonging to the DueToCopyrightNotice category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockOnlineGames

{logical}

Block attempts to connect to online gaming websites (belonging to the OnlineGames category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockAnonymizers

{logical}

Block attempts to connect to anonymizer websites (belonging to the Anonymizers category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockCryptocurrencyMiningPools

{logical}

Block attempts to connect to websites combining users to mine cryptocurrencies (belonging to the CryptocurrencyMiningPool category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: Yes

BlockJobs

{logical}

Block attempts to connect to job search websites (belonging to the Jobs category).

To enable blocking, the settings must contain the following rule (see below):

url_category in "ICAPD.BlockCategory" : BLOCK as _match

Default value: No

ScanTimeout

{time interval}

Timeout for scanning one file at the request of Dr.Web ICAPD.

Allowed values: from 1 second (1s) to 1 hour (1h).

Default value: 30s

HeuristicAnalysis

{On | Off}

Enable or disable the heuristic analysis for detection of unknown threats. The heuristic analysis provides higher detection reliability but increases the duration of scanning.

An action applied to threats detected by the heuristic analyzer is defined by the BlockSuspicious parameter.

Allowed values:

On—enable the heuristic analysis while scanning;

Off—disable the heuristic analysis.

Default value: On

PackerMaxLevel

{integer}

Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects that may also include packed objects and so on. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

ArchiveMaxLevel

{integer}

Maximum nesting level for archives (.zip, .rar and so on) in which other archives may be enclosed, whereas these archives may also include other archives and so on. The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 0

MailMaxLevel

{integer}

Maximum nesting level for files of mailers (.pst, .tbb and so on) in which other files may be enclosed, whereas these files may also include other files and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 0

ContainerMaxLevel

{integer}

Maximum nesting level while scanning other types of objects containing nested objects (HTML pages, .jar files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

MaxCompressionRatio

{integer}

Maximum compression ratio of compressed/packed objects (a ratio between a compressed size and an uncompressed size). If the ratio for an object exceeds the limit, this object is skipped during the data scanning initiated by Dr.Web ICAPD.

The compression ratio must be no less than 2.

Default value: 500

BlockKnownVirus

{logical}

Block incoming and outgoing data if it contains a known threat.

To enable blocking, the settings must contain the following rule (see below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockSuspicious

{logical}

Block incoming and outgoing data if it contains an unknown threat detected by the heuristic analyzer.

To enable blocking, the settings must contain the following rule (see below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockAdware

{logical}

Block incoming and outgoing data if it contains adware.

To enable blocking, the settings must contain the following rule (see below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockDialers

{logical}

Block incoming and outgoing data if it contains a dialer.

To enable blocking, the settings must contain the following rule (see below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: Yes

BlockJokes

{logical}

Block incoming and outgoing data if it contains a joke program.

To enable blocking, the settings must contain the following rule (see below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: No

BlockRiskware

{logical}

Block incoming and outgoing data if it contains riskware.

To enable blocking, the settings must contain the following rule (see below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: No

BlockHacktools

{logical}

Block incoming and outgoing data if it contains a hack tool.

To enable blocking, the settings must contain the following rule (see below):

threat_category in "ICAPD.BlockThreat" : BLOCK as _match

Default value: No

BlockUnchecked

{logical}

Block incoming and outgoing data if it cannot be scanned.

Default value: No

MessageHook

{path to file | Lua function}

Script for processing HTTP messages in the Lua language or a path to the script file (see the HTTP Message Processing in Lua section).

If the Lua function or the file path are not specified, the messages will be processed in accordance with the rules. If the specified file is not available, the component will fail to start.

Default value: Generated automatically. In case of default settings, the script is as follows:

local dw = require "drweb"
local cfg = require "drweb.config"
local dwl = require "drweb.lookup"
local rx = require "drweb.regex"

function message_hook(ctx)
  if ctx.direction == "request" then
    local url = ctx.request.url
    if url.in_list(cfg.blacklist) then
      return "block"
    end
    if not url.in_list(cfg.whitelist) then
      if rx.search(cfg.adlist, url) or rx.search(cfg.adlist, url.raw) then
          return "block"
      end
      if url.in_categories(cfg.block_url_categories) then
          return "block"
      end
    end
  end
  if ctx.body.has_threat{category = cfg.block_threats} then
    return "block"
  end
  if cfg.block_unchecked and ctx.body.scan_error then
    return "block"
  end
  return "pass"
end

Rules for Traffic Monitoring and Blocking of Access

In addition to the parameters listed above, the section contains seven sets of rules RuleSet* (RuleSet0, …, RuleSet6) which directly control traffic scanning and blocking of user access to web resources, as well as blocking downloading content from the internet. For some values in conditions (for example, IP address ranges, lists of website categories, black and white lists of web resources and so on), there is a substitution of values loaded from text files as well as extracted from external data sources via LDAP (the Dr.Web LookupD component is used). When configuring connections, all rules are processed from first to last as a single list until the rule that triggered the ultimate resolution is found. The gaps in the rule list, if any, are ignored.

The rules are described in detail in the Rules for Traffic Monitoring section of Appendix D.

Viewing and editing the rules

List gaps, that is, RuleSet<i> sets that do not contain rules (wherein <i> is a RuleSet rule set number), are kept for editing the rules easily.

You cannot add items different to the already present RuleSet<i> items, but you can add or remove any rule in any RuleSet<i> item.

Rules can be viewed and edited in any of the following ways:

by viewing and editing the configuration file in any text editor (note that this file stores only those parameters whose values differ from the defaults);

using management web interface;

via the command-line interface—Dr.Web Ctl (drweb-ctl cfshow and drweb-ctl cfset commands).

If you have edited the rules and made changes to the configuration file, in order to apply these changes, restart Dr.Web Gateway Security Suite. To do that, use the drweb-ctl reload command.

Viewing the rules with the drweb-ctl cfshow command

To view the contents of the ICAPD.RuleSet1 rule set, use the command:

# drweb-ctl cfshow ICAPD.RuleSet1

Editing the rules with the drweb-ctl cfset command

Hereinafter <rule> is the text of the rule.

Replace all the rules in the ICAPD.RuleSet1 set with a new rule:

# drweb-ctl cfset ICAPD.RuleSet1 '<rule>'

Add a new rule to the ICAPD.RuleSet1 rule set:

# drweb-ctl cfset -a ICAPD.RuleSet1 '<rule>'

Remove a specific rule from the ICAPD.RuleSet1 rule set:

# drweb-ctl cfset -e ICAPD.RuleSet1 '<rule>'

Reset the ICAPD.RuleSet1 rule set to its default values:

# drweb-ctl cfset -r ICAPD.RuleSet1

When you use the drweb-ctl tool to edit the rules, put the <rule> string in single or double quotes, and use a backward slash (\) to escape quotes within the text of the rule.

It is important to remember the following aspects of storing rules in the RuleSet<i> configuration variables:

The conditional part and colon can be omitted when adding unconditional rules. However, such rules are always stored in the list of rules as the ' : <action>' string.

When adding rules that contain several actions (such rules as '<condition> : <action 1>, <action 2>'), such rules will be transformed into a chain of elementary rules '<condition> : <action 1>' and '<condition> : <action 2>'.

Rules do not allow for disjunction (logical “OR”) of conditions in the conditional part, so, in order to implement the logical “OR”, construct a chain of rules with each rule having a disjunct-condition in its condition.

To add an unconditional skipping rule (the PASS action) to the ICAPD.RuleSet1 rule set, run the following command:

# drweb-ctl cfset -a ICAPD.RuleSet1 'PASS'

To remove this rule from the specified rule set, run the following command:

# drweb-ctl cfset -e ICAPD.RuleSet1 ' : PASS'

To add a rule to change a path to standard templates for connections from forbidden addresses and block these connections to the ICAPD.RuleSet1 rule set, run the command:

# drweb-ctl cfset -a ICAPD.RuleSet1 'src_ip not in file("/etc/trusted_ip") : set http_template_dir = "mytemplates", BLOCK'

This command adds two rules to the specified rule set, so, in order to remove these rules, run these two commands:

# drweb-ctl cfset -e ICAPD.RuleSet1 'src_ip not in file("/etc/trusted_ip") : set http_template_dir = "mytemplates"'
# drweb-ctl cfset -e ICAPD.RuleSet1 'src_ip not in file("/etc/trusted_ip") : BLOCK'

To add such rule as “Block upon detecting a malicious object of the KnownVirus type or a URL from the Terrorism category” to ICAPD.RuleSet1, add both of the following two rules to this rule set:

# drweb-ctl cfset -a ICAPD.RuleSet1 'threat_category in (KnownVirus) : BLOCK as _match'
# drweb-ctl cfset -a ICAPD.RuleSet1 'url_category in (Terrorism) : BLOCK as _match'

To remove them, run two commands, as shown in the example above.

Default set of rules

By default, the following set of rules for blocking is specified:

RuleSet0 =
RuleSet1 = direction request, url_host in "ICAPD.Blacklist" : BLOCK as BlackList
RuleSet1 = direction request, url_host not in "ICAPD.Whitelist", url match "ICAPD.Adlist" : BLOCK as BlackList
RuleSet2 =
RuleSet3 = direction request, url_host not in "ICAPD.Whitelist", url_category in "ICAPD.BlockCategory" : BLOCK as _match
RuleSet4 =
RuleSet5 = threat_category in "ICAPD.BlockThreat" : BLOCK as _match
RuleSet6 =

The first two rules cover processing of outgoing HTTP connections: if a host (or a URL) to which a connection is being established is included in the black list, the connection is blocked on the black list basis, further checks are not performed. If the host (the URL) is not included in the white list and belongs to any unwanted category of websites or matches the list of the regular expressions covering advertisement websites, then the connection is blocked because the URL belongs to the prohibited category.

The rule specified in RuleSet5 checks whether the body of the HTTP request or HTTP response contains threats that belong to the categories to be blocked, and, if so, the connection is blocked on the basis of detecting the threat.

Since the direction condition is not specified, both client requests and server responses are scanned by default.

Examples of the rules for traffic monitoring and blocking of access

1.Allow users with IP addresses in the range of 10.10.0.010.10.0.254 to access websites of all categories except for Chats:

src_ip in (10.10.0.0/24), url_category not in (Chats) : PASS

If the rule:

url_host in "ICAPD.Blacklist" : BLOCK as BlackList

is put on the list of rules above the indicated rule, then access to the domains from the black list, that is, the domains listed in the ICAPD.Blacklist parameter, will also be blocked for users with IP addresses in the range of 10.10.0.010.10.0.254. At the same time, if this rule is put below, the users with the IP addresses in the range of 10.10.0.010.10.0.254 will also get access to websites from the black list.

 

Since the PASS resolution is final, no more rules are processed; therefore, the downloaded data is not scanned for threats.

To allow users with IP addresses in the range of 10.10.0.010.10.0.254 to access websites of all categories except for Chats, if they are not on the black list, and to block downloading of threats at the same time, use the following rule:

url_category not in (Chats), url_host not in "ICAPD.Blacklist", threat_category not in "ICAPD.BlockCategory" : PASS

2.Do not scan the contents of video files (that is, data of the video/* MIME type, where * corresponds to any type of the video MIME class):

content_type in ("video/*") : PASS