This section allows sysadmins to enable scanning of incoming files using a remote anti-virus server. MOVEit DMZ will submit incoming files to the anti-virus (AV) and/or Data Loss Prevention (DLP) server using the ICAP protocol. Files that are clean are then passed into the MOVEit DMZ filesystem.
Note: If you are using the AS2 Module to transfer files, be aware that content scanning does not apply to AS2 transfers. Use MOVEit Central to scan AS2 transfers for viruses.
For more information on the Content Scanning feature and associated logs and reporting, see the Feature Focus - Content Scanning topic.
Set Content Scanning
A name for the content scanner and the location (Server URL) for the content scanner are required settings. All of the Content Scanning settings apply to all MOVEit DMZ hosts on the system. The settings are described below:
Note: You can enable or disable Content Scanning for each organization in Settings - Security Policies - Content Scanning. You need to be signed on as an Organization administrator.
Scan uploads: Yes means content scanning is enabled for the MOVEit DMZ system, for all organizations. No means content scanning is disabled for all organizations on the system.
Name: This is a user-defined name for the content scanning activity, such as AV scan.
Server URL: This is the address of the ICAP server (anti-virus or DLP). The address must use the icap:// scheme, for example icap://scansrv:1344 (1344 is the standard ICAP port).
Server Type: Use the default setting of - Auto Detect - or select the type of Anti-Virus server from the list of supported types.
Server allows "204" responses: The default setting Yes allows faster scanning. In ICAP a 204 (No modifications needed) response lets the server report a clean result with headers only, instead of echoing the whole file back in the response body; the client signals that it accepts this with the Allow: 204 request header. Set this to No only if your ICAP server does not support 204 responses.
Maximum file size to scan: The default setting of 15 MB (recommended) means that uploaded files larger than 15 MB are not fully scanned. MOVEit DMZ does not exclude files larger than the selected size; it sends the first 15 MB of every file to the scanner. If no problem is found in that partial scan, the file is allowed into the DMZ filesystem. Be aware that malicious content located beyond the scanned portion of a large file is therefore not detected; weigh scan time against this exposure when choosing the limit. If you do not want a maximum size for file scanning, enter 0 for this option.
Server connection timeout: The default setting of 5 seconds means that if MOVEit DMZ cannot establish a connection with the scanning server within 5 seconds, a connection failure occurs. MOVEit DMZ will attempt to connect again until the maximum number of server connection tries is reached.
Server send timeout: The default setting of 30 seconds means that if MOVEit DMZ cannot send to the anti-virus server within 30 seconds, a connection failure occurs. MOVEit DMZ will attempt to connect again until the maximum number of server connection tries is reached.
Server receive timeout: The default setting of 30 seconds means that if MOVEit DMZ does not receive a response from the anti-virus server within 30 seconds, a connection failure occurs. MOVEit DMZ will attempt to connect again until the maximum number of server connection tries is reached.
Server connection tries: The default setting of 3 means that MOVEit DMZ will try up to 3 times to create the initial connection to the anti-virus server.
Change Content Scanning: After making any entries or changes, click this button to apply the changes.
Test Content Scanning: Tests the AV or DLP capability by sending a known harmless test file (EICAR.COM) to the ICAP server and ensuring that the file is marked as infected, or ensuring that the DLP server was contacted successfully. (To avoid problems with other AV packages that may be running on the system, the EICAR test file is stored encrypted.) Before testing, be sure to save any changes to the settings by clicking the Change Content Scanning button.
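The following is an added example, not MOVEit DMZ or scanner-vendor code, that shows what the settings above mean on the wire: an ICAP RESPMOD request (RFC 3507) carrying an uploaded file with the Allow: 204 header, truncation of the payload to a "maximum file size to scan" limit, and interpretation of the server's 204 (clean) versus 200 (content flagged) replies. The host name scansrv, the service path avscan, the X-Infection-Found and X-Virus-ID headers (a vendor convention used by several AV ICAP servers, not part of RFC 3507), and both server responses are constructed for illustration. A constructed marker stands in for the EICAR string so the file does not itself trip an anti-virus engine.

```python
"""Minimal ICAP RESPMOD exchange as a content scanner integration would use it.
Added example; not MOVEit DMZ or vendor code. Names and responses are constructed."""
import re

# Constructed stand-in for a detectable signature (the real EICAR string is
# deliberately not embedded here).
TEST_MARKER = b"<<CONSTRUCTED-TEST-SIGNATURE>>"


def build_respmod_request(host: str, port: int, service: str, payload: bytes,
                          max_scan_bytes: int, allow_204: bool = True) -> bytes:
    """Build an ICAP RESPMOD request that carries `payload` as an HTTP response body.

    Mirrors the "Maximum file size to scan" setting: only the first
    max_scan_bytes are sent (0 = no limit), so anything past the cap is
    never seen by the scanner.
    """
    body = payload if max_scan_bytes == 0 else payload[:max_scan_bytes]
    # Encapsulated HTTP response header the ICAP server will inspect (constructed).
    http_hdr = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    icap_lines = [
        f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0",
        f"Host: {host}:{port}",
        # Offsets are relative to the start of the encapsulated section.
        f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}",
    ]
    if allow_204:
        icap_lines.append("Allow: 204")  # we accept "no modification needed" replies
    head = ("\r\n".join(icap_lines) + "\r\n\r\n").encode()
    # ICAP bodies use HTTP chunked encoding: hex length, data, zero-length chunk.
    chunked = f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"
    return head + http_hdr + chunked


def parse_icap_response(raw: bytes) -> dict:
    """Classify an ICAP response.

    204 means the server has nothing to return (file clean). 200 means the
    server returned its own response; AV servers commonly name the threat in
    X-Virus-ID or X-Infection-Found (vendor convention, assumed here).
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"ICAP/1\.0 (\d{3})\b", lines[0])
    if not m:
        raise ValueError("not an ICAP status line: " + lines[0])
    status = int(m.group(1))
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status == 204:
        return {"status": 204, "verdict": "clean", "threat": None}
    if status == 200:
        threat = headers.get("x-virus-id")
        if threat is None and "x-infection-found" in headers:
            t = re.search(r"Threat=([^;]+)", headers["x-infection-found"])
            threat = t.group(1) if t else headers["x-infection-found"]
        return {"status": 200, "verdict": "infected" if threat else "modified",
                "threat": threat}
    return {"status": status, "verdict": "error", "threat": None}


def marker_dropped_by_cap(payload: bytes, max_scan_bytes: int) -> bool:
    """True if the payload contains the marker but the request sent to the
    scanner does not, i.e. the scan-size cap hid it from the scanner."""
    req = build_respmod_request("scansrv", 1344, "avscan", payload, max_scan_bytes)
    return TEST_MARKER in payload and TEST_MARKER not in req


# Constructed server replies: a clean verdict and a flagged one.
CLEAN_RESPONSE = (b"ICAP/1.0 204 No Content\r\n"
                  b"ISTag: \"constructed-defs-1\"\r\n"
                  b"Server: constructed-scanner/1.0\r\n\r\n")

INFECTED_RESPONSE = (b"ICAP/1.0 200 OK\r\n"
                     b"ISTag: \"constructed-defs-1\"\r\n"
                     b"X-Infection-Found: Type=0; Resolution=2; Threat=Test.Signature;\r\n"
                     b"X-Virus-ID: Test.Signature\r\n"
                     b"Encapsulated: res-hdr=0, null-body=26\r\n\r\n"
                     b"HTTP/1.1 403 Forbidden\r\n\r\n")

if __name__ == "__main__":
    cap = 15 * 1024 * 1024                     # the documented 15 MB default
    big = b"A" * cap + TEST_MARKER             # marker sits just past the cap
    print(parse_icap_response(CLEAN_RESPONSE))
    print(parse_icap_response(INFECTED_RESPONSE))
    print("marker hidden by 15 MB cap:", marker_dropped_by_cap(big, cap))
    print("marker hidden with no cap: ", marker_dropped_by_cap(big, 0))
```

Run stand-alone, the last two lines print True and False: with the default cap a marker placed after the first 15 MB never reaches the scanner, while a cap of 0 sends the whole file. A server that does not honour Allow: 204 answers 200 with the file echoed back, which is why disabling the 204 option costs bandwidth but not correctness.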
The following screen shows an example of the configuration for a Sophos ICAP AV scanner.
Logging
If a file was scanned, file detail pages will display the ICAP server information.
If a file fails the scan, the user who uploaded the file will see an error message at the top of the browser page.
Also, log file entries will report the user-configured name of the ICAP server used during the file upload. File records will also report the self-identification, version, and virus definition or DLP policy tag from the server.
Error codes 6100 through 6103 are used to report AV errors, which helps when filtering logs. If an upload fails due to content scanning, the corresponding log table records will contain the AV server name and, if possible, the name of the virus.
Error code numbers 0 and 6150 are used to report DLP policy violations, as follows:
Error number 0 for violations that have been allowed or quarantined
Error number 6150 for violations that have been blocked
Notifications
Notification macros for content scanning, if enabled, can report the scan results for both anti-virus (AV) and data loss prevention (DLP) scans.
AV and/or DLP information may be included in the following notifications:
New File Upload Notification
File Upload Confirmation
New Package
New Package Secure Attach
New Temp User Package (with password)
New Temp User Package (with password) Secure Attach
New Temp User Package (with password link)
New Temp User Package (with password link) Secure Attach
New Guest Package
New Guest Package Secure Attach
File Non-Delivery Receipt
File Upload List Notification
File Upload List Confirmation
File Not Downloaded List
File Delivery Receipt
Package Delivery Receipt
Package Download Receipt
Package Deleted By User
Package User Was Deleted
The standard templates for these notifications do not include the content scanning results. You can add the macros that report the scan results by creating custom notification templates. Custom notifications are set in an organization via Settings | Appearance | Notification | Custom.
Reporting
You can add a Content Scanning report which shows blocked content scanning violations. An example of a violation is a file that failed an anti-virus (AV) check or violated a data loss prevention (DLP) policy and was blocked. In this case, the report shows the name of the scanner, the file name, and the name of the virus (if known) or the policy. If you are logged in as an Organization administrator, the report shows violations for your organization. If you are logged in as a system administrator, the report can show multiple organizations.