|
|
|
|
|
Trend Micro InterScan Web Security Virtual Appliance (IWSVA) supports the ICAP protocol. To integrate IWSVA as your antivirus engine for MOVEit Transfer, follow the guidelines in this section.
These settings need to be applied at IWSVA:
X-Infection-Found response header option must be enabled.infected_block_url_length to have a very short period (otherwise, the default is four hours). See Trend Micro documentation for details.After you configure Trend Micro IWSVA as a content scanner for MOVEit Transfer (SETTINGS > System > Content Scanning), use the Test Content Scanning feature to upload a test file with a generated virus.
Content Scanning Dialog (Test Content Scanning button shown)
Important! By default, Trend Micro IWSVA scanners are deployed to ignore already blocked URLs (files) that tested positive for a virus within a certain time window (usually, four hours). If you test successfully (by way of Test Content Scanning) twice during this configured time window, the first test will be logged as a virus and the next will be logged as a virus by MOVEit Transfer, but with no virus name (violation) indicated and the WebUI test results will indicate a fail.
The following Test Content Scanning result message demonstrates what happens when two tests are run within the time window defined by infected_block_url_length. The first loads the test virus successfully. The second reflects the blocked event from the scanner (because there is no violation identified).
First Test Content Scanning Results
|
Second Test Content Scanning Results (within IWSVA Block Time Interval)
|
If you run a test more than once and the previous virus test file URL (in this case to the generated virus test file) is recognized by IWSVA, the file will show up as a blocked virus in the MOVEit Transfer logs, but the named value for Violation will not be present. In otherwords, the scanner blocks the file upload completely and without repeating the scan. This is default behavior for Trend Micro IWSVA, which you can change by adjusting the infected_block_url_length to have a very short period. See Trend Micro documentation for details are as. The following excerpt (C:\MOVEitTransfer\web.log) shows how a file that is blocked by IWSVA looks like in the MOVEit Transfer debug logs.
Important! In order to see this output, MOVEit Transfer logging must be set to a Debug level.
Debug Log Output from a First Test Content Scanning Run
2019-01-04 17:00:28.1710b0 #33 z60: DoReadQuery: Returned non-empty recordset in 0 ms
2019-01-04 17:00:28.2110b0 #33 z50: CScan output: No filename given; using EICAR test string.
2019-01-04 17:00:28.2110b0 #33 z50: CScan output: ** AV Violation Detected!
2019-01-04 17:00:28.2110b0 #33 z50: CScan output: Violation=Eicar_test_file
2019-01-04 17:00:28.2110b0 #33 z50: CScan output: Engine=IWSVA 6.5-SP2_Build_Linux_1548 $Date: 11/04/2015 16:06:48 PM$
2019-01-04 17:00:28.2110b0 #33 z50: CScan output: ISTag=11.0-14.729.00-3.100.1027-1.0
Debug Log Output from a Second Test Content Scanning Run within the infected_block_url_length Time Window
2019-01-03 10:16:45.82 158 #15 z50: CScan output: No filename given; using EICAR test string.
2019-01-03 10:16:45.82 158 #15 z50: CScan output: ** AV Violation Detected!
2019-01-03 10:16:45.82 158 #15 z50: CScan output: Violation=
2019-01-03 10:16:45.82 158 #15 z50: CScan output: Engine=IWSVA 6.5-SP2_Build_Linux_1548 $Date: 11/04/2015 16:06:48 PM$
2019-01-03 10:16:45.82 158 #15 z50: CScan output: ISTag=11.0-14.727.00-3.100.1027-1.0