Using an ICAP scanner with MOVEit Transfer
Technical top tips for MOVEit MFT
Content scanning causes a degree of nervousness among MOVEit administrators, but the mechanism is straightforward. MOVEit passes each file to an Anti-Virus (AV) or Data Loss Prevention (DLP) engine using the ICAP protocol. The engine checks the file content and responds to MOVEit, which in turn allows or blocks the file accordingly.
Let’s break that down into its various steps and look at each in turn.
Antivirus (AV) / Data Loss Prevention (DLP) Engine
These are totally separate from the MOVEit application and are generally used throughout an organisation by a variety of applications (web portals and email gateways mostly). MOVEit is certified to work with a number of these products; check the MOVEit Transfer documentation for the current list, as it may change between releases. In short, McAfee, Sophos and Symantec may be used for AV, and RSA or Symantec for DLP.
You can only have one content scanning engine active at a time, and none of the products certified as working with MOVEit provides both functions (at least not to MOVEit).
The default port for ICAP scanning is 1344, although you may use a different port if you wish. ICAP defines two scanning modes: request modification (REQMOD), in which the client hands the engine the request it is processing, here the uploaded file, and the engine may return a modified version (for example a redacted file) or a block message in its place; and response modification (RESPMOD), in which the engine is given a server's response instead. MOVEit operates strictly in REQMOD. In the normal case the engine answers with one of two ICAP status codes: 200 indicates that the engine has returned content in place of the original, i.e. the file was blocked or redacted, while 204 (no modifications needed) means that no rules were violated and the file may pass.
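To make the exchange above concrete, here is an added example (not MOVEit's or any scanner vendor's code) of the REQMOD round trip from the MFT side in Python: it wraps an uploaded file in an ICAP REQMOD request, parses the engine's reply, and maps 204 to allow, 200 to block and anything else to a scanner failure. The host names, the `reqmod` service path and the two sample engine responses are constructed for illustration; `X-Infection-Found` is an ICAP extension header that some engines add on a 200 and its exact format is vendor-specific.

```python
"""ICAP REQMOD exchange as seen from the MFT side.

Added example, not MOVEit's or any scanner vendor's code. Host names, the
service path and the two sample engine responses are constructed.
"""
import socket

ICAP_DEFAULT_PORT = 1344


def build_reqmod_request(data: bytes, filename: str,
                         icap_host: str = "scanner.example.internal",
                         icap_port: int = ICAP_DEFAULT_PORT,
                         service: str = "reqmod") -> bytes:
    """Wrap an uploaded file in an ICAP REQMOD request.

    REQMOD hands the engine the client's request (the upload), so the file is
    encapsulated inside a synthetic HTTP POST. 'Allow: 204' tells the engine
    it may answer 204 for a clean file instead of echoing the body back.
    """
    http_hdr = (
        f"POST /upload/{filename} HTTP/1.1\r\n"
        # Assumed MFT host name; it only labels the encapsulated request.
        f"Host: mft.example.internal\r\n"
        f"Content-Length: {len(data)}\r\n"
        f"\r\n"
    ).encode()
    # ICAP bodies are chunked: <hex length>\r\n<data>\r\n then a zero chunk.
    body = f"{len(data):x}\r\n".encode() + data + b"\r\n0\r\n\r\n"
    icap_hdr = (
        f"REQMOD icap://{icap_host}:{icap_port}/{service} ICAP/1.0\r\n"
        f"Host: {icap_host}:{icap_port}\r\n"
        f"Allow: 204\r\n"
        # Byte offsets of the encapsulated parts, counted from the end of
        # the ICAP header block.
        f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n"
        f"\r\n"
    ).encode()
    return icap_hdr + http_hdr + body


def parse_icap_response(raw: bytes):
    """Return (status_code, headers) from an ICAP status line and header block.

    Raises ValueError when the bytes are not an ICAP response, so that a
    misconfigured endpoint (e.g. an HTTP server on port 1344) is never
    mistaken for a verdict.
    """
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers


def verdict(raw: bytes) -> str:
    """Turn the engine's answer into the gateway's decision.

    204 -> no rule violated, release the file.
    200 -> the engine returned its own content in place of the file: it was
           blocked, or redacted by a DLP engine. Treat as blocked.
    other (ICAP 4xx/5xx, truncated or non-ICAP data) -> scanner failure;
           fail closed rather than waving the file through.
    """
    try:
        code, _ = parse_icap_response(raw)
    except ValueError:
        return "error"
    return {204: "allow", 200: "block"}.get(code, "error")


def scan_file(data: bytes, filename: str, icap_host: str,
              icap_port: int = ICAP_DEFAULT_PORT, timeout: float = 30.0) -> str:
    """Send one file to a live ICAP engine and return allow/block/error.

    Only the ICAP header block is needed for the decision; a 200 answer's
    encapsulated body (block page or redacted file) is left unread here.
    """
    request = build_reqmod_request(data, filename, icap_host, icap_port)
    raw = b""
    try:
        with socket.create_connection((icap_host, icap_port), timeout=timeout) as s:
            s.sendall(request)
            while b"\r\n\r\n" not in raw:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return "error"
    return verdict(raw)


# Constructed sample answers, in the shape an AV engine produces.
CLEAN_RESPONSE = (
    b"ICAP/1.0 204 No Content\r\n"
    b'ISTag: "example-istag-0001"\r\n'
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

# X-Infection-Found is an ICAP extension header some engines add on a 200;
# its exact format is vendor-specific and assumed here.
BLOCKED_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b'ISTag: "example-istag-0001"\r\n'
    b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
    b"Encapsulated: res-hdr=0, res-body=71\r\n"
    b"\r\n"
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 7\r\n"
    b"\r\n"
    b"7\r\nblocked\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print(verdict(CLEAN_RESPONSE), verdict(BLOCKED_RESPONSE))
```

The one design point worth copying is in `verdict`: only an explicit 204 releases the file. A timeout, a connection refused, an ICAP 5xx or a non-ICAP answer all count as "error", so an outage of the scanner cannot silently turn into an unscanned transfer.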
AV and DLP
We are all familiar with AV software installed on our computers, so that needs no further explanation. DLP, however, perhaps needs a little more detail. Essentially, AV and DLP work the same way: a file is scanned for content. DLP is used to prevent certain information from leaving your company. You could, for example, define a credit card number pattern in the DLP engine. This would identify any string that matches, wherever it sits in a file. Depending on the ability of the engine, it could even spot a number that someone has hyphenated or padded out with spaces.
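To make "define a credit card number format" concrete, here is an added example, written in Python for this page and not the logic of any DLP product named above, of a pattern-plus-checksum rule: it finds candidate digit runs wherever they sit in the text, strips the separators a user might insert, confirms each candidate with the Luhn checksum to cut false positives, and shows both outcomes a REQMOD engine can return, a list of hits (block) or a redacted copy. The sample text is constructed; 4111 1111 1111 1111 is a well-known Luhn-valid test number. Real engines go further (keyword proximity, document type, fingerprinting), so treat this as the shape of a rule, not a product.

```python
"""A DLP-style rule for payment card numbers.

Added example, not MOVEit's or any DLP vendor's logic. The sample text is
constructed; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
"""
import re

# Candidate: 13-19 digits, each optionally followed by a space or hyphen,
# and not glued to further digits on either side.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; it rejects most order
    numbers, phone numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalise(candidate: str) -> str:
    """Strip the separators a user might insert to dodge a naive pattern."""
    return re.sub(r"[ -]", "", candidate)


def find_card_numbers(text: str) -> list:
    """Return the normalised card numbers found in text, wherever they sit."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = normalise(m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """What a DLP engine in REQMOD may do instead of blocking: mask all but
    the last four digits of each confirmed card number."""
    def _mask(m):
        digits = normalise(m.group())
        if luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return CARD_CANDIDATE.sub(_mask, text)


# Constructed sample file content. Line 1 holds long digit runs that are
# not card numbers; line 3 fails the checksum; line 4 is hyphenated to
# evade a pattern that only knows the 4-4-4-4 layout.
SAMPLE_TEXT = (
    "Invoice 2024-00017 for customer ref 0123456789.\n"
    "Paid with card 4111 1111 1111 1111 (exp 12/27).\n"
    "Backup card 4111-1111-1111-1112 was declined.\n"
    "Spread out to dodge the filter: 4-1-1-1-1-1-1-1-1-1-1-1-1-1-1-1\n"
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_TEXT))
    print(redact(SAMPLE_TEXT))
```

Run against the sample, the rule reports the card number twice (the plain and the hyphenated form both normalise to the same sixteen digits), ignores the invoice and customer reference numbers and the checksum-failing backup card, and the redacted copy keeps only the last four digits of each real number.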
The ICAP scanner definition is set up in the system organisation using the sysadmin account. You can reach it from the Settings menu.
Simply enter the path to your ICAP scanner and select the scanner type from the dropdown box. Save your changes before performing a test, which should detect the EICAR test file (a harmless standard string that every AV engine is expected to flag).
Once you have done this, you will need to log in as an Org Administrator and enable AV or DLP (or both, if your scanner supports it). In addition, you can set policies by user class to define what happens when a DLP-scanned file fails its check. You may, for instance, decide to quarantine the file rather than simply blocking it.
Finally, each file that gets passed to the scanner will have that information appended to its log record, for example:
One last piece of information: if you use custom notification templates, be aware that you may need to update some fields.