Kaspersky Scan Engine and ICAP mode
5 March 2024
ID 192987
Internet Content Adaptation Protocol (ICAP) is the standard for communication between proxy servers and service providers. In ICAP mode, Kaspersky Scan Engine works with ICAP-compliant proxy servers. Kaspersky Scan Engine scans HTTP traffic that passes through a proxy server, and URLs requested by users.
In ICAP mode, Kaspersky Scan Engine consists of the kavicapd service, configuration files, and libraries, and has the following features:
- URL scan
Kaspersky Scan Engine allows you to scan URLs that users request from a proxy server. This function is available in both the request modification (REQMOD) mode and response modification (RESPMOD) mode of ICAP.
- HTTP traffic scan
Kaspersky Scan Engine allows you to scan incoming and outgoing HTTP traffic that passes through a proxy server. This function is available in both the request modification (REQMOD) mode and response modification (RESPMOD) mode of ICAP.
Scanning of multipart objects is supported.
- Support for the 204 No Content HTTP status code
The kavicapd service can be configured to reply with this status code if the message sent by a client does not require modification.
- Configuring the kavicapd service behavior with service rules
- Partial mode
In this mode, also known as Data Trickling, the ICAP plug-in scans files as a whole, then divides them into batches and sends the batched files to the user. The plug-in continues to scan files while it sends the first batches to the user. This function allows users to receive large scanned files quickly.
- Preview mode
In this mode, the ICAP client sends preview requests to the ICAP plug-in. The preview requests allow you to skip objects that the plug-in does not consider malicious.
- ISTag updates
The ISTag value in the Kaspersky Scan Engine ICAP response header is updated each time one of the following events occurs:
- Kaspersky Scan Engine is initialized.
- Kaspersky Scan Engine settings are changed.
- The anti-virus database is updated.
Keep-Alive connections
By default, Kaspersky Scan Engine supports Keep-Alive connections, so it can process multiple objects one after another over the same connection.
To open a Keep-Alive connection, an ICAP request has to contain the Connection field with the Keep-Alive value.
To close the connection, an ICAP request has to contain the Connection field with the close value.
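The 204 No Content, ISTag and Keep-Alive behavior described above can be seen from the client side in the following added example, which is not Kaspersky code: it builds a REQMOD request in the RFC 3507 wire format with the Allow: 204 and Connection fields, parses the response head, and flags an ISTag change. The host names, the service path passed to build_reqmod, and the ISTag values are constructed placeholders.

```python
# Added example. Host names, the service path and ISTag values are constructed.
CRLF = "\r\n"

def build_reqmod(icap_host, service, url_host, url_path, keep_alive=True):
    """Wrap a body-less HTTP GET in an ICAP REQMOD request (URL scan case)."""
    http_hdr = f"GET {url_path} HTTP/1.1{CRLF}Host: {url_host}{CRLF}{CRLF}"
    icap_hdr = CRLF.join([
        f"REQMOD icap://{icap_host}/{service} ICAP/1.0",
        f"Host: {icap_host}",
        "Allow: 204",  # client accepts 204 No Content for unmodified messages
        f"Connection: {'Keep-Alive' if keep_alive else 'close'}",
        # Offsets are relative to the start of the encapsulated section;
        # null-body marks where a body would begin if there were one.
        f"Encapsulated: req-hdr=0, null-body={len(http_hdr.encode('ascii'))}",
    ]) + CRLF + CRLF
    return (icap_hdr + http_hdr).encode("ascii")

def parse_icap_head(raw):
    """Return (status_code, headers) from the ICAP response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    status_line, *lines = head.split(CRLF)
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0" or not parts[1].isdigit():
        raise ValueError(f"not an ICAP/1.0 status line: {status_line!r}")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

class IstagTracker:
    """Reports when the ISTag differs from the one seen previously."""
    def __init__(self):
        self.last = None

    def observe(self, headers):
        tag = headers.get("istag", "").strip('"')
        changed = self.last is not None and tag != self.last
        self.last = tag
        return changed

# Constructed sample responses (not captured from a real kavicapd service).
SAMPLE_A = (b'ICAP/1.0 204 No Content\r\nISTag: "constructed-0001"\r\n'
            b"Connection: Keep-Alive\r\nEncapsulated: null-body=0\r\n\r\n")
SAMPLE_B = SAMPLE_A.replace(b"0001", b"0002")
```

A changed ISTag tells the ICAP client that the engine was initialized, reconfigured, or received a database update, so results cached under the old tag may no longer be valid.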