Baekalfen / ICAP-avscan

Uploads a file to an ICAP server.
MIT License

Getting statuscode:418 #8

Closed sc06 closed 6 years ago

sc06 commented 6 years ago

I am using this ICAP client to scan the uploaded files. I receive the options as below:

```
ICAP/1.0 200 OK
Methods: REQMOD, RESPMOD
Options-TTL: *
Encapsulated: null-body=0
Max-Connections:
Preview: 30
Service: McAfee Web Gateway 7.7.2 build 25114
ISTag: "00000000-00000000-00000000"
Allow: 204
```

Then when I try to send a file, I get a 418 status code in response. Below is the request:

```
RESPMOD icap://.../RESPMOD ICAP/1.0
Host: ...
User-Agent: IT-Kartellet ICAP Client/1.1
Allow: 204
Preview: 30
Encapsulated: res-hdr=0, res-body=22

Content-Length: 52

1e
```

Could you please give me some pointers? Appreciate your help! Thanks

sc06 commented 6 years ago

An update on the above. I modified it like below:

```
RESPMOD icap://.../RESPMOD ICAP/1.0
Host: ...
X-Client-Abandon-Supported: 1
Preview: 12
X-Scan-Progress-Interval: 10
Allow: 204
Encapsulated: req-hdr=0, res-hdr=65, res-body=104

GET /C:\TestFiles\test1.txt HTTP/1.1
Host: icap.health.check

HTTP/1.1 200 OK
Content-Length: 12

c

314 0 0
```

Now I got a different error that is on the ICAP server side (CannotLoadAV). After that resolves I will try the scan again. Thanks!
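
The `Encapsulated` offsets in the two requests above can be recomputed from the byte lengths of the encapsulated HTTP header sections, as RFC 3507 defines them. The following Python code is an added example, not part of this thread or of ICAP-avscan's own code; the service URI, host name and file body in the demo call are constructed placeholders.

```python
# Added example: recompute ICAP "Encapsulated" offsets and assemble a RESPMOD preview.
CRLF = b"\r\n"

# Encapsulated HTTP header lines as posted in the second request of this thread.
REQ_LINES = [r"GET /C:\TestFiles\test1.txt HTTP/1.1", "Host: icap.health.check"]
RES_LINES = ["HTTP/1.1 200 OK", "Content-Length: 12"]

def http_block(lines):
    """Join header lines into one header section terminated by a blank line."""
    return CRLF.join(l.encode("ascii") for l in lines) + CRLF + CRLF

def encapsulated(req_hdr, res_hdr):
    """Offsets are byte positions counted from the end of the ICAP header."""
    parts, pos = [], 0
    if req_hdr:
        parts.append(f"req-hdr={pos}")
        pos += len(req_hdr)
    parts.append(f"res-hdr={pos}")
    pos += len(res_hdr)
    parts.append(f"res-body={pos}")
    return ", ".join(parts)

def preview_chunk(body, preview):
    """Chunk-encode the preview; '0; ieof' marks a body that fits entirely in it."""
    head = body[:preview]
    out = b""
    if head:
        out += f"{len(head):x}".encode("ascii") + CRLF + head + CRLF
    out += (b"0; ieof" if len(body) <= preview else b"0") + CRLF + CRLF
    return out

def build_respmod(service_uri, host, req_lines, res_lines, body, preview):
    """Assemble ICAP header, encapsulated HTTP headers and the preview chunk."""
    req_hdr = http_block(req_lines) if req_lines else b""
    res_hdr = http_block(res_lines)
    icap = [
        f"RESPMOD {service_uri} ICAP/1.0",
        f"Host: {host}",
        "Allow: 204",
        f"Preview: {preview}",
        f"Encapsulated: {encapsulated(req_hdr, res_hdr)}",
    ]
    return http_block(icap) + req_hdr + res_hdr + preview_chunk(body, preview)

if __name__ == "__main__":
    # Constructed placeholders: service URI, host and a 12-byte body.
    msg = build_respmod("icap://icap.example/RESPMOD", "icap.example",
                        REQ_LINES, RES_LINES, b"hello world\n", 12)
    print(msg.decode("ascii"))
```

Run against the header lines posted in the thread, `encapsulated()` reproduces both posted values: `res-hdr=0, res-body=22` for the first request, whose only encapsulated header is `Content-Length: 52`, and `req-hdr=0, res-hdr=65, res-body=104` for the second.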

Baekalfen commented 6 years ago

Ok, see if that resolves the issue. Otherwise, feel free to write again.

Just a quick comment. I'm not sure what the implications might be, but I don't think /C:\TestFiles\test1.txt is allowed because of the \ and : characters.

sc06 commented 6 years ago

Sorry for the late response. It is working fine now. I have a question and thought you could clear it up.

So we are planning on using this to clear the vulnerability on upload functionality, but I started to wonder why we are scanning the file using a service and not rejecting it using F5. With this approach (ICAP client call) we are already reading the file/allowing it to come in and then scanning it and rejecting it. Rather than doing this on every upload screen, why can't we let ICAP handle this at the F5 level? I understand that this approach is a reverse proxy approach where F5 takes care of content and blocks if malicious. I might be missing something where the ICAP client approach is more beneficial than the F5 way of doing it. Please clarify. Thanks in advance!

Baekalfen commented 6 years ago

I'm sorry, but I have no experience with F5. If you already have some other software which provides the same functionality, then it might be the better choice.