When the host header is missing from an ICAP request that is received on Secure Web Gateway, additional measures can be required to configure anti-malware scanning for this request.
NOTE: If you have only purchased a license for the Skyhigh Security scanning engine, the problem with the missing host header does not arise since this engine does not require the information that is provided by this header for scanning.
When a client of Secure Web Gateway sends a request under the ICAP protocol, the host header can be missing from this request. This occurs, however, very rarely.
A request with no host header can be sent, for example, in the reqmod mode of ICAP communication. The GET portion of this request contains an empty URL, which means that the URL consists only of the scheme of the HTTP request that is embedded in the ICAP request. The URL then looks as follows: http://
Importance of the host header
When the Gateway Anti-Malware engine is involved in the scanning process on Secure Web Gateway, it requires a URL to perform behavioral scanning as part of its scanning activities. The URL is used in the scanning, for example, to retrieve reputation scores and category information from the Global Threat Intelligence system.
The URL is assembled on Secure Web Gateway from several sources, one of which is the host header in a request. It is then made available to the Gateway Anti-Malware engine. The URL cannot be assembled and made available, however, without retrieving information from the host header.
A missing host header therefore leads to an error in the scanning process when the Gateway Anti-Malware engine is involved in the usual way. Under the default rules, this error results in blocking the request, which means that it is not forwarded to the requested destination. The error is logged in the mwg-antimalware log.
Combined use of anti-malware engines
For scanning web traffic, the Gateway Anti-Malware engine relies in part on another scanning engine, the Skyhigh Security engine. A reduced range of scanning activities can also be performed by the Skyhigh Security engine alone, but only the combined use of the two engines ensures the anti-malware protection that we recommend.
Whether both engines are available on Secure Web Gateway depends on whether you have purchased a license for the Gateway Anti-Malware engine, which also covers use of the Skyhigh Security engine, or a license for the Skyhigh Security engine only.
Solving the host header problem
There are several ways to solve the problem when a host header is missing from an ICAP request.
- Configure the ICAP client to send a host header.
This solution is not applied on Secure Web Gateway, but on the client system that sent the incomplete request. The request might have been sent without a host header due to an error within the client configuration.
For more information, refer to documentation that explains the ICAP protocol.
- Create rules for anti-malware filtering with full and reduced use of the Gateway Anti-Malware engine.
You can perform scanning with a reduced use of the Gateway Anti-Malware engine that does not require the processing of information from a host header.
The rule set for anti-malware filtering then includes:
- A rule for performing the default scanning process with full use of the Gateway Anti-Malware engine if a request includes a host header
- A rule for performing a scanning process with reduced use of the Gateway Anti-Malware engine if a request does not include a host header
For more information about these two rules, see Rules for making full or reduced use of the Gateway Anti-Malware engine.
- Create a rule that adds a host header.
You can add a rule that sets a value for the host header and place it before the rule that controls anti-malware scanning. When this second rule is executed, the rule engine finds the host header value and scanning can be performed with full use of the Gateway Anti-Malware engine.
The rule provides the host header value using an event that sets the URL.Host property. If you know that requests are usually received from a particular host, you can set the property to the value for this host.
If you do not know such a host, you can set the property to a dummy value. Setting the property in this way is sufficient for letting the scanning process make full use of the Gateway Anti-Malware engine.
Inappropriate host information can, however, have an impact on the anti-malware filtering results, which might include an increased number of false positives.
For more information about the rule, see Rule for adding a host header.
Rules for making full or reduced use of the Gateway Anti-Malware engine
The following are sample rules for performing anti-malware filtering with full or reduced use of the Gateway Anti-Malware engine, depending on whether a host header is sent with a request or missing from it.
NOTE: When creating these rules, you can use the rule Block if virus was found in the default Gateway Anti-Malware rule set as a starting point. After creating and enabling these rules, the default rule must be deleted.
The first rule blocks a request that includes a host header if scanning the request results in detecting an infection by a virus or other malware.
When the rule engine processes the rule, it calls the Anti-Malware module to provide a value for the AV.Infected property. The module runs with default settings, which means full use of the Gateway Anti-Malware engine is made in the scanning process that is performed to provide the property value.
Name: Scan with full use of the Gateway Anti-Malware engine
Criteria: URL.Host does not equal "" AND AV.Infected<Default> equals true
Action: Block<Virus Found>
Event: Statistics.Counter.Increment("BlockedByAntiMalware", 1)<Default>
The second rule blocks a request that does not include a host header if scanning the request results in detecting an infection by a virus or other malware.
When the rule engine processes the rule, it calls the Anti-Malware module to provide a value for the AV.Infected property. The module does not run with default settings, but with new settings that let the scanning process be performed with reduced use of the Gateway Anti-Malware engine.
The new settings differ from the default settings in that the option Enable mobile code scanning is disabled.
Name: Scan with reduced use of the Gateway Anti-Malware engine
Criteria: URL.Host equals "" AND AV.Infected<Reduced use of Gateway Anti-Malware engine> equals true
Action: Block<Virus Found>
Event: Statistics.Counter.Increment("BlockedByAntiMalware", 1)<Default>
Rule for adding a host header
The following is a sample rule for adding a host header to an ICAP request that was sent with this header missing.
Name: Add a host header
Criteria: URL.Host equals ""
Action: Continue
Event: Set URL.Host = <value for host that request was sent from>
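The following added example is not part of the Skyhigh Security documentation or product. It parses a reqmod request of the kind described above, derives the equivalent of the URL.Host property from the encapsulated HTTP request (an empty URL http:// yields an empty host), and applies the same dispatch as the three sample rules: full scan when a host is known, a substitute host value if one is configured, otherwise the reduced settings. Host names and the ICAP messages are constructed for illustration.

```python
from urllib.parse import urlsplit

def encapsulated_req_hdr(icap_msg: bytes) -> bytes:
    """Return the req-hdr section of a REQMOD message via its Encapsulated offsets."""
    icap_hdr, _, body = icap_msg.partition(b"\r\n\r\n")
    enc = b""
    for line in icap_hdr.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"encapsulated":
            enc = value.strip()
    if not enc:
        raise ValueError("ICAP request has no Encapsulated header")
    offsets = dict(p.strip().split(b"=") for p in enc.split(b","))
    start = int(offsets.get(b"req-hdr", b"0"))
    # req-hdr ends where the next section (req-body or null-body) starts
    end = int(offsets.get(b"req-body", offsets.get(b"null-body", b"0")))
    return body[start:end]

def url_host(http_hdr: bytes) -> str:
    """Equivalent of URL.Host: host from the request-URI, else the Host header, else ""."""
    lines = http_hdr.split(b"\r\n")
    target = lines[0].partition(b" ")[2].rsplit(b" ", 1)[0].decode("latin-1")
    host = urlsplit(target).hostname or ""   # the empty URL "http://" has no host
    if not host:
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"host":
                host = value.strip().decode("latin-1")
    return host

def choose_scan(host: str, fallback_host: str = "") -> tuple:
    """Dispatch as the sample rules do: full scan when a host is known, a configured
    substitute host (Set URL.Host) if one is given, otherwise the reduced settings."""
    if host:
        return host, "full"
    if fallback_host:
        return fallback_host, "full"
    return "", "reduced"

# Constructed sample messages (not captured traffic): reqmod with an empty URL
HTTP_EMPTY = b"GET http:// HTTP/1.1\r\nUser-Agent: constructed-client\r\n\r\n"
ICAP_EMPTY = (b"REQMOD icap://swg.example.test/reqmod ICAP/1.0\r\n"
              b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(HTTP_EMPTY)
              + HTTP_EMPTY)
HTTP_OK = b"GET http://www.example.test/ HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
ICAP_OK = (b"REQMOD icap://swg.example.test/reqmod ICAP/1.0\r\n"
           b"Encapsulated: req-hdr=0, null-body=%d\r\n\r\n" % len(HTTP_OK) + HTTP_OK)
```

Running url_host over ICAP_EMPTY returns an empty string, which is the condition the second and third sample rules match on; a substitute host passed to choose_scan reproduces the effect of the Set URL.Host event.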