
Skyhigh Security

Dealing with a Missing Host Header

When the host header is missing from an ICAP request that Web Gateway receives, additional measures might be required to configure anti-malware scanning for this request.

NOTE: If you have only purchased a license for the Skyhigh Security scanning engine, the problem with the missing host header does not arise since this engine does not require the information that is provided by this header for scanning.

When a client of Web Gateway sends a request under the ICAP protocol, the host header can, in rare cases, be missing from this request.

A request with no host header can be sent, for example, in the REQMOD mode of ICAP communication. The GET line of this request then contains an empty URL: the URL consists only of the scheme entry for the HTTP protocol and nothing else, so it looks as follows: http://.

Importance of the host header

When the Gateway Anti-Malware engine is involved in the scanning process on Web Gateway, it requires a URL to perform behavioral scanning as part of its scanning activities. The URL is used in the scanning, for example, to retrieve reputation scores and category information from the Global Threat Intelligence system.

The URL is assembled on Web Gateway from several sources, one of which is the host header in a request. It is then made available to the Gateway Anti-Malware engine. The URL cannot be assembled and made available, however, without retrieving information from the host header.

A missing host header therefore leads to an error in the scanning process when the Gateway Anti-Malware engine is involved in the usual way. Under the default rules, this error results in blocking the request, which means that it is not forwarded to the requested destination. The error is logged in the mwg-antimalware log.

Combined use of anti-malware engines

For scanning web traffic, the Gateway Anti-Malware engine relies in part on another scanning engine, known as the Skyhigh Security engine. A reduced range of scanning activities can also be performed by the Skyhigh Security engine alone, but only the combined use of the two engines ensures the anti-malware protection that we recommend.

Whether both engines are available on Web Gateway depends on whether you have purchased a license for the Gateway Anti-Malware engine, which also covers use of the Skyhigh Security engine, or a license for the Skyhigh Security engine only.

Solving the host header problem

There are several ways to solve the problem when a host header is missing from an ICAP request.

  • Configure the ICAP client to send a host header.

    This solution is not applied on Web Gateway, but on the client system that sent the incomplete request. The request might have been sent without a host header due to an error within the client configuration.

    For more information, refer to documentation that explains the ICAP protocol.
  • Create rules for anti-malware filtering with full and reduced use of the Gateway Anti-Malware engine.

    You can perform scanning with reduced use of the Gateway Anti-Malware engine, which does not require processing information from a host header.

    The rule set for anti-malware filtering then includes a rule for scanning with full use of the engine (for requests that carry a host header) and a rule for scanning with reduced use (for requests that have none); see Rules for making full or reduced use of the Gateway Anti-Malware engine.

  • Create a rule that adds a host header.

You can add a rule that sets a value for the host header and place it before the rule that controls anti-malware scanning. When the scanning rule is then executed, the rule engine finds the host header value, and scanning can be performed with full use of the Gateway Anti-Malware engine.

The rule provides the host header value using an event that sets the URL.Host property. If you know that requests are usually received from a particular host, you can set the property to the value for this host.

If you do not know such a host, you can set the property to a dummy value. Setting the property in this way is sufficient for letting the scanning process make full use of the Gateway Anti-Malware engine.

Inappropriate host information can, however, have an impact on the anti-malware filtering results, which might include an increased number of false positives.

For more information about the rule, see Rule for adding a host header.

Rules for making full or reduced use of the Gateway Anti-Malware engine

The following are sample rules for performing anti-malware filtering with full or reduced use of the Gateway Anti-Malware engine, depending on whether a host header is sent with a request or missing from it.

NOTE: When creating these rules, you can use the rule Block if virus was found in the default Gateway Anti-Malware rule set as a starting point. After creating and enabling these rules, the default rule must be deleted.

The first rule blocks a request that includes a host header if scanning the request results in detecting an infection by a virus or other malware.

When the rule engine processes the rule, it calls the Anti-Malware module to provide a value for the AV.Infected property. The module runs with default settings, which means full use of the Gateway Anti-Malware engine is made in the scanning process that is performed to provide the property value.

Name: Scan with full use of the Gateway Anti-Malware engine
Criteria: URL.Host does not equal "" AND AV.Infected<Default> equals true
Action: Block<Virus Found>
Event: Statistics.Counter.Increment("BlockedByAntiMalware", 1)<Default>

The second rule blocks a request that does not include a host header if scanning the request results in detecting an infection by a virus or other malware.

When the rule engine processes the rule, it calls the Anti-Malware module to provide a value for the AV.Infected property. The module does not run with default settings, but with new settings that let the scanning process be performed with reduced use of the Gateway Anti-Malware engine.

The new settings differ from the default settings in that the option Enable mobile code scanning is disabled.

Name: Scan with reduced use of the Gateway Anti-Malware engine
Criteria: URL.Host equals "" AND AV.Infected<Reduced use of Gateway Anti-Malware engine> equals true
Action: Block<Virus Found>
Event: Statistics.Counter.Increment("BlockedByAntiMalware", 1)<Default>

Rule for adding a host header

The following is a sample rule for adding a host header to an ICAP request that was sent with this header missing.

Name: Add a host header
Criteria: URL.Host equals ""
Action: Continue
Event: Set URL.Host = <value for host that request was sent from>
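The following Python model walks through the whole situation described on this page: an ICAP REQMOD request whose embedded GET carries the empty URL http://, the derivation of URL.Host from the request URL and the host header, and the three ways of handling it (the default rule that errors and blocks, the full/reduced rule pair, and the Add a host header rule placed first). It is an added example and not Web Gateway code or a Skyhigh Security API; the ICAP messages, the gateway.example.test service URI, SIMULATED_INFECTED_PATHS, the simulated Anti-Malware module and the host value dummy.example.test are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlsplit

SIMULATED_INFECTED_PATHS = {"/downloads/payload.exe"}   # constructed infection signal for the example

def build_reqmod(url: str, host: Optional[str] = None) -> str:
    """ICAP REQMOD request around a bodyless GET; passing `host` is the client-side fix (send a Host header)."""
    http = f"GET {url} HTTP/1.1\r\n"
    if host is not None:
        http += f"Host: {host}\r\n"
    http += "\r\n"
    icap = ("REQMOD icap://gateway.example.test/reqmod ICAP/1.0\r\n"   # constructed service URI
            "Host: gateway.example.test\r\n"
            f"Encapsulated: req-hdr=0, null-body={len(http)}\r\n\r\n")  # header block at offset 0, no body
    return icap + http

def parse_reqmod(raw: str) -> dict:
    """Split the ICAP envelope from the encapsulated HTTP request; return method, url and headers."""
    lines = raw.partition("\r\n\r\n")[2].split("\r\n\r\n", 1)[0].split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": url, "headers": headers}

def derive_url_host(req: dict) -> str:
    """URL.Host: taken from the request URL, else from the Host header; "http://" with no Host header gives ""."""
    authority = urlsplit(req["url"]).netloc or req["headers"].get("host", "")
    return authority.split(":")[0]

@dataclass
class RuleContext:
    url_host: str
    url_path: str
    counters: Counter = field(default_factory=Counter)
    scan_settings: Optional[str] = None   # Anti-Malware settings that actually ran, for inspection

def av_infected(ctx: RuleContext, settings: str) -> bool:
    """Simulated Anti-Malware module; "Default" (full engine use) needs URL.Host to assemble the URL, "Reduced" does not."""
    if settings == "Default" and ctx.url_host == "":
        raise RuntimeError("cannot assemble URL for behavioral scanning: URL.Host is empty")
    ctx.scan_settings = settings
    return ctx.url_path in SIMULATED_INFECTED_PATHS

@dataclass
class Rule:
    name: str
    criteria: Callable[[RuleContext], bool]
    action: str                                       # "Block" or "Continue"
    event: Optional[Callable[[RuleContext], None]] = None

def blocked_by_anti_malware(ctx: RuleContext) -> None:
    """The event Statistics.Counter.Increment("BlockedByAntiMalware", 1)."""
    ctx.counters.update(["BlockedByAntiMalware"])

def anti_malware_rules(add_host_value: Optional[str] = None) -> list:
    """The page's sample rules in processing order; `and` short-circuits like the rule criteria,
    so each scanner configuration only runs in the host situation it is meant for."""
    rules = []
    if add_host_value is not None:                    # "Add a host header" goes before the scan rules
        rules.append(Rule("Add a host header", lambda c: c.url_host == "", "Continue",
                          lambda c: setattr(c, "url_host", add_host_value)))
    rules.append(Rule("Scan with full use of the Gateway Anti-Malware engine",
                      lambda c: c.url_host != "" and av_infected(c, "Default"),
                      "Block", blocked_by_anti_malware))
    rules.append(Rule("Scan with reduced use of the Gateway Anti-Malware engine",
                      lambda c: c.url_host == "" and av_infected(c, "Reduced"),
                      "Block", blocked_by_anti_malware))
    return rules

def default_rules() -> list:
    """Only the default "Block if virus was found" rule: full engine use with no host check."""
    return [Rule("Block if virus was found", lambda c: av_infected(c, "Default"),
                 "Block", blocked_by_anti_malware)]

def process(raw_icap: str, rules: list) -> tuple:
    """Run the rules top to bottom on one ICAP request; return (verdict, reason, context)."""
    req = parse_reqmod(raw_icap)
    ctx = RuleContext(url_host=derive_url_host(req), url_path=urlsplit(req["url"]).path)
    for rule in rules:
        try:
            matched = rule.criteria(ctx)
        except RuntimeError as err:                   # logged to mwg-antimalware, request is blocked
            return "Block", f"{rule.name}: scan error ({err})", ctx
        if matched:
            if rule.event:
                rule.event(ctx)
            if rule.action == "Block":
                return "Block", rule.name, ctx
    return "Allow", "no rule matched", ctx

if __name__ == "__main__":
    no_host = build_reqmod("http://")                 # the empty URL from the page
    for rules in (default_rules(), anti_malware_rules(), anti_malware_rules("dummy.example.test")):
        print(process(no_host, rules)[:2])
```

Running the file prints the verdict for the empty-URL request under each of the three rule sets: the default rule alone blocks because the scan errors, the full/reduced pair scans it with the reduced settings, and with the Add a host header rule in front the full settings run again. The ordering of the criteria matters in the same way it does on Web Gateway: the URL.Host comparison comes first so that the Anti-Malware module is only asked for AV.Infected with settings that fit the request.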