R_Marc
May 20, 2014

ASM ICAP integration with McAfee

I've set up my ASM policy to utilize ICAP to a McAfee appliance. That part seems to be working fine. My files are getting over to the McAfee appliance and I see hits there (38 to be specific) in the ICAP logs for Malware hits.

 

I do not see any blocks on the ASM logs, however. I'm not exactly sure how it would show up, but I would have thought under attack signature "Virus detected." I have no hits on that particular signature though.

 

I followed these instructions.

 

8 Replies

    • R_Marc
      Indeed. It's part of my default configuration (necessary for anything useful from ASM).
    • Philipp_Stadler
      Do the blocks work correctly? I have the same issue: malware is found on McAfee AV, but the request isn't really blocked or seen on the F5 side.
    • R_Marc
      The blocks do not work for me, no.
  • R_Marc

    Thank you very much. Worked as you noted, though I had to move it up to the top of the policies, not just add it.

    Now I see: Virus detected in ASM.

    R. Marc

    • Marvin
      Hi Philipp, do you have experience in configuring F5 ASM with McAfee VirusScan for Storage using ICAP? The thing is, requests are being sent from ASM towards the ICAP server (McAfee VirusScan for Storage), but the ICAP server responds with ICAP/1.0 400 Bad request. I used /REQMOD as the variable to send the requests, as stated in the documentation.
    • Marvin
      https://devcentral.f5.com/s/feed/0D51T00006i7dErSAI