Mike_Maher
Jan 23, 2013

ASM and ICAP File Scanning

I am looking to implement ICAP file scanning for one of my applications that runs through ASM. I am curious if anyone has any experience with this, and if you could tell me if there are any performance hits in the application or ASM for this. Also, I assume that the file is held on the ASM while it is waiting for a response from the AV server; does it keep anything after the response, and are there any thoughts I should be putting into storage on the ASM? As well as any other gotchas I may need to take into consideration.

 

 

Thanks

 

Mike

 

7 Replies

  • Hi,

     

    we are using it for file uploads. Here it seems to work fine.

     

    You are running 11.x? Do you want to use it for an application or a web service?

     

    There is a (in my opinion) big bug, described in SOL12984. So, the maximum file size for ASM and ICAP can be 20mb. Bigger files are not sent to the ICAP server.

     

    Another bug is 346498.

     

    You need 100% reachability of your ICAP server. If it isn't reachable, the files will be blocked and you get an alert about virus detection.

     

    The only performance hit I know of is the increasing memory allocation of your ASM. The complete request will be held back until you get a response. Bigger files need more memory.

     

    That's the reason for the 20mb limit, I think. So storage isn't a problem, it's the RAM. If you don't have enough memory, your ASM will run out of memory. This results in swapping or can result in big troubles :-(

     

    I don't believe files are kept in the system after the response. The ASM doesn't save files. It's like any other request. The full request will be sent to the ICAP server.

     

     

    regards
  • Torti,

     

    Thanks for the information, this is what I was looking for. First, to answer your question, it is an application.

     

    So I want to make sure I am reading this right: based upon what you are saying and the SOL you referenced, if I send a file that is say 21mb it will not get scanned but the file will still get sent to the back end server? So basically this is a way to bypass the protection by essentially overrunning the buffer, for lack of better words.
  • If you disable the Blocking Setting 'Request length exceeds defined buffer size', it is possible to bypass the virus scanning functionality (ICAP). If you don't disable it, 20mb is the maximum request size and bigger requests will be blocked. If you need to allow files bigger than 20mb, you have to do virus scanning another way and not with the ASM.

     

    I.e. you could do it on the backend system.

     

    regards
  • Very good, that is what I wanted to hear. I want to make sure that bigger files get blocked. Thanks for all the information, it has been very helpful.
  • Forgive my impudence, but I'm a complete F5 NOOB. Can anyone explain what they needed to do to get F5 to forward to an ICAP server? I've tried the methods in their documentation--I must be missing SOMETHING.

     

     

    Thanks in advance...
  • Carl,

     

    So there are basically 3 things you need to do.

     

     

    1. Go into Application Security > Options > AV Protection and set the name and IP of the ICAP server you are using

     

     

    2. Make sure you have your variables set correctly in Application Security > Advanced Config > System Variables

     

     

    3. Go into the policy you want to use AV scanning on and go into Policy > AV Scanning and check the box to enable in that policy

     

     

    If you have all these set up, then once the ASM sees a file transfer it should send. If you have all these and it is still not working, I would check the /var/log/asm log for errors of any sort.