Blue Coat Security First Steps Solution for Preventing Malware SGOS 6.5

Upload: trinhthuan

Post on 29-Apr-2018


Page 1: ProxySG First Steps: Preventing Malware - Symantec · theSensesettingsbuttontohavetheProxySGretrievetheappropriatesettingfromtheProxyAV.BlueCoat ... SelectAdvanced>Troubleshooting

Blue Coat Security First Steps

Solution for Preventing Malware

SGOS 6.5


Third Party Copyright Notices

© 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.

BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas:

Blue Coat Systems, Inc.

420 N. Mary Ave.

Sunnyvale, CA 94085

Rest of the World:

Blue Coat Systems International SARL

3a Route des Arsenaux

1700 Fribourg, Switzerland


Blue Coat Security First Steps

Contents

Third Party Copyright Notices 2

Solution: Prevent Malware 4

Add the ProxyAV for In-Path Threat Detection 4

Enable Malware Scanning 6

Configure ProxyAV Scan Settings 7

Test the Threat Protection Policy 8

Install the No Scan Policy for Infinite Streams 10

Monitor Malware and ICAP Scanning 11

Use the ProxyAV to Monitor Virus Scanning 11

Use Reporter to Report on Malware 12

Use the ProxySG to Monitor ICAP Scanning 13

ICAP Statistics 13

Active ICAP Sessions 14

Update the Malware Scanning Policy 15

Improve the User Experience 15

Configure Alert Notification 17

Malware Prevention Troubleshooting 20

Why did the ICAP health check fail? 20

Why is the ProxyAV not scanning web traffic? 20

Why isn't my ProxyAV getting virus updates? 20

ProxySG runs out of memory during heavy traffic load 21

Why are users complaining about delays in Web browsing? 22

Why can't users access any websites? 22

What is causing a 500-ICAP Communication Error? 23

How do I send sysinfo to Support? 24


Preventing Malware

Solution: Prevent Malware

This solution assumes that you are using a ProxyAV in conjunction with a ProxySG for malware prevention, and that both devices have been installed, configured, and licensed.

These are the basic steps you need to perform for a malware prevention solution:

1. Add the ProxyAV for In-Path Threat Detection.

2. Enable Malware Scanning.

3. Configure ProxyAV Scan Settings.

4. Test the Threat Protection Policy.

5. Install the No Scan Policy for Infinite Streams.

6. Monitor Malware and ICAP Scanning.

7. Update the Malware Scanning Policy.

8. (Optional) Improve the User Experience.

9. (Optional) Configure Alert Notification.

Add the ProxyAV for In-Path Threat Detection

When you add a ProxyAV to the ProxySG, an ICAP service is automatically created. The first ProxyAV configured takes the service name proxyav1 and is a member of the proxyav service group. Each ProxyAV that you subsequently add is automatically listed as a member of the service group proxyav and is set to perform response modification.

1. Log in to the ProxySG Management Console.

2. Select Configuration > Threat Protection > Malware Scanning.

3. Select New. The Add ProxyAV Appliance dialog displays.


4. Enter the host name or IP address of the ProxyAV. Only an IPv4 address is accepted.

5. Choose the connection mode(s) and ports. The default is plain ICAP on port 1344.

6. Click OK to save your changes and exit the open dialog.

You now have a proxyav1 service that is automatically created to perform response modification.

7. Click Perform health check to verify that the ProxyAV is accessible. The health check result is displayed immediately.

At this point, the ProxyAV and ProxySG are configured to communicate with one another. To verify that the two appliances are communicating, look at the ICAP service health check on the ProxySG.

8. Select Statistics > Health Checks.


9. For the icap.proxyav1 service, look at the State. If the appliances are communicating, the State looks like this:

If the appliances aren’t communicating, the State looks like this:

Tip: If the ICAP health check failed, see Why did the ICAP health check fail? to troubleshoot the problem.

Next Step: Enable Malware Scanning

Enable Malware Scanning

To implement the built-in threat protection policy on the ProxySG, you need to enable malware scanning.

1. Log in to the ProxySG Management Console.

2. Select Configuration > Threat Protection > Malware Scanning.

3. Select the Enable malware scanning check box.

4. Locate the options at the bottom of the Malware Scanning screen.

5. For Protection level, select Maximum protection.

6. Leave the other options at their default settings.

7. Click Apply.


Note: The alternative protection level, high performance, is designed to ensure quick response times for enterprise users. File types that are deemed to be low risk, such as certain image types, are not scanned when the protection level is set to high performance. Note that Blue Coat recommends using the maximum protection option for highest security.

Next Step: Configure ProxyAV Scan Settings

Configure ProxyAV Scan Settings

The ProxyAV Management Console provides several options for controlling scan settings and behavior, such as the action to take when a scanning timeout or error occurs.

1. Log in to the ProxyAV Management Console.

2. Select Antivirus and click the Scanning Behavior link.

3. Verify that the Heuristic Parameters option is enabled.

When the Heuristic Parameters option is enabled, the AV appliance learns about traffic patterns on your network and adjusts accordingly to increase performance. After an initial learning period, the ProxyAV should be able to accelerate about 15 to 30 percent of the network's traffic. The learning process restarts whenever a new virus pattern file or an updated scanning engine is downloaded.

4. Verify that the Extended options associated with detecting spyware/malware are enabled.

When the options are enabled, scanning stops after the first instance of a virus or spyware. When disabled,scanning stops only after the first instance of a virus is detected (spyware is disregarded).

5. Define how the ProxyAV behaves when a timeout or other scanning error occurs. The Policies for Antivirus exceptions define whether a file is served when the ProxyAV is unable to scan it. For example, they define whether a password-protected file, or a file that is too large to scan, is served to the user.


- block is the default for all options. If set to block, the ProxyAV responds with an ICAP 500 response to the ProxySG. In this case, the ProxySG appliance's response to the client varies depending on whether the ProxySG is configured to fail open or to fail closed. When the ProxySG is set to fail open, the unscanned content is served to the client unless a policy rule states otherwise. When the ProxyAV is set to block and the ProxySG is set to fail closed, the content will never be served to the client.

- If serve is selected, the ProxyAV responds with an ICAP 200/204 response to the ProxySG. In this case, the unscanned file is served to the client unless you have created a rule in policy that instructs the ProxySG to serve an exception page to the client.

6. Click Save Changes.

Next Step: Test the Threat Protection Policy

Test the Threat Protection Policy

Before proceeding with further configuration, test the basic deployment to verify the ProxyAV is scanning content and detecting malware based on your selections in configuration.

1. Log in to the ProxyAV Management Console.

2. To confirm that the ProxyAV is scanning files, look at the statistics on the ProxyAV home page. The Files Scanned value should increment as clients make Web requests. (The browser must be explicitly or transparently redirected to the ProxySG appliance.)

3. Verify that the ProxyAV is configured to log ICAP requests. (You will check the log history later to make sure the test worked.)

a. Select Advanced > Detailed stats > Requests history.

b. Make sure that the Collect last ___ requests field contains a value greater than 0 (zero).

c. Click Save Changes.

4. Log in to the ProxySGManagement Console.

5. Prepare the ProxySG for test validation by enabling access logging.

a. Select Configuration > Access Logging > General > Default Logging.

b. Enable the Enable Access Logging check box.

c. Click Apply.

6. Display the log, so that log entries can be viewed during testing.


a. Select Statistics > Access Logging > Log Tail.

b. Click Start Tail.

7. Request an “infected” test file.

Note: The file is not actually infected but has a virus signature that identifies it as infected for testing purposes.

a. Open a browser that is either explicitly or transparently redirected to the ProxySG.

b. Go to http://www.eicar.org.

c. Click the Anti-Malware Testfile link.

d. Read the information about the test files, and select one of the files to download (such as eicar.com).

A page should display indicating that the ProxyAV has detected a virus in the file, and that the file has been dropped.

8. Check the ProxySG access log.

a. Go to the ProxySG’s Access Log Tail window.

b. Verify that the access log entry for the eicar file contains an entry for virus detection.

2009-03-12 17:39:51 382 10.9.16.75 - - virus_detected PROXIED "none" http://www.eicar.org/anti_virus_test_file.htm 200 TCP_DENIED GET text/html;%20charset=%220%22 http www.eicar.org 80 /download/eicar.com.txt - txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" 10.9.16.76 1000 383 "EICAR test file"

9. Check the ProxyAV ICAP request history.

a. Go to the ProxyAV browser window.

b. Select Advanced > Detailed stats > Requests history.

c. Click Refresh Now.

d. Locate the request for the eicar file.


e. Verify that the Result field contains VIRUS.

10. Request the same "infected" test file and verify that the ProxySG does not send a previously-scanned object to the ProxyAV, since the response for the object is now in the ProxySG's cache.

a. Request the same “infected” test file.

b. Go to the ProxyAV Requests History window.

c. Click Refresh Now and verify that there is NOT a second request for the eicar file. (Since the response for the object was served from the ProxySG cache, it should not have been sent to the ProxyAV for scanning.)
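The access-log check in step 8 can be automated once the Log Tail output is saved to a file. The following Python script is an added example (it is not part of the Blue Coat guide): it parses lines in the layout of the virus_detected entry above, totals detections per client IP and per virus name, and flags any detection whose s-action is not TCP_DENIED. The field order is assumed to be the ProxySG default main log format, reconstructed from the sample entry, and the log lines are constructed.

```python
"""Summarise ProxyAV virus detections from ProxySG access-log lines.

Added example, not from the Blue Coat guide. ASSUMPTION: the field order in
MAIN_FIELDS is the ProxySG default "main" ELFF format, reconstructed from the
sample log entry in the guide. The sample lines are constructed.
"""
import shlex
from collections import Counter

MAIN_FIELDS = [
    "date", "time", "time-taken", "c-ip", "cs-username", "cs-auth-group",
    "x-exception-id", "sc-filter-result", "cs-categories", "cs(Referer)",
    "sc-status", "s-action", "cs-method", "rs(Content-Type)", "cs-uri-scheme",
    "cs-host", "cs-uri-port", "cs-uri-path", "cs-uri-query", "cs-uri-extension",
    "cs(User-Agent)", "s-ip", "sc-bytes", "cs-bytes", "x-virus-id",
]

# Constructed sample: an ELFF directive line, the guide's EICAR hit, a clean
# request, and a second client fetching the zipped EICAR file.
SAMPLE_LOG = """\
#Version: 1.0
2009-03-12 17:39:51 382 10.9.16.75 - - virus_detected PROXIED "none" http://www.eicar.org/anti_virus_test_file.htm 200 TCP_DENIED GET text/html;%20charset=%220%22 http www.eicar.org 80 /download/eicar.com.txt - txt "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)" 10.9.16.76 1000 383 "EICAR test file"
2009-03-12 17:40:02 120 10.9.16.75 - - - OBSERVED "none" - 200 TCP_NC_MISS GET text/html http www.example.com 80 / - - "Mozilla/4.0" 10.9.16.76 5120 400 -
2009-03-12 17:41:10 95 10.9.16.80 - - virus_detected PROXIED "none" - 200 TCP_DENIED GET application/zip http www.eicar.org 80 /download/eicar_com.zip - zip "Mozilla/4.0" 10.9.16.76 1000 390 "EICAR test file"
"""


def parse_line(line: str) -> dict:
    """Split one ELFF line into named fields, honouring double-quoted values
    (the User-Agent and the virus id both contain spaces)."""
    tokens = shlex.split(line)
    if len(tokens) != len(MAIN_FIELDS):
        raise ValueError(
            f"expected {len(MAIN_FIELDS)} fields, got {len(tokens)}: {line[:60]!r}")
    return dict(zip(MAIN_FIELDS, tokens))


def iter_records(log_text: str):
    """Yield parsed records, skipping blank lines and '#' directive lines."""
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        yield parse_line(line)


def summarise_detections(log_text: str) -> dict:
    """Count virus detections per client IP and per virus name, and list any
    detection the ProxySG did not deny (which would mean an infected object
    reached a client, for example through a fail-open policy)."""
    by_client, by_virus, urls, not_denied = Counter(), Counter(), [], []
    for rec in iter_records(log_text):
        if rec["x-exception-id"] != "virus_detected":
            continue
        url = f'{rec["cs-uri-scheme"]}://{rec["cs-host"]}{rec["cs-uri-path"]}'
        by_client[rec["c-ip"]] += 1
        by_virus[rec["x-virus-id"]] += 1
        urls.append(url)
        if rec["s-action"] != "TCP_DENIED":
            not_denied.append(url)
    return {"by_client": dict(by_client), "by_virus": dict(by_virus),
            "urls": urls, "not_denied": not_denied}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarise_detections(text)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it with the saved Log Tail file as the first argument; with no argument it runs over the constructed sample.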

Next Step: Install the No Scan Policy for Infinite Streams

Install the No Scan Policy for Infinite Streams

The default configuration of the ProxyAV triggers errors after a scanned file size exceeds 100 MB or after 800 seconds of scanning. While these settings are appropriate for other types of Web objects, they don't work for infinite streams such as Web cams and stock tickers. To conserve system resources and prevent scanning of infinite streams, you can create policy to serve a data stream if the error is Maximum file size exceeded or Scan timeout; other errors are denied. Blue Coat has written the CPL for this policy and you can download the file, customize it for your own needs, and install it on your ProxySG.

1. Copy the following CPL code into Notepad.

; edit the <resp_service> below to be the name of your ICAP respmod service name
<cache>
response.icap_service(<resp_service>, fail_open)
<proxy>
; serve the ICAP exception page unless the scan result is no error, max file size exceeded, or scan timeout
condition=!maxfilesizeexceeded_or_scantimeout_errors_or_none exception(icap_error)
define condition maxfilesizeexceeded_or_scantimeout_errors_or_none
icap_error_code=max_file_size_exceeded
icap_error_code=scan_timeout
icap_error_code=none
end condition maxfilesizeexceeded_or_scantimeout_errors_or_none


2. Customize the policy.

a. Save the file to your desktop or other convenient location.

b. Replace <resp_service> with the name of your ICAP response service (proxyav1).

c. Modify the policy to meet your requirements.

d. Save.

3. Log in to the ProxySG Management Console.

4. Install the policy file.

a. Select Configuration > Policy > Policy Files.

b. From the Install Local File from drop-down list, select Text Editor.

c. Click Install. A browser window displays the Edit and Install the Local Policy File page.

d. Open your CPL file and copy the text.

e. Return to the Edit and Install the Local Policy File page, and paste the contents of the file at the end of the local policy file on your ProxySG.

f. Click Install. A dialog displays, informing you whether the installation was successful. If necessary, correct any errors in the file and re-install it.

Next Step: Monitor Malware and ICAP Scanning

Monitor Malware and ICAP Scanning

Use the ProxyAV Management Console to find out details about viruses that it discovers and blocks, and use Blue Coat Reporter to view malware detail and summary reports. For monitoring the ICAP scanning process, use the ProxySG Management Console.

Use the ProxyAV to Monitor Virus Scanning 11

Use Reporter to Report on Malware 12

Use the ProxySG to Monitor ICAP Scanning 13

Use the ProxyAV to Monitor Virus Scanning

The ProxyAV tracks historical and current statistics on scanned objects and found viruses. In the ProxyAV Management Console, you can get the following questions answered:

- How many viruses has the ProxyAV blocked?

- What was the URL of the virus that was blocked?

- When was the virus blocked?


1. Log in to the ProxyAV Management Console.

2. How many viruses has the ProxyAV blocked?

To answer this question, view the Home page. It shows statistics about the number of files scanned and number of viruses caught. These statistics are accumulated since the last reboot of the appliance or the last reset of counters.

3. What was the URL of the virus that was blocked? When was the virus blocked?

To answer these questions, look at the Requests History.

a. Select Advanced > Detailed stats.

b. Select Requests History.

c. In the Number of requests field, enter the number (0-1000) of requests to display in the list.

d. Click Save Changes.

e. Click Refresh Now to obtain the most current data about processed requests.

Next Step: Use Reporter to Report on Malware

Use Reporter to Report on Malware

For those using Blue Coat Reporter 9.x for their reporting needs, there are a number of malware reports available.


Report Title and Description

Malware Requests Blocked by Site
    Lists all URLs that were blocked because of suspected malware presence.

Potential Malware Infected Clients
    Lists all client IP addresses that might be infected by malicious content. This data is derived from the URLs requested by each client.

Potential Threats
    Combines potential threats to the network into a single report. The combined data includes threat categories detected by Blue Coat Web Filter content filtering and positive virus identifications detected by ProxyAV malware scanning.

ProxyAV Malware Detected: Client IP
    Lists each instance of malware encountered during employee Web browsing, based on the client IP address that browsed the URL.

ProxyAV Malware Detected: Names
    Lists the name of each malware code encountered during employee Web browsing.

ProxyAV Malware Detected: Sites
    Lists all URLs that were detected as suspected malware sources.

Trend of Potential Threats
    Displays a summation of threat data sorted by each day in the database. The graph displays the total threats detected by Blue Coat Web Filter (content filtering) and ProxyAV (malware scanning).

Next Step: Use the ProxySG to Monitor ICAP Scanning

Use the ProxySG to Monitor ICAP Scanning

The ProxySG itself does not have details about malware the ProxyAV finds, but it does offer comprehensive graphs and reports about connections it sends to the ProxyAV for malware scanning. You can view these reports to monitor and troubleshoot the scanning process. For details on malware, use reports on the ProxyAV or Blue Coat Reporter.

ICAP Statistics

The ProxySG can display a variety of ICAP statistics in bar chart form as well as in a statistical table.

1. Log in to the ProxySG Management Console.

2. Select Statistics > ICAP.


3. Select the type of graph.

Active Requests — Plain, secure, deferred, and queued active ICAP transactions (sampled once per minute)

Connections — Plain and secure ICAP connections (sampled once per minute)

Completed Requests — Successful and failed completed ICAP transactions

Bytes — Bytes sent to the ICAP service and received from the ICAP service

Each statistic displays as a different color on the stacked bar graph. By default, all relevant statistics are displayed.

Active ICAP Sessions

By default, the Active Sessions screen displays all active sessions. When analyzing ICAP functionality, it's helpful to filter the list to display only ICAP-enabled sessions.

1. Select Statistics > Sessions > Active Sessions > Proxied Sessions.

2. Select ICAP on the Filter drop-down list.

3. Click Show. The Proxied Sessions table displays the ICAP-enabled sessions.


Next Step: Update the Malware Scanning Policy

Update the Malware Scanning Policy

Blue Coat has the ability to update the malware scanning policy without requiring you to upgrade your SG operating system. You should check for updates on a regular basis. The malware policy updates are independent of SGOS upgrades.

Updates to the threat protection solution are available as a gzipped tar archive file which can be downloaded to a local Web server in your network or installed directly on the ProxySG.

1. Select Configuration > Threat Protection > Malware Scanning.

2. Click Update malware scanning policy. The Install Malware Scanning Policy dialog displays.

3. (Optional) Enter the Installation URL. By default, the URL is: https://bto.bluecoat.com/download/modules/security/SGv6/threatprotection.tar.gz

If you have downloaded the malware scanning policy to a local Web server, add the URL for the local Web server in this field.

4. Click Install.

5. (Optional) Click View to view the contents of the updated malware scanning policy file. Note: The policy cannot be edited.

6. Click OK to save your changes and exit.

Next Step: Improve the User Experience

Improve the User Experience

To avoid having users abort and reinitiate their Web requests due to scanning delays and to prevent connection timeouts, Blue Coat recommends that you enable data trickling for HTTP/HTTPS connections and use patience pages for FTP connections.

Data Trickling for HTTP/HTTPS

Scanning large objects, scanning objects over a smaller bandwidth pipe, or high loads on servers might disrupt the user experience because connection timeouts occur. To prevent such timeouts, you can allow data trickling to occur. In trickle-at-end mode, the ProxySG sends the response to the client at the best speed allowed by the connection, except for the last 16 KB of data, which is trickled to the client at a very slow rate.

1. Log in to the ProxySG Management Console.

2. Enable data trickling for interactive (browser-based) traffic:

a. Select Configuration > External Services > ICAP > ICAP Feedback.

b. In the ICAP Feedback for Interactive Traffic section, select Provide feedback.

c. Select Trickle object data at end.

3. Enable data trickling for non-interactive traffic:

a. In the ICAP Feedback for Non-Interactive Traffic section, select Provide feedback.

b. Select Trickle object data at end.

4. Click Apply.

Patience Pages for FTP

To avoid connection timeouts when large files are downloaded over native FTP and then sent to the ProxyAV for scanning, you can have the ProxySG send a patience page to the FTP client. Patience pages are HTML pages displayed to the user if an ICAP content scan exceeds the specified duration. For example, the HTML page can display an informative message, such as:

The content of the page you requested is currently being scanned. Please be patient...

You can configure the content of these pages to include a custom message and a help link. Patience pages refresh every five seconds and disappear when object scanning is complete.

1. Log in to the ProxySG Management Console.

2. Launch the Visual Policy Manager (VPM).

3. In the Web Access layer, add the following rule:

Service: Service Name=FTP

Action: Return ICAP Feedback > Provide feedback > Return patience page

4. Install the policy.

Next Step: Configure Alert Notification

Configure Alert Notification

The ProxySG and the ProxyAV can notify network administrators about detected viruses. Because the ProxyAV has options for notifying administrators about blocked and unscanned files, in addition to detected viruses, this section focuses on configuring notification on the ProxyAV.

This topic focuses on configuring e-mail notification of viruses and blocked files. In addition to e-mail notification, you can enable logging and SNMP traps on the ProxyAV.

1. Log in to the ProxyAV Management Console.

2. Select the alerts for which you want e-mail notification, alert log entries, or SNMP traps sent.


a. Select Alerts. The Alerts table appears. By default, all alerts are enabled for e-mail and logging.

b. Enable/disable alerts as desired.

c. Click Save Changes.


3. Configure email notification:

a. Select Alerts > Alert Settings.

b. In the Sender e-mail address field, enter the source mail address to use for alert e-mails. (This address will appear in the From field of the e-mail.) For example: [email protected]

c. In the Recipient e-mail address field, enter the addresses of the people who should receive the alert e-mails, with each address separated by a comma. For example: [email protected], [email protected], [email protected]

d. In the SMTP server address field, enter the IP address for the server.

e. If your server requires that POP authentication be used, select SMTP Authorization (POP-Before-SMTP) Enabled, and then enter the authentication information.

f. Click Save Changes.


Malware Prevention Troubleshooting

Why did the ICAP health check fail? 20

Why is the ProxyAV not scanning web traffic? 20

Why isn't my ProxyAV getting virus updates? 20

ProxySG runs out of memory during heavy traffic load 21

Why are users complaining about delays in Web browsing? 22

Why can't users access any websites? 22

What is causing a 500-ICAP Communication Error? 23

How do I send sysinfo to Support? 24

Why did the ICAP health check fail?

Problem: After adding the ProxyAV, the ICAP health check failed.

Resolution: Try the following if the ICAP health check failed:

- Go through the steps again in Add the ProxyAV for In-Path Threat Detection and verify that you have followed the configuration steps properly.

- Make sure the ProxySG and ProxyAV are on the same subnet.

- Verify that the ProxySG and ProxyAV have the same ICAP service ports. On the ProxyAV, go to ICAP Settings. On the ProxySG, go to Configuration > Threat Protection > Malware Scanning > Edit.

- Make sure the ProxyAV has a valid license.
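The health check and the port comparison above both reduce to one question: does something on the configured port answer an ICAP OPTIONS request and advertise RESPMOD? The following Python probe is an added example, not part of the Blue Coat guide, for checking that from any host on the ProxySG's subnet; the service path avscan, the minimal RFC 3507 request headers and the sample reply are assumptions, so set the path to whatever the ProxyAV's ICAP Settings page shows.

```python
"""Plain-ICAP OPTIONS probe for an anti-virus RESPMOD service.

Added example, not from the Blue Coat guide. ASSUMPTIONS: the service path
"avscan" (read the real one from the ProxyAV's ICAP Settings page), the
minimal RFC 3507 OPTIONS request below, and the default plain ICAP port 1344
named in the guide. SAMPLE_REPLY is a constructed response used when no
host is given.
"""
import socket
import sys

ICAP_PORT = 1344          # default plain ICAP port (as in the guide)
SERVICE_PATH = "avscan"   # ASSUMPTION: replace with the ProxyAV's service path


def build_options_request(host: str, service: str = SERVICE_PATH,
                          port: int = ICAP_PORT) -> bytes:
    """Build an RFC 3507 OPTIONS request for icap://host:port/service."""
    return (
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")


def parse_options_response(raw: bytes) -> dict:
    """Parse the ICAP status line and headers of an OPTIONS response.

    Raises ValueError when the peer is not speaking ICAP at all, which is what
    a port mismatch between the ProxySG service and the ProxyAV looks like.
    """
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response (no header terminator)")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    methods = [m.strip().upper() for m in headers.get("methods", "").split(",")
               if m.strip()]
    return {
        "status": int(parts[1]),
        "methods": methods,
        "istag": headers.get("istag"),
        "service": headers.get("service"),
        "preview": int(headers["preview"]) if "preview" in headers else None,
    }


def is_healthy(parsed: dict) -> bool:
    """A response-modification scanner must answer 200 and advertise RESPMOD."""
    return parsed["status"] == 200 and "RESPMOD" in parsed["methods"]


def probe(host: str, port: int = ICAP_PORT, service: str = SERVICE_PATH,
          timeout: float = 5.0) -> dict:
    """Send OPTIONS over a plain TCP socket and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, service, port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_options_response(buf)


# Constructed reply, shaped like an OPTIONS answer from a RESPMOD AV service.
SAMPLE_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b"Service: AV scanner (constructed sample)\r\n"
    b"ISTag: \"sample-tag-001\"\r\n"
    b"Preview: 1024\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe(target) if target else parse_options_response(SAMPLE_REPLY)
    print("healthy" if is_healthy(result) else "UNHEALTHY", result)
```

A connection refused or timeout points at the subnet or port items above; a ValueError means the port is open but served by something other than ICAP.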

Why is the ProxyAV not scanning web traffic?

Problem: The ProxyAV's Home page does not show any files being scanned. The Advanced > History Stats page does not display any ICAP objects, connections, or bytes for the last hour (or other recent time period). The ProxySG's Statistics > ICAP page does not display any requests, connections, or bytes for the last hour (or other recent time period).

Resolution: If the ProxyAV is not scanning Web traffic, there is likely a configuration error that is preventing the ProxySG from sending traffic to the ProxyAV. Here are a few things to double-check:

- Go through the steps again in Add the ProxyAV for In-Path Threat Detection and verify that you have followed the configuration steps properly.

- Make sure the ProxySG and ProxyAV are on the same subnet.

- Verify that the ProxySG and ProxyAV have the same ICAP service ports. On the ProxyAV, go to ICAP Settings. On the ProxySG, go to Configuration > Threat Protection > Malware Scanning > Edit.

- Make sure the ProxyAV has a valid license.

Why isn't my ProxyAV getting virus updates?

Problem: The network administrator gets an e-mail notification that the anti-virus update failed.


Resolution: It’s possible that the DNS server was temporarily down or some other network problem interfered with thevirus update. Try forcing the update:

ProxySG runs out of memory during heavy traffic load

Problem: ProxySG becomes unresponsive and needs to be restarted.

Resolution: The most common cause of this problem is setting too high a value for the Maximum number of connections for the ICAP service. With too high a value, ICAP connections start queuing up, and eventually the ProxySG will run out of memory and need to be restarted. When editing the ICAP service, you should use the Sense settings button to have the ProxySG retrieve the appropriate setting from the ProxyAV. Blue Coat recommends that you not modify the Maximum number of connections value manually; let the Sense settings feature determine the appropriate value. To check these settings, go to Configuration > External Services > ICAP > Edit.


If you have two ProxySGs sending ICAP requests to a single ProxyAV, you also need to be careful about not setting too high a value for Maximum number of connections. If the Sense settings button determines that the maximum number of connections is 10, you should divide this value by two, and enter this setting on each of the ProxySGs.

Why are users complaining about delays in Web browsing?

Problem: Users complain about delays inWeb browsing.

Resolution: Slow scanning is most likely caused by the ProxyAV attempting to virus scan infinite streams. To avoid this problem, Blue Coat recommends that customers implement the no-scan policy. See Install the No Scan Policy for Infinite Streams.

Why can't users access any websites?

Problem: All users get a denied message in their Web browsers when trying to go to any website.


Resolution: There are several possible solutions to this problem.

Solution 1: If the ProxyAV is down and your ICAP policy is set to Deny the client request if an error occurs during ICAP processing, users will not be able to browse the Internet — all requests will be denied. Thus, if you have enabled malware scanning on the ProxySG before setting up the ProxyAV, users will not have Web access. Therefore, it's important to have the ProxyAV up and running before you enable malware scanning.

To avoid the inevitable support calls that result from lack of Web access when the ProxyAV is down, you may want to consider changing the ICAP policy to Continue without malware scanning. With this setting, users will be able to browse the Internet when the ProxyAV is down. However, this opens up the network to potential viruses being downloaded during the ProxyAV downtime. (Although desktop virus scanners might provide some protection from malware.) See Enable Malware Scanning for details on changing the default setting.

Solution 2: The anti-virus license could be invalid or expired. To check the status of the anti-virus license on the ProxyAV, click Antivirus.

Solution 3: If you are using secure ICAP, this issue can be caused by inconsistent secure ICAP settings for the ICAP service, ProxyAV, and ICAP policy, or incorrect SSL configuration for secure ICAP. See the guide, Integrating the ProxySG and ProxyAV Appliances, for detailed information about secure ICAP.

What is causing a 500-ICAP Communication Error?

Problem: A 500-ICAP Communication Error response appears in a user's browser.

Resolution: Try the following to diagnose the issue:

- Examine the error response. The page contains the description of the error and additional details from the anti-virus engine.


- Examine the ProxySG event log messages. If the ProxySG is not able to establish a connection with the ProxyAV appliance, it logs the following message: Cannot establish connection to service.

- Examine the ProxyAV appliance AlertLogFile.log file for the failure reasons. All file-scanning failures, such as timeout, file too big, and decompression errors, are logged here.

Note: When you open the AlertLogFile.log file using the option View log file in browser, the complete file might not be displayed, as the file is often too long to be displayed in the browser. Use a text editor to open the log file to see all the error messages. The most recent error messages display at the bottom of the file.

How do I send sysinfo to Support?

Problem: When you are experiencing problems with your ProxySG or ProxyAV appliances, Blue Coat Support will frequently request that you send system information (sysinfo) for the appliance to help troubleshoot the problem.

Resolution: To send ProxySG sysinfo:

1. Log in to the ProxySG Management Console.

2. Select Maintenance > Service Information > Send Information > Send Service Information.

3. For the Service Request Number, enter the SR number that Support assigned to your case.

4. Select SYSInfo.

5. Click Send.

To send ProxyAV service information:

1. Log in to the ProxyAV Management Console.

2. Select Advanced > Troubleshooting.

3. Make sure Enable keeping Troubleshooting information files is selected and click Save Changes.

4. For the Service Request Number, enter the SR number that Support assigned to your case.

5. Click Send.
