Large Http Objects Handling; Method Of Deferred Scan; Partial Scan Technique - ESET GATEWAY SECURITY Installation Manual

The second step of the ICAP configuration method is activating the ICAP client functionality
within the Proxy Cache. The ICAP client must be configured to request the infiltration
scanning service from esets_icap. The initial request line of the ICAP request must
be entered as follows:
METHOD icap://server/av_scan ICAP/1.0
In the above example, METHOD is the ICAP method used, 'server' is the server name (or IP
address), and /av_scan is the esets_icap infiltration scanning service identifier.

5.4. Large HTTP Objects Handling

Under normal conditions, objects are first transferred from the HTTP server (or client) to
esets_http, scanned for infiltrations and then transferred to the HTTP client (or server). For
large files (objects whose transfer time is longer than the timeout defined by the
parameter lo_timeout) this is not an optimal scenario: the user agent's timeout setting or the
user's impatience can cause the object transfer to be interrupted or even canceled. Therefore, other
methods of processing large objects must be implemented. These are described in the following
two sections.

5.4.1. Method of deferred scan

With esets_http, a technique known as the 'deferred scan' method of handling large files can
be employed. This means that if the object transferred becomes too large, esets_http will begin
to send the object transparently to an awaiting HTTP end-point, such as a client or server. After
the last part of the object has arrived, the object is scanned for infiltrations. If the object is
found to be infected, the last part of the object (the last 4 KB of the object's data) is not sent to
the awaiting end-point and the connection to the end-point is then dropped. Meanwhile, an email message
containing details about the dangerous file transfer is sent to the Gateway administrator. This
email notification is sent only in a server-to-client data transfer. Additionally, the URL of the
source object is stored in the esets_http cache in order to block the source transfer if requested
again.

Be aware that the 'deferred scan' technique described above presents a potential risk to the
computer requesting the infected file for the first time. This is because some parts of the already
transferred data can contain executable, dangerous code. For this reason, ESET developed a
modified version of the 'deferred scan' technique, known as the 'partial scan' technique.
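
The hand-off described in 5.4.1, as an added Python simulation (not ESET code and not part of the manual): it relays a large object while holding back the last 4 KB, scans once the transfer is complete, and shows how much the end-point already holds when the verdict is "infected". Assumptions: the names deferred_scan, toy_scan, demo and MARKER are hypothetical, the scanner is a constructed byte-marker check, and the relay starts at the point where esets_http has already switched to deferred handling.

```python
"""Simulation of the 'deferred scan' hand-off (added example, not ESET code)."""
from typing import Callable, Iterable, Tuple

HOLDBACK = 4 * 1024                   # manual: the last 4 KB is withheld until the verdict
MARKER = b"CONSTRUCTED-TEST-MARKER"   # constructed stand-in for a detection, not a real signature


def toy_scan(data: bytes) -> bool:
    """Hypothetical scanner: 'infected' means the constructed marker is present."""
    return MARKER in data


def deferred_scan(chunks: Iterable[bytes],
                  scan: Callable[[bytes], bool],
                  send: Callable[[bytes], None],
                  holdback: int = HOLDBACK) -> Tuple[bool, int]:
    """Relay chunks to `send`, always keeping the newest `holdback` bytes back.

    Returns (infected, bytes_forwarded). On an infected verdict the held tail
    is discarded, which models dropping the connection to the end-point.
    """
    whole = bytearray()               # full copy, needed for the scan at end of transfer
    sent = 0
    for chunk in chunks:
        whole += chunk
        releasable = len(whole) - holdback
        if releasable > sent:         # forward everything except the held-back tail
            send(bytes(whole[sent:releasable]))
            sent = releasable
    infected = scan(bytes(whole))     # scan only after the last part has arrived
    if not infected:
        send(bytes(whole[sent:]))     # clean: release the tail
        sent = len(whole)
    return infected, sent


def demo(payload: bytes, chunk_size: int = 1500) -> Tuple[bool, int, bytes]:
    """Run one transfer and return (infected, bytes_forwarded, data_at_end_point)."""
    received = []
    chunks = (payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size))
    infected, sent = deferred_scan(chunks, toy_scan, received.append)
    return infected, sent, b"".join(received)


if __name__ == "__main__":
    bad = b"A" * 100 + MARKER + b"B" * (64 * 1024)   # constructed sample object
    infected, sent, got = demo(bad)
    print(f"infected={infected} forwarded={sent}/{len(bad)} marker_delivered={MARKER in got}")
```

In the constructed infected case the end-point has received everything except the final 4 KB, including the bytes that triggered the detection, which is the first-request exposure the manual warns about.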

5.4.2. Partial scan technique

The 'partial scan' technique has been developed as an additional safeguard to the 'deferred
scan' method. The principle of the 'partial scan' technique is based on the idea that the scanning
time of a large object is negligible compared to the overall processing time of the object. This
concept is especially evident with large object HTTP transfers, as significantly more time is needed
to transfer the object than to scan it for infiltrations. This assumption allows us to perform more
than one scan during a large object transfer.