Kaspersky Anti Targeted Attack Platform

Managing ICAP exclusions

Users with the Senior security officer role can create an ICAP exclusion list, that is, a list of data that Kaspersky Anti Targeted Attack Platform must not scan. You can create ICAP exclusion rules for the following data:

  • Format.
  • User Agent.
  • MD5.
  • URL mask.
  • Source IP or subnet.

Users with the Security auditor and Security officer roles can view the list of ICAP exclusion rules.

In distributed solution mode, ICAP exclusions created on an SCN apply to all Sensor components connected to that SCN. ICAP exclusions created on a PCN apply to the SCN installed on the same device as the PCN and to all Sensor components connected to that SCN.

In this section

Viewing the ICAP exclusion table

Adding a rule to ICAP exclusions

Removing rules from ICAP exclusions

Editing or disabling a rule in the ICAP exclusion list

Filtering rules in the ICAP exclusion list by criterion

Filtering rules in the ICAP exclusion list by value

Filtering rules in the ICAP exclusion list by state

Clearing rule filter conditions in the ICAP exclusion list


Viewing the ICAP exclusion table

To view the ICAP exclusion table:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Open the ICAP tab.

The table of data that Kaspersky Anti Targeted Attack Platform must not scan is displayed. You can filter the rules by clicking links in column headers.

The table columns contain the following information:

  • Value—Value of the criterion.
  • Criteria—Criterion for adding an entry to the list of allowed objects.
  • State is the state of the rule.

Adding a rule to ICAP exclusions

ICAP exclusion rules are processed if a rule for the data has not been previously added to the scan exclusion rules.

To add a rule to ICAP exclusions:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Open the ICAP tab.
  3. In the upper-right corner of the application web interface window, click Add.

    This opens the New rule window.

  4. Move the State toggle switch to the position you need.

    By default, the toggle switch is in the Enabled position.

  5. In the Criteria drop-down list, select one of the following criteria for adding a rule to the list of ICAP exclusions:
    • Format.
    • User Agent.
    • MD5.
    • URL mask.
    • Source IP or subnet.
  6. Depending on the selected criterion, in the Value field, specify the following information:
    • If you selected Format, select the file format that you want to add from the drop-down list.

      When you add an ICAP exclusion rule by format, web page content of the corresponding format is loaded without scanning, and the display of web pages is not disrupted.

    • If you selected User Agent, enter the User-Agent header of HTTP requests, which contains browser information.
    • If you selected MD5, enter the MD5 hash of the file.
    • If you selected URL mask, enter the URL mask.

      You can use the following special characters in the mask:

      * – any sequence of characters.

      Example:

      If you enter *abc* as the mask, the application does not scan any URL that contains the sequence abc. For example, www.example.com/download_virusabc

      ? – any single character.

      Example:

      If you enter example_123?.com as the mask, the application does not scan any URL that contains the given character sequence and any character following 3. For example, example_1234.com

      If the * or ? characters are part of the full URL that you want to add to the list of scan exclusions, use the \ character when entering the URL to escape a single *, ?, or \ character that follows it.

      Example:

      You need to add the following URL as a trusted address: www.example.com/download_virus/virus.dll?virus_name=

      You do not want the application to treat ? as a special mask character so you put a \ character before the ? character.

      The URL added to the list of scan exclusions looks as follows: www.example.com/download_virus/virus.dll\?virus_name=

      In the URL mask field, you can enter domain names containing Cyrillic characters. In this case, the address is converted to Punycode and processed in accordance with application settings.

    • If you selected Source IP or subnet, enter an address or subnet (for example, 255.255.255.0).
  7. Click Add.

The rule is added to the ICAP exclusion list.

Users with the Security auditor and Security officer roles cannot add an ICAP exclusion rule.
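
The URL mask rules described above (* for any sequence, ? for any single character, \ to escape *, ? or \) can be checked against sample URLs before a rule is added. The following is an added example, not part of the Kaspersky documentation or product code; the function names, the anchored whole-URL match, and the rejection of other escape sequences are assumptions.

```python
import re

def mask_to_regex(mask):
    """Compile a URL mask: * = any sequence, ? = any single character,
    backslash makes the following *, ? or backslash literal."""
    parts, i = [], 0
    while i < len(mask):
        ch = mask[i]
        if ch == "\\":
            # Assumption: a backslash before any other character (or at the
            # end of the mask) is rejected; the page does not define that case.
            if i + 1 >= len(mask) or mask[i + 1] not in "*?\\":
                raise ValueError(f"dangling or invalid escape at position {i}")
            parts.append(re.escape(mask[i + 1]))
            i += 2
            continue
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("".join(parts))

def is_excluded(mask, url):
    # Assumption: the mask must cover the whole URL string (anchored match).
    return mask_to_regex(mask).fullmatch(url) is not None

def audit(mask, urls):
    """Return the URLs that would bypass scanning under this mask."""
    return [u for u in urls if is_excluded(mask, u)]

# Constructed sample URLs; three of them reuse the examples given on the page.
SAMPLE_URLS = [
    "www.example.com/download_virusabc",
    "files.example.net/abcdef.exe",
    "example_1234.com",
    "www.example.com/download_virus/virus.dll?virus_name=",
    "www.example.com/download_virus/virus.dllXvirus_name=",
]

if __name__ == "__main__":
    for mask in ("*abc*", "example_123?.com",
                 "www.example.com/download_virus/virus.dll?virus_name=",
                 "www.example.com/download_virus/virus.dll\\?virus_name="):
        print(f"{mask!r} excludes: {audit(mask, SAMPLE_URLS)}")
```

Running audit over a sample of URLs taken from proxy logs shows how much traffic a mask would remove from scanning, and the last two masks show why an unescaped ? excludes more than the single URL intended.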


Removing rules from ICAP exclusions

To remove one or more rules from ICAP exclusions:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Open the ICAP tab.
  3. Select the check box to the left of each rule that you want to remove from the list of ICAP exclusions.

    If you want to delete all rules, select the check box above the list.

  4. In the lower part of the window, click Delete.
  5. In the confirmation window that opens, click Yes to confirm the deletion of rules.

The selected rules are removed from the list of ICAP exclusions. Data that was previously listed in the ICAP exclusion rules is now scanned by Kaspersky Anti Targeted Attack Platform.

Users with the Security auditor and Security officer roles cannot remove entries from the list of ICAP exclusions.


Editing or disabling a rule in the ICAP exclusion list

To edit a rule in the ICAP exclusion list:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Open the ICAP tab.
  3. Select the rule that you want to modify.

    This opens the Edit rule window.

  4. Make the necessary changes to the State, Criteria, and Value fields.
  5. Click Save.

The rule is modified.

To disable a rule in the ICAP exclusion list:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Open the ICAP tab.
  3. To the right of the rule that you want to disable in the ICAP exclusion list, in the State column, move the toggle switch to the Disabled position.
  4. In the confirmation window that opens, click Yes to confirm the disabling of the rule.

The rule is disabled.

Users with the Security auditor and Security officer roles cannot edit or disable rules in the list of ICAP exclusions.


Filtering rules in the ICAP exclusion list by criterion

To filter rules in the ICAP exclusion list by criterion:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Open the ICAP tab.
  3. Click the Criteria link to open the filter configuration window.
  4. Select one or more check boxes next to criteria by which you want to filter the rules:
    • Format.
    • User Agent.
    • MD5.
    • URL mask.
    • Source IP or subnet.
  5. Click Apply.

    The filter configuration window closes.

The list of ICAP exclusions displays only rules that match the specified filtering conditions. You can filter by the Value and State columns at the same time.


Filtering rules in the ICAP exclusion list by value

To filter rules in the ICAP exclusion list by value:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Open the ICAP tab.
  3. Click the Value link to open the filter configuration window.
  4. Enter a value.
  5. Click Apply.

The list of ICAP exclusions displays only rules that match the specified search conditions. You can filter by the Criteria and State columns at the same time.


Filtering rules in the ICAP exclusion list by state

To filter rules in the ICAP exclusion list by state:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Open the ICAP tab.
  3. Click the State link to open the filter configuration window.
  4. Select the check box next to one of the values:
    • Enabled.
    • Disabled.
  5. Click Apply.

The list of ICAP exclusions displays only rules that match the specified search conditions. You can filter by the Criteria and Value columns at the same time.


Clearing rule filter conditions in the ICAP exclusion list

To clear the filter conditions for rules in the ICAP exclusion list:

  1. In the main window of the application web interface, select the Settings section, Exclusions subsection.
  2. Open the ICAP tab.
  3. Click Delete to the right of the header of the Value, Criteria, or State column in the table for which you want to reset the filter conditions.

    If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.

The selected filter conditions are cleared. The list of ICAP exclusions displays only rules that match the specified conditions.
