Scan with McAfee anti-virus

The McAfee Anti-Virus filter scans incoming HTTP requests and their attachments for viruses and exploits. For example, if a virus is detected in a MIME attachment or in the XML message body, the API Gateway can reject the entire message and return a SOAP Fault to the client. In addition, this filter supports cleaning of messages from infections such as viruses and exploits. It also provides scan type presets for different detection levels, and reports overall message status after scanning.


McAfee virus scanner integration requires the McAfee Scan Engine and a valid McAfee license. The required third-party binaries are included in your API Gateway installation.


To configure the McAfee Anti-Virus filter, perform the following steps:

  1. Enter a name that indicates the role of this filter in the Name field.
  2. Select a Scan type from the list. The available options are as follows:
    • Custom
    • Enables you to set the Custom options described in Custom options. This provides backwards compatibility with earlier API Gateway versions.
    • Normal
    • Processes the entire message detecting exploits and viruses in the message headers, macros, multi-file archives, executables, MIME-encoded/UU-encoded/XX-encoded/BinHex and TNEF/IMC format files. Performs heuristic analysis to find new viruses and potentially unwanted programs. This is the default scan type. For more information, see Custom options for normal or fast scans.
    • Fast
    • Detects infections in the top level of each message part, such as exploits that use headers and multiple bodies. The detection is less precise, but the performance is better if the top-level object is infected. For more information, see Custom options for normal or fast scans.
    • Multi-pass
    • Combines the Normal and Fast scan types. The Fast scan (pass 1) runs first on the whole message with no cleaning. The scanner stops if it finds an infected object, and if the clean type is set to No cleaning, the scanner reports the infection, or otherwise deletes the message. If pass 1 does not detect any virus or exploit, the Normal scan (pass 2) runs with the specified clean type and provides more precise detection.
  3. Select a Clean type from the list. The available options are as follows:
    • No cleaning
    • Fails if any infection is detected. This is the default clean type.
    • Always remove infected parts
    • Removes the infected message part, and does not try to repair it.
    • Attempt to repair infected parts
    • Attempts to repair the found infection (if repairable), otherwise deletes the infected message part.
Note   When existing policies are upgraded to the current API Gateway version, the McAfee Anti-Virus filter scan type is set to Custom and the clean type is set to No cleaning for backwards compatibility.

Custom options

When you configure a custom scan type, the following Custom options are available:

Decompress Archives:

This instructs the filter to scan each file in an archive for viruses. Types of archived files include the ZIP, JAR, TAR, ARJ, LHA, PKARC, PKZIP, RAR, WinACE, BZip, and Zcompress formats.

Decompress Executables:

Executables are sometimes compressed to decrease overall message size. In such cases, any embedded viruses are also compressed and may be missed by conventional scans. If this option is selected, the filter decompresses the executable before scanning it for viruses.

Fail Any Macros:

A macro is a series of commands that can be invoked in a single command or keystroke. While calling the macro can appear to be harmless, the initiated command sequence may be harmful. Macros are usually configured to run automatically when the host document is opened. When this option is selected, the API Gateway fails if any macro is detected in a compound document (whether it matches a virus signature or not). An appropriate SOAP Fault is returned to the client.

Heuristic Program Analysis:

A heuristic virus detection algorithm runs a series of probing tests on a file in an attempt to solicit virus-like behavior from it. Based on the results of these tests, the algorithm can then make an educated guess on whether the file represents a potential threat or not. For example, programs that attempt to modify or delete files, invoke email clients, or replicate themselves all display virus-like behavior and so may be treated as viruses by the scanner.

The major advantage of this type of analysis is that new viruses can be detected. With the signature detection method, the scanner attempts to find a fixed number of known virus signatures in a file. Because the number of known signatures is fixed, new or unknown viruses can not be detected. If this option is selected, the filter runs heuristic analysis on executables only.

Heuristic Macro Analysis:

When this option is enabled, the filter runs heuristic detection analysis on macros contained in any body parts of the message. If any viruses are detected, the message is blocked. If this option is selected, the API Gateway searches for virus signatures in the respective body parts of a MIME message. However, it can only search for known viruses using this method.

Note   Macros embedded in MIME parts are also scanned for virus signatures.

Scan Embedded Scripts:

The API Gateway can scan MIME parts, such as HTML documents, for embedded scripts. If this option is selected, the filter scans for embedded scripts.

Scan for Test Files:

When this option is selected, the API Gateway fails if it encounters an anti-virus test file (for example, This is a convenient way to check that the anti-virus filter successfully detects known viruses.

Custom options for normal or fast scans

The custom options are disabled when you select the normal or fast scan types. The custom options used for these options (where applicable) are as follows:

  Normal scan type Fast scan type
Decompress Archives On Off
Decompress Executables On N/A (instead, ignore certain compressed executables)
Fail Any Macros N/A (instead, all macros are scanned) N/A (instead, ignore macros in compound documents)
Heuristic Program Analysis On Off
Heuristic Macro Analysis On Off
Scan Embedded Scripts On Off
Scan for Test Files Off Off

Message status

When the scan is complete, the McAfee Anti-Virus filter reports the overall message status in the mcafee.status message attribute, which is generated by the filter. This reflects the overall status of the scan for all message parts, and includes one of the following values:

NOVIRUS No virus or exploit detected in the message.
INFECTED Infection detected in the message.
REPAIRED Message repaired.
REMOVED Some or all message parts successfully removed.
REPAIRED, REMOVED Some message parts successfully repaired and some others removed.

Load McAfee updates

When the McAfee Anti-Virus filter has been loaded, it searches for virus definitions in the following directory:


When these have been loaded, it periodically checks for the presence of a directory named as follows:


If the directory is found, the scanner is stopped and the datv2 directory is renamed to datv2.0. If a datv2.0 directory already exists from a previous rollover, a datv2.1 directory is created instead, and so on, until the limit of 50 is reached (datv2.50). When the limit of 50 is reached you must remove the old files. This means that the server never deletes the old files, and rolls them out of the way.

When the engine is stopped and restarted, any messages that require scanning are suspended until the restart completes. In addition, an initiated reload is suspended until all currently active scans are completed.

Like all file system scanning approaches, there is an inherent ordering problem. If you create the directory before copying the files into the directory, the scanner may pick up the new directory before it is ready to be used. For example, you might experience problems if you enter the following commands from the INSTALL_DIR/apigateway/conf/plugin/mcafee directory:

cp /var/tmp/mcafee/newfiles/*.*

You can use the following commands to prevent this problem:

mkdir datv2.tmp
cp /var/tmp/mcafee/newfiles/*.* datv2.tmp 
mv datv2.tmp

These create a temporary folder, copy the files into this folder, and rename the temporary folder to In this way, the scanner is guaranteed to pick up the virus definition files when it detects the new directory.

Related Links