CEF ICAP Pre-scan Detection Logs

| CEF key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Analyzer |
| Header (pver) | Appliance version | Example: 7.1.0.1088 |
| Header (eventid) | Signature ID | 200129 |
| Header (eventName) | Event name | ICAP_PRESCAN_EVENT |
| Header (severity) | Risk level | 8 |
| rt | Log generation time | Example: May 31 2021 15:56:04 GMT+08:00 |
| dvcmac | Appliance MAC address | Example: 00:0C:29:56:B3:57 |
| dvc | Appliance IP address | Example: 10.1.144.199 |
| dvchost | Appliance host name | Example: localhost |
| deviceExternalId | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| src | Source IPv4 address | Example: 10.1.144.199 |
| dst | Destination IPv4 address | Example: 10.1.144.198 |
| fileHash | SHA1 | Example: 1EDD5B38DE4729545767088C5CAB395E4197C8F3 |
| fileType | True file type | Example: RIFF bitmap file |
| fname | File name | Example: excel.rar |
| cn1Label | Sample type | sampleType |
| cn1 | Sample type | 0: File sample; 1: URL sample |
| request | URL | Example: http://example.com:80/ |
| cs1Label | Malware name | malName |
| cs1 | Malware name | Example: HEUR_NAMETRICK.A |
| cs2Label | | submitterName |
| cs2 | ICAP client | Example: 10.205.190.3 |
| cs3Label | | icapMode |
| cs3 | ICAP mode | Example: REQMOD (ICAP request modification method); RESPMOD (ICAP response modification method) |
| cs4Label | | sourceUser |
| cs4 | X-Authenticated-User ICAP header sent by the ICAP client | Example: test.com |
| cs5Label | | identifiedBy |
| cs5 | The name of the detection module that processed the object | Example: Web Reputation Services; Advanced Threat Scan Engine; Virtual Analyzer; Suspicious Object; User-defined Suspicious Object; YARA Rule (+ Yara_file_name); Predictive Machine Learning Engine; ICAP: Password-protected file (bypass scanning); ICAP: Password-protected file (non-malicious, unextracted) |
| cs6Label | | sha256 |
| cs6 | SHA256 | Example: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F |
Log sample:

CEF:0|Trend Micro|Deep Discovery Analyzer|7.1.0.1088|200129|ICAP_PRESCAN_EVENT|8|rt=Aug 01 2021 02:31:35 GMT+00:00 dvc=10.2.3.100 dvchost=DDAN dvcmac=00:50:56:98:33:69 deviceExternalId=627EE441-DD62-4483-B9E4-60B3C8A92529 src=10.2.11.122 cn1Label=sampleType cn1=1 fileHash=317D137FE590EE561648ECA137CB2B6898526115 request=http://wrs21.test.com:80/ cs1Label=malName cs1=TSPY_KEYLOG.GC cs2Label=submitterName cs2=10.2.1.6 cs3Label=icapMode cs3=REQMOD cs4Label=sourceUser cs5Label=identifiedBy cs5=Web Reputation Services cs6Label=sha256 cs6=F5C748A953D23B8CE4F5C792FDC1E7987471DD48FE24ABA07C3CFD10B4AEF72F

CEF:0|Trend Micro|Deep Discovery Analyzer|7.1.0.1088|200129|ICAP_PRESCAN_EVENT|8|rt=Aug 01 2021 02:31:31 GMT+00:00 dvc=10.2.1.52 dvchost=DDAN dvcmac=00:50:56:98:33:69 deviceExternalId=627EE441-DD62-4483-B9E4-60B3C8A92529 dst=10.2.1.122 src=10.2.1.123 cn1Label=sampleType cn1=0 fname=3-layer.zip fileType=ZIP archive fileHash=D7273555CB0AC08303415CBEB3F3D72DD0893BC4 request=http://test.com/3-layer.zip cs1Label=malName cs1=Eicar_test_file,TROJ_OLEXP.TPD cs2Label=submitterName cs2=10.2.1.6 cs3Label=icapMode cs3=RESPMODE cs4Label=sourceUser cs5Label=identifiedBy cs5=Advanced Threat Scan Engine cs6Label=sha256 cs6=08F18BC62297A67DD91E192A27C1EEDE3C1BBEE19A90FC0B1FADD07CE93B9823
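A parser for records in this format, added here as an example (not part of Deep Discovery Analyzer or this document): it splits the CEF header on unescaped pipes, splits the extension only at key boundaries so values with spaces (rt, fileType, cs5) survive, resolves each cnNLabel/csNLabel pair to a named field, and extracts the fields an analyst pivots on. The two records are constructed after the page's log sample and trimmed; a label with no matching value (cs4Label=sourceUser with no cs4) is dropped rather than reported as empty.

```python
import re

# Two records constructed after the page's log sample (trimmed; not live appliance output).
SAMPLE_LOGS = [
    "CEF:0|Trend Micro|Deep Discovery Analyzer|7.1.0.1088|200129|ICAP_PRESCAN_EVENT|8|"
    "rt=Aug 01 2021 02:31:35 GMT+00:00 dvc=10.2.3.100 src=10.2.11.122 cn1Label=sampleType "
    "cn1=1 request=http://wrs21.test.com:80/ cs1Label=malName cs1=TSPY_KEYLOG.GC "
    "cs2Label=submitterName cs2=10.2.1.6 cs3Label=icapMode cs3=REQMOD cs4Label=sourceUser "
    "cs5Label=identifiedBy cs5=Web Reputation Services",
    "CEF:0|Trend Micro|Deep Discovery Analyzer|7.1.0.1088|200129|ICAP_PRESCAN_EVENT|8|"
    "rt=Aug 01 2021 02:31:31 GMT+00:00 dvc=10.2.1.52 src=10.2.1.123 cn1Label=sampleType "
    "cn1=0 fname=3-layer.zip fileType=ZIP archive fileHash=D7273555CB0AC08303415CBEB3F3D72DD0893BC4 "
    "cs1Label=malName cs1=Eicar_test_file,TROJ_OLEXP.TPD cs2Label=submitterName cs2=10.2.1.6 "
    "cs3Label=icapMode cs3=RESPMOD cs5Label=identifiedBy cs5=Advanced Threat Scan Engine",
]

HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")          # a '|' that is not escaped as '\|'
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_]+=)")  # the space right before the next key=

def parse_cef(line):
    """Parse one CEF record into a flat dict; csN/cnN are renamed via their *Label keys."""
    parts = _HEADER_SPLIT.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    event = {name: p.replace("\\|", "|") for name, p in zip(HEADER_FIELDS, parts[:7])}
    event["logVer"] = event["logVer"][len("CEF:"):]
    ext = {}
    for kv in _EXT_SPLIT.split(parts[7]):
        key, _, value = kv.partition("=")
        ext[key] = value.replace("\\=", "=").replace("\\n", "\n")
    for key in [k for k in ext if k.endswith("Label")]:
        base = key[: -len("Label")]
        label = ext.pop(key)
        if base in ext:  # a label without a value (cs4Label=sourceUser) is simply dropped
            ext[label] = ext.pop(base)
    event.update(ext)
    return event

def detection_summary(event):
    """The fields an analyst pivots on: indicator, ICAP client and mode, verdicts, module."""
    is_url = event.get("sampleType") == "1"
    return {
        "indicator": event.get("request") if is_url else event.get("sha256") or event.get("fileHash"),
        "client": event.get("submitterName"),
        "mode": event.get("icapMode"),
        "verdicts": event.get("malName", "").split(","),
        "module": event.get("identifiedBy"),
        "severity": int(event["severity"]),
    }
```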