Port 1344: ICAP — The virus scanner's door

Port 1344 carries ICAP traffic—the Internet Content Adaptation Protocol. Every time a proxy server intercepts your web request and sends it to a virus scanner before delivering the content to your browser, that's ICAP at work.¹

What ICAP Does

ICAP is a lightweight HTTP-like protocol specified in RFC 3507.² It exists to extend transparent proxy servers without making them do everything themselves. Virus scanning is resource-intensive, signature databases update constantly, and content filtering requires specialized logic. ICAP lets proxy servers delegate these tasks to servers built specifically for them.

The protocol works simply: an ICAP client (usually a proxy or gateway) sends HTTP requests or responses to an ICAP server on port 1344. The server analyzes or modifies the content—scanning for viruses, filtering based on policy, inserting ads, translating languages—then returns it to the client.³ The proxy can focus on proxying. The scanner can focus on scanning.

Two Modes

ICAP operates in two modes:⁴

REQMOD (Request Modification) — The proxy sends HTTP requests to the ICAP server before fetching the content. Used for URL filtering, policy enforcement, blocking access to certain sites before the request even goes out.

RESPMOD (Response Modification) — The proxy sends HTTP responses to the ICAP server before delivering them to the user. Used for virus scanning, data loss prevention, content filtering. The user's browser waits while the ICAP server decides if the content is safe.

Common Uses

ICAP is generally used for:⁵

• Virus scanning — Multi-engine antivirus scanning of web content before delivery
• Content filtering — Blocking inappropriate content, enforcing acceptable use policies
• Data loss prevention — Scanning outbound traffic for sensitive information
• Ad insertion — Injecting advertisements into web pages (controversial, but common)
• Content translation — Language translation, format conversion

The History

ICAP was proposed in late 1999 by Network Appliance.⁶ By the early 2000s, it was already in widespread use—proxy vendors and security companies had adopted it because it solved a real problem. The IETF decided to document existing practice rather than create a new standard from scratch.

RFC 3507 was published in April 2003 as an informational RFC, not a standards-track document.⁷ This is unusual—most protocols are standardized first, then implemented. ICAP was implemented first, then standardized. The industry decided it worked and kept using it.

Security Considerations

ICAP itself doesn't provide encryption. Traffic between the proxy and the ICAP server on port 1344 is typically unencrypted, which means it should only run on trusted internal networks.⁸ Some implementations support secure ICAP (ICAPS) using TLS, but this isn't part of the original RFC.

ICAP servers can become bottlenecks. If every HTTP response must be scanned before delivery, and the ICAP server is slow or overloaded, users wait. Performance matters.

Related Ports

• Port 80 — HTTP traffic that ICAP often inspects
• Port 443 — HTTPS traffic (requires SSL/TLS interception before ICAP can inspect the decrypted content)
• Port 3128 — Squid proxy, a common ICAP client
• Port 8080 — Alternative HTTP proxy port, also used with ICAP

How to Check What's Listening

On Linux or macOS:

sudo lsof -i :1344

On Windows: netstat -ano | findstr :1344

On any system with nmap: nmap -p 1344 localhost

Why This Port Matters

Port 1344 represents a design philosophy: specialization over monoliths. Proxy servers proxy. Virus scanners scan. ICAP is the bridge that lets them work together without either having to do the other's job.

The protocol is nearly 25 years old and still widely deployed. Web traffic has grown exponentially, threats have evolved, but the fundamental problem—how do you scan content without slowing everything down—remains the same. ICAP's answer: offload the work to something built for it.

Every piece of malware blocked by your corporate proxy, every inappropriate site filtered before the page loads, every outbound file scanned for sensitive data—much of that happens because port 1344 exists.