Advanced file analysis
Administrator Help | TRITON AP-EMAIL | Version 8.3.x
Advanced file analysis is a cloud-hosted or on-premises sandbox that performs deep content inspection of file types that are common threat vectors (for example, document, executable, data, or archive files). Use the advanced file analysis filter to configure which file types are analyzed for your network.
The cloud sandbox capability is available only if your subscription includes the Email Sandbox Module. On-premises analysis requires a separately deployed Threat Protection appliance environment.
Configure your advanced file analysis platform on the Settings > General > Advanced File Analysis page. You may select only one platform for advanced file analysis. See Selecting advanced file analysis platform for information.
When you configure an advanced file analysis filter, the platform selected on the Advanced File Analysis page is reflected in the Add/Edit Filter page File analysis platform entry field. Available filter settings depend on the platform used, as noted in the following sections.
The filter runs in either monitor or enforce mode. In enforce mode you can optionally send a notification message when the filter is triggered and the attachment is sent to advanced file analysis. You can also define conditions that, when met, allow a message to bypass the advanced file analysis filter.
After you select the advanced file analysis filter type and enter a name and description, specify one of the following operational modes for the filter:
* Monitor (default). The message is delivered to its recipient, and a copy is sent to advanced file analysis. If analysis determines that the attachment is clean, no report is returned. If analysis determines that the attachment is malicious, the message is copied to a specified queue. A notification email regarding the analysis result can be sent.
The corresponding filter action should be configured to ensure that the email message that triggered the filter is delivered to its recipient along with the attachment (Main > Policy Management > Actions).
* Enforce. The message is held in a queue until advanced file analysis is performed. If analysis determines that the attachment is clean, message processing resumes. If analysis determines that the attachment is malicious, the email is quarantined. A notification email regarding the analysis result can be sent.
The corresponding filter action should be configured to ensure that the email message that triggered the filter is dropped and saved to a specified queue (Main > Policy Management > Actions). The default queue is the virus queue.
* Enforce and notify. The message is held in a queue until advanced file analysis is performed, and an email notifying the recipient that analysis is underway can be sent. Mark the Send enforcement notification check box to configure this message, which contains the original message as an attachment. The message attachment is handled as follows:
*
*
The corresponding filter action should be configured to ensure that the email message that triggered the filter is dropped and saved to a specified queue (Main > Policy Management > Actions). The default queue is the virus queue.
The email notification contains the following components:
* Sender. Identify the notification message sender, from among the following options:
*
*
*
* Recipient. Identify the notification message recipient, from among the following options:
*
*
*
* Subject. Enter the subject that you want to be displayed when the notification is received.
* Content. Enter the text that you want to be displayed in the notification message body.
* Attachment. Specify whether you want to include the original message as an attachment to the notification message. Select from among the following:
*
*
See Creating and configuring a filter action for information about configuring an action for the advanced file analysis filter.
Select the file types you want the cloud-hosted file sandbox to find and analyze by marking the appropriate check boxes. This option is not available for the Threat Protection platform.
You can configure bypass options for messages that you want to skip advanced file analysis. Click Add in the bypass conditions section and specify the following information:
* Condition name. Specify a name for each set of bypass conditions.
* Sender email address/domain. Enter an individual email address or domain. Use an asterisk (*) for wildcard entries, and separate multiple entries with a semicolon (;).
* Attachment filename keyword. Enter a character string that is included in the attachment filename.
Edit an existing bypass condition set by clicking the condition name in the bypass conditions table.
If you want message size to determine whether advanced file analysis is bypassed, mark the Bypass advanced file analysis if message size exceeds check box and enter the threshold. For the cloud-hosted file sandbox, enter a value from 1 to 32 MB (default is 32 MB). For Threat Protection, enter a value equal to the maximum file size accepted by the Threat Protection appliance. Messages above the threshold are not analyzed by the sandbox at all, so set the threshold no lower than the platform requires.
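The following Python is an added example that models how the bypass settings above combine for one message; it is not Forcepoint code and does not reproduce the product's actual implementation. It treats the sender field as semicolon-separated entries in which an asterisk is the only wildcard and a bare domain matches any address at that domain, matches the attachment filename keyword as a case-insensitive substring, and applies the message-size threshold. The class and function names, the rule that both populated fields of one condition must match, case-insensitive comparison, the bare-domain handling, and MB as 1024*1024 bytes are assumptions; the conditions and messages are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical model of the Add/Edit Filter bypass settings; not product code.


def _wildcard_to_regex(entry: str) -> re.Pattern:
    """Translate one sender entry where '*' is the only wildcard (assumed)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in entry.split("*")) + "$")


@dataclass
class BypassCondition:
    """One row of the bypass conditions table."""
    name: str
    sender: str = ""            # addresses/domains separated by ';', '*' wildcard
    filename_keyword: str = ""  # substring of the attachment filename

    def _sender_matches(self, address: str) -> bool:
        address = address.lower()
        domain = address.rsplit("@", 1)[-1]
        for entry in (e.strip().lower() for e in self.sender.split(";")):
            if not entry:
                continue
            # Assumption: an entry containing '@' is a full address pattern,
            # otherwise it is a domain pattern matched against the domain part.
            target = address if "@" in entry else domain
            if _wildcard_to_regex(entry).match(target):
                return True
        return False

    def matches(self, address: str, filename: str) -> bool:
        """Assumption: empty fields are unconstrained, populated fields must all match."""
        if not self.sender.strip() and not self.filename_keyword:
            return False  # a fully empty condition would bypass everything
        if self.sender.strip() and not self._sender_matches(address):
            return False
        if self.filename_keyword and self.filename_keyword.lower() not in filename.lower():
            return False
        return True


@dataclass
class Message:
    sender: str
    attachment_name: str
    size_bytes: int


def bypass_reason(msg: Message, conditions: List[BypassCondition],
                  size_limit_mb: Optional[int] = None) -> Optional[str]:
    """Return why the message skips advanced file analysis, or None if it is analyzed."""
    if size_limit_mb is not None and msg.size_bytes > size_limit_mb * 1024 * 1024:
        return f"message size exceeds {size_limit_mb} MB"
    for cond in conditions:
        if cond.matches(msg.sender, msg.attachment_name):
            return f"bypass condition '{cond.name}'"
    return None


# Constructed sample configuration and traffic (not real data).
CONDITIONS = [
    BypassCondition("Trusted partner", sender="*@partner.example; billing@vendor.example"),
    BypassCondition("Signed reports", sender="reports.example", filename_keyword="report"),
]

SAMPLES = [
    Message("alice@partner.example", "invoice.docx", 200_000),
    Message("alice@partner.example.attacker.example", "invoice.docx", 200_000),
    Message("bot@reports.example", "Quarterly-Report.xlsx", 900_000),
    Message("bot@reports.example", "macro.docm", 900_000),
    Message("anyone@example.net", "archive.zip", 40 * 1024 * 1024),
]


def triage(messages, conditions=CONDITIONS, size_limit_mb=32):
    """Map each message to its bypass reason (None = sent to the sandbox)."""
    return [bypass_reason(m, conditions, size_limit_mb) for m in messages]


if __name__ == "__main__":
    for m, reason in zip(SAMPLES, triage(SAMPLES)):
        print(f"{m.sender:45} {m.attachment_name:22} -> {reason or 'analyzed'}")
```

Two points worth checking against your own configuration with a model like this: the wildcard is anchored, so `*@partner.example` does not match a look-alike such as `partner.example.attacker.example`, but a sender address is attacker-controlled unless your gateway verifies it (SPF, DKIM, DMARC), so keep sender-based bypasses as narrow as possible; and anything over the size threshold never reaches the sandbox, so the threshold is itself a bypass an attacker can aim for by padding an attachment.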

Copyright 2016 Forcepoint LLC. All rights reserved.