Advanced file analysis
Administrator Help | Forcepoint Email Security | Version 8.5.x
Advanced file analysis is a cloud-hosted or on-premises sandbox for deep content inspection of file types that are common threat vectors (for example, document, executable, data, or archive files). Use the advanced file analysis filter to configure file type analysis for your network.
The cloud sandbox capability is available only if your subscription includes Forcepoint Advanced Malware Detection for Email - Cloud. For on-premises analysis, you need to deploy a separate Forcepoint Advanced Malware Detection for Email - On-Premises appliance.
Configure the advanced file analysis platform on the page Settings > General > Advanced File Analysis. You may select only one platform for advanced file analysis. See Selecting advanced file analysis platform. When you configure an advanced file analysis filter, the platform selected on the Advanced File Analysis page is reflected on the Add/Edit Filter page. Available filter settings depend on the platform used.
The filter can be used in either monitor or enforce mode. In enforce mode, you can optionally send a notification message when the filter is triggered and the attachment is sent to advanced file analysis. You can also define conditions that, when met, allow a message to bypass the advanced file analysis filter.
Configure advanced file analysis filter
1. Select the filter mode, Monitor or Enforce:
* Monitor: The message is delivered to its recipient and a copy is sent to advanced file analysis. If analysis determines that the attachment is clean, no report is returned. If analysis determines that the attachment is malicious, the message is copied to a specified queue. A notification email can be sent regarding the analysis result. This is the default.
Configure the corresponding filter action to ensure that the email message that triggered the filter is delivered to its recipient along with the attachment (Main > Policy Management > Actions). The default queue is the virus queue. See Managing filter actions.
* Enforce: The message is held in a queue until advanced file analysis is performed. If analysis determines that the attachment is clean, message processing is resumed. If analysis determines that the attachment is malicious, the email is quarantined. A notification email can be sent regarding the analysis result.
Configure the corresponding filter action to ensure that the email message that triggered the filter is dropped and saved to a specified queue (Main > Policy Management > Actions). The default queue is the virus queue. See Managing filter actions.
a. (Only applicable if Enforce is selected in step 1) To notify the recipient when analysis is underway, mark the check box Send enforcement notification.
Marking the check box displays the Notification Properties section, where you configure the notification email, which contains the original message as an attachment. The message attachment is handled as follows:
b. From Sender, select the sender of the notification: Administrator or Custom.
* Administrator (default): If you select this option, you must configure a valid administrator email address on the page Settings > General > System Settings (see Setting system notification email addresses).
* Custom: Selecting Custom enables a text field in which to enter the sender address. If you choose this option, you can designate only one sender address.
c. From Recipient, mark the check box for one or more message recipients: Original email recipient, Administrator, or Custom.
* Administrator (default): If you select this option, you must configure a valid administrator email address on the page Settings > General > System Settings (see Setting system notification email addresses).
* In the text field Subject, enter the subject to be displayed when the notification is received.
* In the text field Content, enter the text to be displayed in the notification message body.
* For the original message attachment option, the default is Do not attach message.
2. Under File Types, select the file types to send to advanced file analysis:
* To expand a top-level category, click the plus sign.
* To select all file types in a category, mark the check box for the top-level file type.
* To select all categories, mark the check box All file types at the top of the File Types list. This option is not available for the Advanced Malware Detection - On-Premises platform.
3. (Optional) Add a bypass condition. The Add Bypass Condition dialog box displays, in which you configure the following settings:
* In the text field Condition name, enter a name for this set of bypass conditions.
* In the text field Sender email address/domain, enter an individual email address or domain. Use an asterisk (*) for wildcard entries and separate multiple entries with a semicolon (;).
* In the text field Attachment filename keyword, enter a character string that is included in the attachment filename. Use an asterisk (*) for wildcard entries.
When you save the condition, the settings are saved and the new condition displays in the list of bypass conditions.
4. (Optional) Mark the check box Bypass advanced file analysis if message size exceeds. In the text field, enter a message size in MB for the cloud-hosted file sandbox (default is 32), or, for Advanced Malware Detection - On-Premises, enter a value equal to the maximum file size accepted by that appliance. When this check box is marked, message size is used to determine whether advanced file analysis is bypassed.
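The bypass settings in steps 3 and 4 decide which messages never reach the sandbox, so it helps to be able to reason about exactly what a given condition list exempts. The following Python model is an added example, not Forcepoint code: it implements the documented syntax (asterisk wildcards, semicolon-separated sender entries, a filename keyword matched anywhere in the attachment name, and a size ceiling in MB) over constructed sample messages, and adds a small review helper that flags conditions whose wildcards exempt every sender or every attachment. Case-insensitive matching, treating a bare domain entry as matching the sender's exact domain (not its subdomains), and requiring every populated field of a condition to match are assumptions of the example, as are all names and sample values.

```python
"""Model of the advanced file analysis bypass conditions (example, not product code).

Assumptions: matching is case-insensitive, a bare domain entry matches the
sender's domain exactly, a keyword matches anywhere in an attachment filename,
and a condition applies only when every populated field matches."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BypassCondition:
    name: str
    sender: str = ""             # "Sender email address/domain": '*' wildcards, ';' separated
    filename_keyword: str = ""   # "Attachment filename keyword": '*' wildcards


@dataclass
class Message:
    sender: str
    attachment_names: List[str]
    size_mb: float


def _wildcard_regex(pattern: str) -> str:
    """Translate the documented '*' wildcard into a regex fragment; everything else is literal."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def sender_matches(entries: str, sender: str) -> bool:
    """True if any ';'-separated entry matches the full address (entry contains '@')
    or the sender's domain (entry is a bare domain)."""
    domain = sender.rsplit("@", 1)[-1]
    for entry in (e.strip() for e in entries.split(";")):
        if not entry:
            continue
        target = sender if "@" in entry else domain
        if re.fullmatch(_wildcard_regex(entry), target, re.IGNORECASE):
            return True
    return False


def filename_matches(keyword: str, names: List[str]) -> bool:
    """True if the keyword (with '*' wildcards) occurs anywhere in any attachment filename."""
    rx = re.compile(_wildcard_regex(keyword), re.IGNORECASE)
    return any(rx.search(n) for n in names)


def condition_matches(cond: BypassCondition, msg: Message) -> bool:
    """Every populated field must match; a condition with no populated field matches nothing."""
    checks = []
    if cond.sender.strip():
        checks.append(sender_matches(cond.sender, msg.sender))
    if cond.filename_keyword.strip():
        checks.append(filename_matches(cond.filename_keyword, msg.attachment_names))
    return bool(checks) and all(checks)


def bypass_reason(msg: Message, conditions: List[BypassCondition],
                  size_limit_mb: Optional[float] = None) -> Optional[str]:
    """Why the message would skip advanced file analysis, or None if it should be analysed."""
    for cond in conditions:
        if condition_matches(cond, msg):
            return f"bypass condition: {cond.name}"
    if size_limit_mb is not None and msg.size_mb > size_limit_mb:
        return f"message size {msg.size_mb:g} MB exceeds {size_limit_mb:g} MB"
    return None


def overly_broad(conditions: List[BypassCondition]) -> List[str]:
    """Names of conditions with a field made only of wildcards/separators (e.g. '*'),
    which exempt any sender or any attachment and deserve review."""
    flagged = []
    for c in conditions:
        fields = [f.strip() for f in (c.sender, c.filename_keyword)]
        if any(f and set(f) <= {"*", ";", " "} for f in fields):
            flagged.append(c.name)
    return flagged


# Constructed sample configuration (not from any real deployment).
CONDITIONS = [
    BypassCondition("trusted-partner", sender="*@partner.example"),
    # A keyword-only condition would be satisfiable by any sender; pairing it with a sender entry narrows it.
    BypassCondition("signed-reports", sender="reports.corp.example", filename_keyword="report_*.pdf"),
    BypassCondition("legacy-allow-all", filename_keyword="*"),   # the kind of entry the review should catch
]

if __name__ == "__main__":
    samples = [
        Message("alice@partner.example", ["invoice.pdf"], 2.5),
        Message("bot@reports.corp.example", ["Q3_report_final.pdf"], 1.0),
        Message("bob@corp.example", ["build.zip"], 40.0),
        Message("bob@corp.example", ["build.zip"], 5.0),
    ]
    for m in samples:
        print(m.sender, m.attachment_names, "->",
              bypass_reason(m, CONDITIONS[:2], size_limit_mb=32) or "send to advanced file analysis")
    print("conditions to review:", overly_broad(CONDITIONS))
```

Running the block prints, for each constructed message, either the bypass reason or that it goes to analysis, then lists the conditions the review helper flags; the same helper can be pointed at an exported condition list to confirm that no single wildcard entry silently exempts all traffic.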
5. Save the filter. The advanced file analysis filter settings are saved. See Creating and configuring a filter action for information about configuring an action for the advanced file analysis filter.

Copyright 2022 Forcepoint. All rights reserved.