Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Analysis > Scanning options > Security threats: File analysis
Security threats: File analysis
Web Security Help | Web Security Solutions | Version 7.8.x
Related topics:
*
Scanning options
*
Content categorization
*
Security threats: Content security
*
Outbound security
*
Advanced options
*
Scanning exceptions
*
Reporting on advanced analysis activity
File analysis inspects files that users attempt to download or open remotely for viruses and other malicious content. File analysis returns a category to Filtering Service for policy enforcement.
There are 5 types of file analysis. They can be used together.
*
Advanced Detection applies techniques developed by Websense to discover known and emerging threats, including viruses, Trojan horses, worms, and other malicious content.
*
Antivirus Scanning uses antivirus definition files to identify virus-infected files.
*
ThreatScope™ Analysis sends files that fit a profile defined by Websense Security Labs to a cloud-hosted sandbox for activation and observation. If a file is found to be malicious, an email alert is sent to the Web Security alert recipient that contains a description of the threat, a link to a detailed ThreatScope report, and a link to an Investigative Report built from your log database.
ThreatScope is a premium feature available to Web Security Gateway Anywhere subscribers. A full description is included in the step-by-step configuration section, below.
*
Rich Internet application scanning examines Flash files for malicious content.
*
FTP file scanning examines inbound FTP files for malicious content.
You can configure the specific types of files to analyze by clicking File Type Options. (Settings do not apply to ThreatScope.)
 
* 
Note 
If file analysis is configured to include multimedia files, sometimes when the streaming media is buffered and analyzed, the connection to the server times out. In such cases, the best remedy is to create an exception for that site. See Scanning exceptions.
Use the Settings > Scanning > Scanning Exceptions page to specify untrusted or trusted sites that are always analyzed or never analyzed (Scanning exceptions).
Use the Settings > Scanning > Scanning Options page to enable and configure file analysis.
Advanced Detection
1.
Select Off to disable file analysis.
2.
Select On (default) to enable file analysis on files from uncategorized sites and files from sites with elevated risk profiles, as identified by Websense Security Labs.
3.
Select Aggressive analysis to analyze inbound files from sites with elevated risk profiles and from sites with lower risk profiles. This option consumes additional system resources.
Antivirus Scanning
1.
Select Off to disable antivirus analysis.
2.
Select On (default) to enable antivirus analysis of files from uncategorized sites and files from sites with elevated risk profiles, as identified by Websense Security Labs.
3.
Select Aggressive analysis to apply antivirus analysis to inbound files from sites with elevated risk profiles and from sites with lower risk profiles. This option consumes additional system resources.
ThreatScope™ Analysis
This option is available to ThreatScope Cloud Services subscribers only.
1.
Select Off (default) to disable ThreatScope analysis.
2.
Select On to send qualified executable files to the cloud-hosted sandbox for analysis.
3.
Select Submit additional documents to send additional supported file types to ThreatScope for analysis.
A file that qualifies for ThreatScope sandboxing:
*
Is not classified as "malicious" in the Websense Master Database
*
Passes all Security Threats: File Analysis analytics
*
Fits the Websense Security Labs profile for suspicious files
*
Is a supported file type. Executable files are always supported. See the knowledge base article titled: ThreatScope Supported File Types.
 
* 
Note 
Because the file was not detected as malicious, it was not blocked and has been delivered to the requester.
* 
Important 
To receive ThreatScope email messages, which is the only mechanism used by ThreatScope to report malicious files, you must enable and configure email alerts.
Go to Settings > Alerts > Enable Alerts, select Enable email alerts and specify an Administrator email address. Also confirm that your SMTP settings are correct.
* 
Important 
The Content Gateway web proxy manages on-premises ThreatScope traffic.
Traffic is sent to:
*
*.websense.net
*
*.blackspider.com
The User-Agent is ssbc.
ThreatScope traffic must not be subject to man-in-the-middle decryption.
ThreatScope traffic cannot be challenged for authentication by any device in the network.
Filter.config rules are configured, by default, in Content Gateway. If Content Gateway is in a proxy chain or behind a firewall, those devices may have to be configured to meet the requirements described above.
You can test your configuration to ensure that ThreatScope Analysis is properly configured in your deployment using the link ThreatScope: Malicious App found in the Real-time Analysis Test Pages section of http://testdatabasewebsense.com/
What does a ThreatScope transaction look like?
1.
An end user browses to a website and explicitly or implicitly downloads a file.
2.
The URL is not categorized as "malicious" and Security Threats: File Analysis does not find the file to be malicious.
3.
The file is delivered to the requester.
4.
However, the file fits the Websense Security Labs profile for suspicious files and is sent to ThreatScope in the cloud for analysis.
5.
ThreatScope analyzes the file, which may take as long as 5 to 10 minutes, but is typically much quicker.
6.
If the file is found to be malicious, Content Gateway sends a ThreatScope malicious file detection message to the configured alert recipient. The alert email includes links to the ThreatScope report and an investigative report created from your log records (examples below).
7.
Upon receipt of the message, administrators should:
a.
Access and evaluate the ThreatScope report for the file
b.
Examine the investigative report for the incident
c.
Assess the impact of the intrusion in their network
d.
Plan and begin remediation
8.
Separately, ThreatScope updates the ThreatSeeker® Intelligence Cloud with information about the file, the source URL, and the command and control targets.
9.
ThreatSeeker updates the Websense Master Database, ACE analytic databases, and other security components, which are then pulled by Websense deployments.
10.
The next time someone tries to browse the site, they and the organization are protected by their Websense Web Security deployment.
ThreatScope alert messages and reports
When Content Gateway learns that ThreatScope has detected a malicious file, it sends a ThreatScope alert email to the configured administrator. The message is plain text. An example is shown below.
In the body, the User field includes the user name only if Content Gateway user authentication was used to identify the client. Otherwise, the client IP address appears in the field.
Two links are included. The first links to a detailed ThreatScope report on the file and its malicious contents. The second launches an investigative report, using your log records, for the time period in which the file download occurred. Depending on your browser, you may have to enable popups to allow the report to be displayed. Also note that you may receive the ThreatScope alert message before Web Security Gateway Anywhere has written all of the transaction records in the Log Database. Periodically refresh the report to include pending records.
A typical alert message looks like:
Here is an example of a portion of a ThreatScope report:
Rich Internet application scanning
Select Scan rich Internet applications to analyze Flash files for malicious content.
FTP file scanning
Select Scan FTP files to analyze files that are downloaded with the FTP protocol. (FTP over HTTP file downloads and uploads are subject to the HTTP/HTTPS file scanning settings.) To be meaningful, this option requires that Content Gateway be configured to proxy FTP traffic. See the Content Gateway Manager Help.
 
* 
Note 
The Scan rich Internet applications and Scan FTP files options are available only when Advanced Detection is enabled. When the Advanced Detection file analysis feature is turned off, the rich Internet application scanning feature is disabled and the check box is cleared.
File Type Options
1.
To specify the types of files to analyze, click File Type Options. As a best practice, analyze all suspicious files, as identified by Websense Security Labs, and all executable and unrecognized files.
2.
To always analyze files having a specific extension, select Files with the following extensions, enter the extension in the entry field and click Add.
To remove an extension from the list, click on the extension to select it, and click Delete.
When you are done configuring file analysis options, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
Several presentation reports provide details about attempts to download files containing security risks. These reports are listed in the Report Catalog only after analysis activity has detected sites whose activity has changed since it was assigned a Master Database category. See Presentation reports for more information.
See Managing traffic based on file type for information about blocking files based on type and URL category.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Analysis > Scanning options > Security threats: File analysis
Copyright 2016 Forcepoint LLC. All rights reserved.