Configuring file analysis

Administrator Help | TRITON AP-WEB | Version 8.3.x

Related topics:

Configuring Content Gateway analysis

Configuring content categorization

Configuring content security

Content Gateway outbound security analysis

Content Gateway advanced analysis options

Configuring exceptions to Content Gateway analysis

Reporting on advanced real-time analysis

File analysis inspects files that users attempt to download or open remotely for viruses and other malicious content. File analysis returns a category to Filtering Service for policy enforcement.

There are 5 types of file analysis. They can be used together.

Four types of analysis are done by Content Gateway.

Advanced Detection applies techniques developed to discover known and emerging threats, including viruses, Trojan horses, worms, and other malicious content.

Antivirus Scanning uses antivirus definition files to identify virus-infected files.

Rich Internet application scanning examines Flash files for malicious content.

FTP file scanning examines inbound FTP files for malicious content.

You can configure the specific types of files to analyze by clicking File Type Options.


	Note If file analysis is configured to include multimedia files, sometimes when the streaming media is buffered and analyzed, the connection to the server times out. In such cases, the best remedy is to create an exception for that site. See Configuring exceptions to Content Gateway analysis.

Use the Settings > Scanning > Scanning Exceptions page to specify untrusted or trusted sites that are always analyzed or never analyzed (Configuring exceptions to Content Gateway analysis).

Use the Settings > Scanning > Scanning Options page to enable and configure file analysis.

The fifth type of file analysis is Advanced File Analysis, which sends files that fit a profile defined by Forcepoint Security Labs to a configurable destination for activation and observation. If analysis finds a file to be malicious, an email alert is sent to the configured administrator that contains a description of the threat, a link to a detailed report, and a link to an investigative report built from your Log Database.

To enable Advanced File Analysis, TRITON AP-WEB subscribers can purchase the Web Sandbox module or the Threat Protection Appliance. A full description is included in the step-by-step configuration section, below.

Advanced Detection

Select Off to disable file analysis.

Select On (default) to enable file analysis on files from uncategorized sites and files from sites with elevated risk profiles, as identified by Security Labs.

Select Aggressive analysis to analyze inbound files from sites with elevated risk profiles and from sites with lower risk profiles. This option consumes additional system resources.

Antivirus Scanning

Select Off to disable antivirus analysis.

Select On (default) to enable antivirus analysis of files from uncategorized sites and files from sites with elevated risk profiles, as identified by Security Labs.

Select Aggressive analysis to apply antivirus analysis to inbound files from sites with elevated risk profiles and from sites with lower risk profiles. This option consumes additional system resources.

Rich Internet application scanning

Select Scan rich Internet applications to analyze Flash files for malicious content.

FTP file scanning

Select Scan FTP files to analyze files that are downloaded with the FTP protocol. (FTP over HTTP file downloads and uploads are subject to the HTTP/HTTPS file scanning settings.) To be meaningful, this option requires that Content Gateway be configured to proxy FTP traffic. See the Content Gateway Online Help.


	Note The Scan rich Internet applications and Scan FTP files options are available only when Advanced Detection is enabled. When the Advanced Detection file analysis feature is turned off, these options are disabled and the check boxes are cleared.

File Type Options

To specify the types of files Content Gateway is to analyze, click File Type Options. As a best practice, analyze all suspicious files, as identified by Security Labs, and all executable and unrecognized files.

To always analyze files having a specific extension, select Files with the following extensions, enter the extension in the entry field and click Add.

To remove an extension from the list, click on the extension to select it, and click Delete.

When you are done configuring file analysis options, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Several presentation reports provide details about attempts to download files containing security risks. These reports are listed in the Report Catalog only after analysis activity has detected sites whose activity has changed since it was assigned a Master Database category. See Presentation reports for more information.

See Managing traffic based on file type for information about blocking files based on type and URL category.

Advanced File Analysis


	Note At least one of the four Content Gateway analysis options must be enabled for files to be sent for advanced file analysis.

Check the box next to Enable Advanced File Analysis.

Open the File analysis platform drop-down.

If you have purchased the Web Sandbox module, you can select File Sandbox.

Control the types of files sent to the File Sandbox. Check the box next to the general file types listed to keep those file types from being sent to the file sandbox. By default, none of the boxes are checked; all suspicious files are sent.

Note that analysis is performed to determine a file's true type.

When a file type is selected for "Do not submit", both the true file type and the file extension are used to determine that the file will not be sent to the file sandbox.

Caution: Electing not to send file types to the sandbox may expose the network to unknown risk. Select the file types based on proper risk assessment. Balance the privacy risks involved in sending files to the sandbox against the security risks involved in not sending them.

To not send files having a specific extension, check Files with the following extensions, enter file extensions in the input box provided, and click Add. Multiple file extensions can be added in a comma separated list.

To remove an entry from the list, highlight a file extension and click Delete .

If you have purchased a Threat Protection Appliance, you can select Threat Protection appliance from the drop-down.

By default, images and txt files are not sent to Threat Protection.

Enter the IP address of the Threat Protection Controller (prod1 [P] interface) in the Controller IP address entry field.

Click Check Status to confirm that Threat Protection is installed at that IP address. This check does not ensure connection to Content Gateway.

When you are done configuring Advance File Analysis options, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

A file that qualifies for advanced file analysis:

Is not classified as "malicious" in the Master Database.

Passes all selected Security Threats: File Analysis analytics.

Fits the Security Labs profile for suspicious files.

Is a supported file type. Executable files are always supported. See this knowledge base article for a list of supported file types.


	Note Because the file was not detected as malicious, it was not blocked and has been delivered to the requester.


	Important To receive Advanced File Analysis alerts, which is the mechanism used to send information about files found to be malicious by analysis, you must enable and configure email or SNMP alerts. Go to Settings > Alerts > Enable Alerts. Select Enable email alerts and specify an Administrator email address. Also confirm that your SMTP settings are correct. Select Enable SNMP alerts and provide information about your SNMP Trap system. Then, enable Advanced File Analysis Alerts on the Settings > Alerts > Suspicious Activity Alerts page.

Important

The Content Gateway web proxy manages on-premises File Sandboxing traffic.

Traffic is sent to:

*.websense.net

*.blackspider.com

The User-Agent is ssbc.

File Sandboxing traffic must not be subject to man-in-the-middle decryption, and cannot be challenged for authentication by any device in the network.

Filter.config rules are configured, by default, in Content Gateway. If Content Gateway is in a proxy chain or behind a firewall, those devices may have to be configured to meet the requirements described above.

You can test your configuration to ensure that File Sandboxing is properly configured in your deployment via the Real-time Analysis Test Pages section of http://testdatabasewebsense.com/

What does a advanced file analysis transaction look like?

An end user browses to a website and explicitly or implicitly downloads a file.

The URL is not categorized as "malicious" and Security Threats: File Analysis does not find the file to be malicious.

The file is delivered to the requester.

However, the file fits the Security Labs profile for suspicious files and is sent to the selected location for analysis.

The file is analyzed.

If the file is found to be malicious, a malicious file detection message to the configured alert recipient. The alert email includes links to provide additional detail and to an investigative report created from your log records (examples below).

Upon receipt of the message, administrators should:

Access and evaluate the Advanced File Analysis report. See Advanced File Analysis report for information on using that report.

Examine the investigative report for the incident.

Assess the impact of the intrusion in their network.

Plan and begin remediation.

If the File Sandbox option was selected:

File Sandboxing updates the ThreatSeeker® Intelligence Cloud with information about the file, the source URL, and the command and control targets.

ThreatSeeker updates the Master Database, ACE analytic databases, and other security components, which are then pulled by web protection deployments.

The next time someone tries to browse the site, they and the organization are protected by their TRITON AP-WEB deployment.

Advanced File Analysis alert messages and reports

When a malicious file has been detected, a plain-text alert email is sent to the configured administrator.


	Important To receive Advanced File Analysis alerts, which is the mechanism used to send information about files found to be malicious by analysis, you must enable and configure email or SNMP alerts.

In the body, the User field includes the user name only if user authentication was used to identify the client. Otherwise, the client IP address appears in the field.

Two links are included. The first links to either a detailed File Sandboxing report on the file and its malicious contents or to the Threat Protection Appliance and a detailed report. (You may first be prompted for logon credentials.) The second launches an investigative report, using your log records, for the time period in which the file download occurred. Depending on your browser, you may have to enable popups to allow the report to be displayed. Also note that you may receive the advance file analysis alert message before TRITON AP-WEB has written all of the transaction records in the Log Database. Periodically refresh the report to include pending records.


	Note If Threat Protection was installed using a hostname, the link will work only if the hostname is resolvable on the network.