Web Content & Security tab
 
Use the Web Content & Security tab of the Web > Policies page for a selected policy to configure advanced analysis options, including exceptions. This tab is available for Forcepoint Web Security Cloud only.
Advanced Classification Engine (ACE) analysis overview
ACE advanced analysis includes:
* Real-Time Content Classification returns a category for URLs that have not already been blocked by the active policy, and:
*
*
Content classification adapts to rapidly-changing web content, including user-generated content, such as that found on social-networking sites.
Optionally, you can select Analyze links embedded in Web content as part of content classification to provide more accurate categorization of certain types of content. For example, a page that otherwise has little or no undesirable content, but that links to sites known to have undesirable content, can be more accurately categorized. Link analysis is particularly good at finding malicious links embedded in hidden parts of a page, and in detecting pages returned by image servers that link thumbnails to undesirable sites.
* Real-Time Security Classification analyzes web pages in real time to discover security threats and malicious code in HTTP. You can enable advanced analysis for one of the following:
*
*
 
Note: You must enable Real-Time Security Classification to use the options on the Application Controls tab. See Application Control tab.
* Antivirus File Analysis - Inbound analyzes files using traditional antivirus (AV) definitions to find virus-infected files that users are attempting to download.
* Advanced Detection File Analysis - Inbound analyzes files using advanced detection techniques to discover malicious content, such as viruses, Trojan horses, and worms, returning a threat category for policy enforcement.
You can configure the specific types of files to analyze under File Type Analysis Options. Note that executable file analysis is configured separately (see Configuring file analysis).
 
Note 
* Rich Internet Application Analysis is applied to active content like Flash and Silverlight to detect and block malicious content.
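To illustrate the embedded-link analysis described above under Real-Time Content Classification, the following added example (not Forcepoint code, and not a description of how ACE is implemented) walks a page's HTML, flags links to known-bad hosts, and records whether each one sits inside a hidden element or wraps a thumbnail image. The host-to-category map, the category labels, the sample page, and the rule that the first bad link sets the page's category are all assumptions; the parser expects reasonably well-formed markup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed reputation data (host -> category label), not a real feed.
KNOWN_BAD = {"malware.example": "Malicious Web Sites",
             "adult.example": "Adult Content"}
VOID = {"img", "br", "hr", "input", "meta", "link"}  # elements with no end tag
# Constructed sample page: one ordinary link, one hidden link, one thumbnail link.
SAMPLE = ('<p>Holiday photos</p><a href="/about">About</a>'
          '<div hidden><b><a href="http://malware.example/k">x</a></b></div>'
          '<a href="https://adult.example/full/1"><img src="/thumbs/1.jpg"></a>')

class LinkAnalyzer(HTMLParser):
    """Collects links to known-bad hosts, noting hidden and thumbnail links."""
    def __init__(self):
        super().__init__()
        self.stack = []      # one flag per open element: is it hidden?
        self.anchor = None   # finding for the bad <a> currently open, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = ("hidden" in a or "display:none" in style
                  or "visibility:hidden" in style or any(self.stack))
        if tag == "a":
            host = urlparse(a.get("href") or "").hostname or ""
            self.anchor = None
            if host in KNOWN_BAD:
                self.anchor = {"host": host, "category": KNOWN_BAD[host],
                               "hidden": hidden, "thumbnail": False}
                self.findings.append(self.anchor)
        elif tag == "img" and self.anchor is not None:
            self.anchor["thumbnail"] = True  # image wrapped in a bad link
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag == "a":
            self.anchor = None
        if tag not in VOID and self.stack:
            self.stack.pop()

def classify(page_category, html):
    """Assumed policy: the first bad link found sets the page's category."""
    parser = LinkAnalyzer()
    parser.feed(html)
    found = parser.findings
    return (found[0]["category"] if found else page_category), found
```

Calling `classify("Travel", SAMPLE)` recategorizes the otherwise harmless page because of the two embedded links.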
There are also two ACE outbound traffic analysis options that are enabled by default and cannot be turned off. This ensures that viruses and other malicious content cannot be sent from your network.
* Antivirus and Advanced Detection File Analysis - Outbound parallels the inbound file analysis applied by the Antivirus File Analysis and Advanced Detection File Analysis.
* Bot and Spyware "phone home" Traffic Analysis detects phone-home communication attempts from malware in your network and ensures that they are categorized and blocked.
The cloud service must analyze and block outbound malicious traffic to protect itself from being perceived as a malicious actor. Some origin servers blocklist client IP addresses if they detect malicious communications or hacking attempts. If malicious communications were permitted to pass through the cloud proxies, the proxies themselves would be blocklisted. This could mean that a single infected client causes all clients browsing via the same cluster to be blocklisted.
This traffic is also logged, so you can run a report to obtain a list of the infected computers in your network.
Configuring ACE analysis settings
On the Web Content & Security tab for the selected policy:
1. To enable content security, select Real-Time Content Classification.
2. Select Analyze links embedded in Web content to include embedded link analysis in content categorization. Requests that are blocked as a result of link analysis are logged and can be viewed in Analysis Activity reports.
3. To enable security analysis, select Real-Time Security Classification.
   * Select Analyze content from sites with elevated risk profiles to enable file analysis on files from uncategorized sites and files from sites with elevated risk profiles, as identified by Security Labs.
   * Select Analyze content from sites with elevated risk profiles and from sites with lower risk profiles to analyze inbound files. This option is resource intensive.
4. Select Antivirus File Analysis - Inbound to enable file analysis with antivirus definitions.
   * Select Analyze content from sites with elevated risk profiles to enable file analysis on files from uncategorized sites and files from sites with elevated risk profiles, as identified by Security Labs.
   * Select Analyze content from sites with elevated risk profiles and from sites with lower risk profiles to analyze inbound files. This option is resource intensive.
5. Select Advanced Detection File Analysis - Inbound to enable advanced detection file analysis.
   * Select Analyze content from sites with elevated risk profiles to enable file analysis on files from uncategorized sites and files from sites with elevated risk profiles, as identified by Security Labs.
   * Select Analyze content from sites with elevated risk profiles and from sites with lower risk profiles to analyze inbound files. This option is resource intensive.
 
Note 
6. Select Rich Internet Application analysis to analyze Flash, Silverlight, and similar files for malicious content.
7. Click Save.
To manage which file types are analyzed, continue with Configuring file analysis.
To configure exceptions to advanced analysis, see Analysis exceptions.

Copyright 2024 Forcepoint. All rights reserved.