Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring file analysis
Administrator Help | Forcepoint Web Security | v8.5.x
Related topics:
File analysis inspects files that users attempt to download or open remotely for viruses and other malicious content. File analysis returns a category to Filtering Service for policy enforcement.
There are 4 types of file analysis. They can be used together.
Three types of analysis are done by Content Gateway.
*
Antivirus Scanning uses antivirus definition files to identify virus-infected files.
*
Rich Internet application scanning examines Flash files for malicious content.
*
FTP file scanning examines inbound FTP files for malicious content.
You can configure the specific types of files to analyze by clicking File Type Options.
 
Note 
Use the Settings > Scanning > Scanning Exceptions page to specify untrusted or trusted sites that are always analyzed or never analyzed (Configuring exceptions to Content Gateway analysis).
Use the Settings > Scanning > Scanning Options page to enable and configure file analysis.
The fourth type of file analysis is Advanced File Analysis, which sends files that fit a profile defined by Forcepoint Security Labs to a configurable destination for activation and observation. If analysis finds a file to be malicious, an email alert is sent to the configured administrator that contains a description of the threat, a link to a detailed report, and a link to an investigative report built from your Log Database.
Advanced file analysis requires a Forcepoint Advanced Malware Detection solution. A full description is included in the step-by-step configuration section, below.
Antivirus Scanning
1.
Select Off to disable antivirus analysis.
2.
Select On (default) to enable antivirus analysis of files from uncategorized sites and files from sites with elevated risk profiles, as identified by Forcepoint Security Labs.
3.
Select Aggressive analysis to apply antivirus analysis to inbound files from sites with elevated risk profiles and from sites with lower risk profiles. This option is enabled by default.
Rich Internet application scanning
Select Scan rich Internet applications to analyze Flash files for malicious content.
FTP file scanning
Select Scan FTP files to analyze files that are downloaded with the FTP protocol. (FTP over HTTP file downloads and uploads are subject to the HTTP/HTTPS file scanning settings.) To be meaningful, this option requires that Content Gateway be configured to proxy FTP traffic. See the Content Gateway Manager Help.
File Type Options
1.
To specify the types of files Content Gateway is to analyze, click File Type Options. As a best practice, analyze all suspicious files, as identified by Forcepoint Security Labs, and all executable and unrecognized files.
2.
To always analyze files having a specific extension, select Files with the following extensions, enter the extension in the entry field and click Add.
To remove an extension from the list, click on the extension to select it, and click Delete.
When you are done configuring file analysis options, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
Several presentation reports provide details about attempts to download files containing security risks. These reports are listed in the Report Catalog only after analysis activity has detected sites whose activity has changed since it was assigned a Master Database category. See Presentation reports for more information.
See Managing traffic based on file type for information about blocking files based on type and URL category.
Advanced File Analysis
 
Note 
1.
Check the box next to Enable Advanced File Analysis.
2.
Open the Advanced File Analysis platform drop-down.
3.
a.
Note that analysis is performed to determine a file's true type.
When a file type is selected for "Do not submit", both the true file type and the file extension are used to determine that the file will not be sent to the cloud.
Caution: Electing not to send file types to the service may expose the network to unknown risk. Select the file types based on proper risk assessment. Balance the privacy risks involved in sending files to the service against the security risks involved in not sending them.
b.
To not send files having a specific extension, check Files with the following extensions, enter file extensions in the input box provided, and click Add. Multiple file extensions can be added in a comma separated list.
To remove an entry from the list, highlight a file extension and click Delete .
4.
By default, images and txt files are not sent to the appliance.
a.
b.
Click Check Status to confirm that the appliance is installed at that IP address. This check does not ensure connection to Content Gateway.
5.
When you are done configuring advance file analysis options, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
A file that qualifies for advanced file analysis:
*
Is not classified as "malicious" in the Master Database.
*
Passes all selected Security Threats: File Analysis analytics.
*
*
 
Note 
Because the file was not detected as malicious, it was not blocked and has been delivered to the requester.
Important 
1.
Go to Settings > Alerts > Enable Alerts.
2.
Select Enable email alerts and specify an Administrator email address.
4.
Select Enable SNMP alerts and provide information about your SNMP Trap system.
5.
Enable Advanced File Analysis Alerts on the Settings > Alerts > Suspicious Activity Alerts page.
Important 
Filter.config rules are configured, by default, in Content Gateway. If Content Gateway is in a proxy chain or behind a firewall, those devices may have to be configured to meet the requirements described above.
To verify that Forcepoint Advanced Malware Detection for Web is properly configured, use the Real-time Analysis Test Pages section of the following website:
http://testdatabasewebsense.com/
What does an advanced file analysis transaction look like?
1.
2.
The URL is not categorized as "malicious" and Security Threats: File Analysis does not find the file to be malicious.
3.
4.
5.
6.
7.
a.
b.
c.
d.
8.
a.
b.
c.
Advanced file analysis alert messages and reports
When a malicious file has been detected, a plain-text alert email is sent to the configured administrator.
 
Important 
In the body, the User field includes the user name only if user authentication was used to identify the client. Otherwise, the client IP address appears in the field.
Two links are included.
*
 
Note 
*
*
*

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Copyright 2018 Forcepoint. All rights reserved.