Configuring file analysis

Administrator Help | Forcepoint Web Security | v8.5.x

Related topics:

Configuring Content Gateway analysis

Configuring content categorization

Configuring content security

Content Gateway outbound security analysis

Content Gateway advanced analysis options

Configuring exceptions to Content Gateway analysis

Reporting on advanced real-time analysis

File analysis inspects files that users attempt to download or open remotely for viruses and other malicious content. File analysis returns a category to Filtering Service for policy enforcement.

There are 4 types of file analysis. They can be used together.

Three types of analysis are done by Content Gateway.

Antivirus Scanning uses antivirus definition files to identify virus-infected files.

Rich Internet application scanning examines Flash files for malicious content.

FTP file scanning examines inbound FTP files for malicious content.

You can configure the specific types of files to analyze by clicking File Type Options.


	Note If file analysis is configured to include multimedia files, sometimes when the streaming media is buffered and analyzed, the connection to the server times out. In such cases, the best remedy is to create an exception for that site. See Configuring exceptions to Content Gateway analysis.

Use the Settings > Scanning > Scanning Exceptions page to specify untrusted or trusted sites that are always analyzed or never analyzed (Configuring exceptions to Content Gateway analysis).

Use the Settings > Scanning > Scanning Options page to enable and configure file analysis.

The fourth type of file analysis is Advanced File Analysis, which sends files that fit a profile defined by Forcepoint Security Labs to a configurable destination for activation and observation. If analysis finds a file to be malicious, an email alert is sent to the configured administrator that contains a description of the threat, a link to a detailed report, and a link to an investigative report built from your Log Database.

Advanced file analysis requires a Forcepoint Advanced Malware Detection solution. A full description is included in the step-by-step configuration section, below.

Antivirus Scanning

Select Off to disable antivirus analysis.

Select On (default) to enable antivirus analysis of files from uncategorized sites and files from sites with elevated risk profiles, as identified by Forcepoint Security Labs.

Select Aggressive analysis to apply antivirus analysis to inbound files from sites with elevated risk profiles and from sites with lower risk profiles. This option is enabled by default.

Rich Internet application scanning

Select Scan rich Internet applications to analyze Flash files for malicious content.

FTP file scanning

Select Scan FTP files to analyze files that are downloaded with the FTP protocol. (FTP over HTTP file downloads and uploads are subject to the HTTP/HTTPS file scanning settings.) To be meaningful, this option requires that Content Gateway be configured to proxy FTP traffic. See the Content Gateway Manager Help.

File Type Options

To specify the types of files Content Gateway is to analyze, click File Type Options. As a best practice, analyze all suspicious files, as identified by Forcepoint Security Labs, and all executable and unrecognized files.

To always analyze files having a specific extension, select Files with the following extensions, enter the extension in the entry field and click Add.

To remove an extension from the list, click on the extension to select it, and click Delete.

When you are done configuring file analysis options, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Several presentation reports provide details about attempts to download files containing security risks. These reports are listed in the Report Catalog only after analysis activity has detected sites whose activity has changed since it was assigned a Forcepoint URL Database category. See Presentation reports for more information.

See Managing traffic based on file type for information about blocking files based on type and URL category.

Advanced File Analysis


	Note At least one of the Content Gateway analysis options must be enabled for files to be sent for advanced file analysis.

Check the box next to Enable Advanced File Analysis.

Open the Advanced File Analysis platform drop-down.

If you have purchased Forcepoint Advanced Malware Detection for Web, you can select Cloud Service.

Control the types of files sent to the cloud-based service. Check the box next to the general file types listed to keep those file types from being sent to the file sandbox. By default, none of the boxes are checked; all suspicious files are sent.

Note that analysis is performed to determine a file's true type.

When a file type is selected for "Do not submit", both the true file type and the file extension are used to determine that the file will not be sent to the cloud.

Caution: Electing not to send file types to the service may expose the network to unknown risk. Select the file types based on proper risk assessment. Balance the privacy risks involved in sending files to the service against the security risks involved in not sending them.

To not send files having a specific extension, check Files with the following extensions, enter file extensions in the input box provided, and click Add. Multiple file extensions can be added in a comma separated list.

To remove an entry from the list, highlight a file extension and click Delete .


	Note With the Hybrid Module, the File Sandboxing option available with Forcepoint Web Security Cloud is enabled if Advanced File Analysis is enabled and Cloud Service is selected.

If you have purchased Forcepoint Advanced Malware Detection, you can select On Premises from the drop-down.

By default, images and txt files are not sent to the appliance.

Enter the IP address of the Controller (prod1 [P] interface) in the Controller IP address entry field.

Click Check Status to confirm that the appliance is installed at that IP address. This check does not ensure connection to Content Gateway.

When you are done configuring advance file analysis options, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

A file that qualifies for advanced file analysis:

Is not classified as "malicious" in the Forcepoint URL Database.

Passes all selected Security Threats: File Analysis analytics.

Fits the Forcepoint Security Labs profile for suspicious files.

Is a supported file type. Executable files are always supported. See this knowledge base article for a list of supported file types.


	Note Because the file was not detected as malicious, it was not blocked and has been delivered to the requester.

Important

To receive advanced file analysis alerts, which is the mechanism used to send information about files found to be malicious by analysis, you must enable and configure email or SNMP alerts.

Go to Settings > Alerts > Enable Alerts.

Select Enable email alerts and specify an Administrator email address.

Confirm that your SMTP settings are correct.

Select Enable SNMP alerts and provide information about your SNMP Trap system.

Enable Advanced File Analysis Alerts on the Settings > Alerts > Suspicious Activity Alerts page.

Important

The Content Gateway web proxy manages traffic sent to Forcepoint Advanced Malware Detection for Web.

Traffic is sent to:

*.websense.net

*.blackspider.com

The User-Agent is ssbc.

Traffic sent to the cloud-based service must not be subject to man-in-the-middle decryption, and cannot be challenged for authentication by any device in the network.

Filter.config rules are configured, by default, in Content Gateway. If Content Gateway is in a proxy chain or behind a firewall, those devices may have to be configured to meet the requirements described above.

To verify that Forcepoint Advanced Malware Detection for Web is properly configured, use the Real-time Analysis Test Pages section of the following website:

http://testdatabasewebsense.com/

What does an advanced file analysis transaction look like?

An end user browses to a website and explicitly or implicitly downloads a file.

The URL is not categorized as "malicious" and Security Threats: File Analysis does not find the file to be malicious.

The file is delivered to the requester.

However, the file fits the Forcepoint Security Labs profile for suspicious files and is sent to the selected location for analysis.

The file is analyzed.

If the file is found to be malicious, a malicious file detection message is sent to the configured alert recipient. The alert email includes links to provide additional detail and to an investigative report created from your log records (examples below).

Upon receipt of the message, administrators should:

Access and evaluate the Advanced File Analysis report. See Advanced File Analysis report for information about using that report.

Examine the investigative report for the incident.

Assess the impact of the intrusion in their network.

Plan and begin remediation.

If the File Sandbox option was selected:

Forcepoint Advanced Malware Detection for Web updates Forcepoint ThreatSeeker Intelligence with information about the file, the source URL, and the command and control targets.

Forcepoint ThreatSeeker Intelligence updates the Forcepoint URL Database, ACE analytic databases, and other security components, which are then pulled by web protection deployments.

The next time someone tries to browse the site, they and the organization are protected by their Forcepoint Web Security deployment.

Advanced file analysis alert messages and reports

When a malicious file has been detected, a plain-text alert email is sent to the configured administrator.


	Important To receive alerts about files found to be malicious by advanced file analysis, you must enable and configure email or SNMP alerts.

In the body, the User field includes the user name only if user authentication was used to identify the client. Otherwise, the client IP address appears in the field.

Two links are included.

The first links to either a detailed report on the file and its malicious contents, either in the cloud or on the appliance. (You may first be prompted for logon credentials.)


	Note If the Forcepoint Advanced Malware Detection was installed using a hostname, the link will work only if the hostname is resolvable on the network.

The second launches an investigative report, using your log records, for the time period in which the file download occurred.

Depending on your browser, you may have to enable popups to allow the report to be displayed.

You may receive the advance file analysis alert message before Forcepoint Web Security has written all of the transaction records in the Log Database. Periodically refresh the report to include pending records.