Configure payload analysis

Before you begin

To set up ETP Proxy, you need to create and distribute a certificate to devices and TLS clients in your network. For more information, see ETP Proxy MITM certificate.

If you enable inline payload analysis, you can configure how Enterprise Threat Protector analyzes files and content on websites.

To enable dynamic or static malware analysis for large files, you need to be licensed for the Advanced Sandbox module.

For more information about payload analysis, see Payload analysis.

To configure payload analysis:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. If you are adding a new policy:

    1. On the Policies page, click the plus sign icon.

    2. Enter a name and description for the policy in the Name and Description field.

    3. In the Policy Type menu, select DNS + Proxy.

    4. To configure a policy with settings from a predefined template, select one of these templates and click Continue:

      • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.

      • Monitor-only. Logs and reports threats but does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.

      • Custom. Lets you define policy actions for known and suspected threats.

    5. To assign a location or sub-location, click the link icon for locations or sub-locations, and select one or more. Then click Associate.

  3. If you are modifying an existing policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.

  4. Click the Settings tab.

  5. In the Proxy Settings area, for the Policy Type, make sure DNS + Proxy is selected.

  6. If you enabled the proxy and your organization is licensed for Advanced Threat, toggle Enable Inline Payload Analysis to on.

  7. If your organization is enabled for Advanced Sandbox, complete these steps:

    1. For downloads that range from 5 MB to 2 GB in size (large files), select an action. You can select the Block - Error Page, Bypass, or Allow and Scan action. For more information, see Static malware analysis of large files.

    2. If you selected the Allow and Scan action for large files, the Dynamic Analysis toggle is available. To enable dynamic analysis, toggle this setting to on. For more information, see Dynamic malware analysis.

  8. For files that are greater than 2 GB (huge files), select an action. You can select either the Block - Error Page or the Allow action. For more information, see Payload analysis.

  9. In the Threat tab, select policy actions for threat categories. For more information on policy actions, see Policy actions.

  10. To add a list to the policy, see Add a Block list to a policy.

  11. To configure access control settings, see Configure access control.

  12. Click Save. If you want to save and deploy the policy, click Save and Deploy.
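Before you click Save, it helps to see what the size thresholds and option dependencies in steps 6 to 8 mean for an actual download. The following added Python model is a constructed example, not Akamai code or an ETP API: the field names are hypothetical, and treating downloads below 5 MB as covered by inline payload analysis is an assumption drawn from the 5 MB lower bound of the large-file class.

```python
from dataclasses import dataclass

MB = 1024 * 1024
GB = 1024 * MB

# Actions the Settings tab offers for each size class (from the procedure above).
LARGE_FILE_ACTIONS = ("Block - Error Page", "Bypass", "Allow and Scan")
HUGE_FILE_ACTIONS = ("Block - Error Page", "Allow")


@dataclass(frozen=True)
class PayloadPolicy:  # hypothetical model of the payload-analysis fields of a DNS + Proxy policy
    advanced_sandbox_licensed: bool
    inline_payload_analysis: bool
    large_file_action: str      # downloads of 5 MB to 2 GB
    dynamic_analysis: bool      # only offered together with Allow and Scan
    huge_file_action: str       # downloads greater than 2 GB


def validate(policy: PayloadPolicy) -> list[str]:
    """Return the dependency violations; an empty list means the combination is one the UI allows."""
    problems = []
    if policy.large_file_action not in LARGE_FILE_ACTIONS:
        problems.append(f"unknown large-file action: {policy.large_file_action!r}")
    if policy.huge_file_action not in HUGE_FILE_ACTIONS:
        problems.append(f"unknown huge-file action: {policy.huge_file_action!r}")
    if policy.large_file_action == "Allow and Scan" and not policy.advanced_sandbox_licensed:
        problems.append("static analysis of large files requires the Advanced Sandbox module")
    if policy.dynamic_analysis and policy.large_file_action != "Allow and Scan":
        problems.append("Dynamic Analysis is only available with the Allow and Scan action")
    if policy.dynamic_analysis and not policy.inline_payload_analysis:
        problems.append("Dynamic Analysis requires Enable Inline Payload Analysis")
    return problems


def handling(policy: PayloadPolicy, size_bytes: int) -> str:
    """Describe what happens to a download of size_bytes under a policy that passed validate()."""
    if not policy.inline_payload_analysis:
        return "not analyzed (inline payload analysis off)"
    if size_bytes < 5 * MB:
        return "inline payload analysis"          # assumption: below the large-file threshold
    if size_bytes <= 2 * GB:                      # large file: 5 MB to 2 GB
        if policy.large_file_action == "Allow and Scan":
            if policy.dynamic_analysis and size_bytes <= 100 * MB:
                return "allowed, static and dynamic analysis"
            return "allowed, static analysis only"  # dynamic analysis covers only 5 MB to 100 MB
        if policy.large_file_action == "Bypass":
            return "bypassed, not analyzed"
        return "blocked (error page)"
    if policy.huge_file_action == "Allow":          # huge file: greater than 2 GB
        return "allowed, not analyzed"
    return "blocked (error page)"
```

Note that with Dynamic Analysis on, a 500 MB download still receives static analysis only, and choosing Bypass for large files leaves every download from 5 MB to 2 GB unscanned.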

Next steps

If you haven’t deployed the policy, make sure you deploy it to the ETP network. For instructions, see Deploy configuration changes.

Enable static malware analysis of large files

Before you begin

To set up ETP Proxy, you need to create and distribute a certificate to devices and TLS clients in your network. For more information, see ETP Proxy MITM certificate.

Complete this procedure to scan large files (files that are 5 MB to 2 GB in size) after they are downloaded. These files are scanned while they are in a static or inactive state.

Note: To enable or use this feature, your organization needs to be licensed for Advanced Sandbox.

To enable static malware analysis of large files:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. If you are adding a new policy:

    1. On the Policies page, click the plus sign icon.

    2. Enter a name and description for the policy in the Name and Description field.

    3. In the Policy Type menu, select DNS + Proxy.

    4. To configure a policy with settings from a predefined template, select one of these templates and click Continue:

      • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.

      • Monitor-only. Logs and reports threats but does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.

      • Custom. Lets you define policy actions for known and suspected threats.

    5. To assign a location or sub-location, click the link icon for locations or sub-locations, and select one or more. Then click Associate.

  3. If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.

  4. Click the Settings tab.

  5. In the Proxy Type menu, make sure DNS + Proxy is selected.

  6. In the Payload Analysis section, toggle Enable Inline Payload Analysis to on.

  7. For downloads that range from 5 MB to 2 GB in size (large files), select the Allow and Scan action to enable static malware analysis. For more information, see Static malware analysis of large files.

  8. In the Threat tab, select policy actions for threat categories. For more information on policy actions, see Policy actions.

  9. To add a list to the policy, see Add a Block list to a policy.

  10. To configure access control settings, see Configure access control.

  11. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps

If you haven’t deployed the policy, make sure you deploy it to the ETP network. For instructions, see Deploy configuration changes.

Enable dynamic malware analysis

Before you begin

To set up ETP Proxy, you need to create and distribute a certificate to devices and TLS clients in your network. For more information, see ETP Proxy MITM certificate.

Complete this procedure to enable dynamic malware analysis. Dynamic malware analysis scans files that are 5 MB to 100 MB in size in a secure sandbox environment.

To enable this feature, your organization needs to be licensed for the Advanced Sandbox module. For more information, contact your Akamai representative.

To enable dynamic malware analysis:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. If you are adding a new policy:

    1. On the Policies page, click the plus sign icon.

    2. Enter a name and description for the policy in the Name and Description field.

    3. In the Policy Type menu, select DNS + Proxy.

    4. To configure a policy with settings from a predefined template, select one of these templates and click Continue:

      • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.

      • Monitor-only. Logs and reports threats but does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.

      • Custom. Lets you define policy actions for known and suspected threats.

    5. To assign a location or sub-location, click the link icon for locations or sub-locations, and select one or more. Then click Associate.

  3. If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.

  4. Click the Settings tab.

  5. In the Proxy Type menu, make sure DNS + Proxy is selected.

  6. If you enabled the proxy, in the Payload Analysis section, toggle Enable Inline Payload Analysis to on. If your organization is licensed for Advanced Sandbox, complete the next two steps to define how large files are handled.

  7. For downloads that range from 5 MB to 2 GB in size (large files), select the Allow and Scan action.

  8. Toggle Dynamic Analysis to on.

  9. In the Threat tab, select policy actions for threat categories. For more information on policy actions, see Policy actions.

  10. To add a list to the policy, see Add a Block list to a policy.

  11. To configure access control settings, see Configure access control.

  12. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps

If you haven’t deployed the policy, make sure you deploy it to the ETP network. For instructions, see Deploy configuration changes.

View events with deep scan report results

Use this procedure to show events that contain a deep scan report for dynamic malware analysis.

To view events with deep scan report results:

  1. In the Threat Protection menu of Enterprise Center, select Threat Analytics > Events > Threat Events.

  2. Filter data based on date and time. For more information, see Filter data based on date and time.

  3. To configure and apply a data filter, see Configure and apply a filter.

  4. Select a dimension or event criteria to define what event data is shown.

  5. Expand a group of events. For example, if you select the domain dimension, expand a domain group to show all the events that are associated with that specific domain.

  6. Click the Deep Scan Report column to sort results and show the events that contain a deep scan report at the top of the event list. Events with a deep scan report show a Download link to the report.

  7. To view specific details associated with an event, click the information icon.

Next steps

Download a deep scan report

Download a deep scan report

If you or an ETP administrator choose the Allow and Scan policy action for large files and enable dynamic analysis, you can download a deep scan report from the associated event in the Threat Events report. A deep scan report shows scan results and indicates what part of the scanned file appears to be malicious.

The deep scan report is in PDF format.

To download a deep scan report:

  1. View events with deep scan report results.

  2. To download the report from the events table, in the Deep scan report events column, click Download > Download Deep Scan Report.

  3. To download the report from the threat event details window:

    1. Click the information icon associated with the event.

    2. In the Event Details, look for the Deep Scan Report detection field.

    3. Click Download > Download Deep Scan Report.

