Payload analysis

After you enable inline payload analysis in a policy, you can select how ​SIA​ proxy scans these types of files:

  • Small. Files that are less than 5 MB in size.

  • Large. Files that are 5 MB to 2 GB in size.

  • Huge. Files that are more than 2 GB in size.

In a policy, you select the action that's associated with large and huge file types. By default, with inline payload analysis, small files (files that are less than 5 MB) are always scanned inline or before the file is downloaded.

File type: Small
Action: Inline scanning
Description: Scans files or website content before end users see downloaded content. This action is available for small files (files that do not exceed 5 MB). For more information, see Inline payload analysis.

File type: Large
Action: Block - Error Page
Description: Blocks the end user from downloading the file. When a download is attempted, the end user is presented with a custom error page to indicate that the operation is not allowed.

File type: Large
Action: Allow and Scan
Description: Scans large files up to 2 GB with static malware analysis. This action:

  1. Allows the end user to download the file.

  2. Scans the file within a four-hour period after the download. If the file is malicious, a threat event is reported.

By default, this action is enabled for large files. For more information, see Static malware analysis of large files.

With the Allow and Scan action, you can enable dynamic analysis to scan files that are 5 MB to 100 MB in size within an isolated, sandbox environment. For more information, see Dynamic malware analysis.

To scan large files, your organization needs to be licensed for Advanced Sandbox.

File type: Large
Action: Bypass
Description: Allows the end user to download the file. No file scanning occurs.

File type: Huge
Action: Block - Error Page
Description: Blocks the end user from downloading the file. When a download is attempted, the end user is presented with a custom error page. By default, this action is enabled for huge files.

Note: Some web servers use HTTP streaming without providing the file size when the download begins. In this case, SIA starts the download process, but it cancels and blocks the download of a huge file in the middle of the process based on this policy action. No error page is shown in this situation.

File type: Huge
Action: Allow
Description: Allows end users to download the file. No file scanning occurs.
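The following is an added example, not SIA's own code, that models the size tiers and per-tier actions described above, including the HTTP streaming case in which the server sends no Content-Length and a huge file is cancelled mid-download without an error page. The thresholds, tier names, action names and defaults come from this page; the class and function names (PayloadPolicy, handle_download) and the chunk-size input are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Size tiers from the page: small < 5 MB, large 5 MB to 2 GB, huge > 2 GB.
MB = 1024 * 1024
GB = 1024 * MB
SMALL_LIMIT = 5 * MB
LARGE_LIMIT = 2 * GB

# Action names from the page, and which tiers accept them.
INLINE_SCAN = "Inline scanning"
BLOCK = "Block - Error Page"
ALLOW_AND_SCAN = "Allow and Scan"
BYPASS = "Bypass"
ALLOW = "Allow"
LARGE_ACTIONS = {BLOCK, ALLOW_AND_SCAN, BYPASS}
HUGE_ACTIONS = {BLOCK, ALLOW}


def tier_for_size(size: int) -> str:
    """Map a byte count to the page's size tier."""
    if size < SMALL_LIMIT:
        return "small"
    if size <= LARGE_LIMIT:
        return "large"
    return "huge"


@dataclass
class PayloadPolicy:
    """Per-tier actions (assumed class name); defaults are the page's defaults."""
    large_action: str = ALLOW_AND_SCAN
    huge_action: str = BLOCK

    def __post_init__(self) -> None:
        # Reject combinations the policy UI does not offer.
        if self.large_action not in LARGE_ACTIONS:
            raise ValueError(f"large files cannot use {self.large_action!r}")
        if self.huge_action not in HUGE_ACTIONS:
            raise ValueError(f"huge files cannot use {self.huge_action!r}")

    def action_for(self, size: int) -> str:
        tier = tier_for_size(size)
        if tier == "small":
            return INLINE_SCAN  # small files are always scanned inline
        return self.large_action if tier == "large" else self.huge_action


@dataclass
class Outcome:
    tier: str
    action: str
    result: str  # "delivered", "blocked_error_page" or "cancelled_no_error_page"
    bytes_delivered: int


def handle_download(policy: PayloadPolicy, chunk_sizes: Iterable[int],
                    content_length: Optional[int] = None) -> Outcome:
    """Apply the policy to one response.

    chunk_sizes are the byte counts of body chunks as they arrive (constructed
    input; there is no real network I/O here). With a Content-Length the tier
    is known before any byte is delivered, so a blocked file gets the error
    page and nothing is sent. Without one (HTTP streaming), the page states
    that the download starts and a huge file is cancelled mid-stream with no
    error page once the huge threshold is crossed.
    """
    if content_length is not None:
        tier = tier_for_size(content_length)
        action = policy.action_for(content_length)
        if action == BLOCK:
            return Outcome(tier, action, "blocked_error_page", 0)
        return Outcome(tier, action, "delivered", sum(chunk_sizes))

    delivered = 0
    for n in chunk_sizes:
        delivered += n
        if delivered > LARGE_LIMIT and policy.huge_action == BLOCK:
            return Outcome("huge", BLOCK, "cancelled_no_error_page", delivered)
    tier = tier_for_size(delivered)
    return Outcome(tier, policy.action_for(delivered), "delivered", delivered)
```

The streaming branch is the one worth noting when tuning the policy: because the tier is only known once the bytes have been counted, an attempted huge download is partly delivered before it is cut off, which is why the page says no error page is shown in that case.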

Inline payload analysis

Organizations that are licensed for ​SIA​ Advanced Threat can enable inline payload analysis to scan content on websites. For example, this feature allows ​SIA​ to scan a file like a PDF or an image.

If the proxy is enabled, you can enable inline payload analysis in a policy.

When inline payload analysis is enabled, malware scanning is performed on responses from the origin server. The HTTP and HTTPS payload from risky domains or files in a file sharing application are scanned. This feature allows the proxy to scan files that are up to 5 MB in size.

Note these points:

  • Inline payload analysis is applied to traffic sent through ​SIA​ Proxy.

  • With the selective proxy, only risky domains are sent to the proxy. With the full web proxy, all traffic is sent to the proxy.

When you enable inline payload analysis in a policy, you can also define how ​SIA​ handles files that exceed 5 MB. You can configure ​SIA​ to scan large files that are 5 MB to 2 GB in size after they are downloaded. For more information, see Static malware analysis of large files. If you further enable dynamic analysis, you can scan files that are 5 MB to 100 MB in an isolated sandbox environment where files are opened, executed, and observed for harmful activity. For more information, see Dynamic malware analysis.

If the payload analysis detects a threat, the response is blocked or monitored based on the action that's assigned to the malware threat category.

When you enable inline payload analysis:

  • You can also choose to block or allow files that cannot be scanned by ​SIA​ Proxy. Unscannable files are files that are encrypted or compressed. By default, this setting is disabled and these files are allowed in your enterprise.

  • ​SIA​ also analyzes websites for zero-day phishing threats. With this feature, ​SIA​ can detect webpages that were created with phishing toolkits. For more information, see Zero-day phishing detection.

You can also use inline payload analysis for DLP. With DLP, you can scan data that's uploaded by users and is up to 5 MB in size. DLP scans this data for sensitive information. For more information, see Data loss prevention.

Static malware analysis of large files

While inline payload analysis allows SIA Proxy to scan files or website content that's up to 5 MB in size, SIA Proxy cannot scan files that exceed 5 MB inline, that is, before they are downloaded to the user's browser. In SIA, you define how larger files are handled. You can allow or block the download of these larger files. If these files range from 5 MB to 2 GB in size, you can configure SIA Proxy to scan these files out of band, after they are downloaded to the browser.

Static malware analysis of large files scans files offline or after they are downloaded by the end user. Static malware analysis scans the code without running or executing it. This feature is enabled when you select the Allow and Scan action for large files. These files are scanned with the same static analysis engines as small files.

If you want to analyze content when it's executed in a secure, sandbox environment with dynamic scanners, see Dynamic malware analysis. If files scanned with static malware analysis are considered suspicious and dynamic analysis is also enabled in the policy, these files are automatically analyzed in the sandbox environment with dynamic analysis.

Files are scanned within a four-hour period after download. If SIA Proxy detects malware, a threat event is reported in SIA.

Because the scan occurs after the file is downloaded, the malicious file is not blocked. As a result, you may need to run an anti-virus scan on the machine where the file was downloaded or configure your organization's security information and event management (SIEM) solution to scan the machine for malware.
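Because the threat event arrives after the file has already reached an endpoint, the practical response is to find every machine that downloaded the file and scan it. The following is an added example, not SIA's own code, of that correlation step as a SIEM might run it: it matches malicious threat events to download records by SHA-256 and keeps only downloads inside the four-hour scan window the page describes. The event fields, the download log format and the hash values are constructed for this illustration; the page does not show SIA's event schema or any endpoint log format.

```python
import json
from datetime import datetime, timedelta

# Constructed out-of-band threat event, as the page describes: a large file
# was allowed, scanned later, and found malicious after the download completed.
# Field names are assumptions; hashes are placeholders, not real indicators.
THREAT_EVENTS = [
    {"reported_at": "2024-05-01T13:30:00+00:00", "sha256": "deadbeef" * 8,
     "verdict": "malicious", "size": 12_000_000},
]

# Constructed download records, one JSON object per line, as a proxy or
# endpoint agent might forward them to the SIEM.
DOWNLOAD_LOG = "\n".join([
    json.dumps({"ts": "2024-05-01T10:00:00+00:00", "host": "wks-017",
                "user": "alice", "sha256": "deadbeef" * 8}),
    json.dumps({"ts": "2024-05-01T10:05:00+00:00", "host": "wks-042",
                "user": "bob", "sha256": "deadbeef" * 8}),
    # Same hash but downloaded long before the scan window: not this event.
    json.dumps({"ts": "2024-05-01T01:00:00+00:00", "host": "wks-099",
                "user": "carol", "sha256": "deadbeef" * 8}),
    # Different file, never reported as malicious.
    json.dumps({"ts": "2024-05-01T11:00:00+00:00", "host": "wks-050",
                "user": "dave", "sha256": "cafebabe" * 8}),
])

# The page states large files are scanned within four hours of download, so a
# download that led to this event happened at most four hours before it.
SCAN_WINDOW = timedelta(hours=4)


def parse_ts(value: str) -> datetime:
    # ISO 8601 with an explicit offset, so comparisons are timezone-aware.
    return datetime.fromisoformat(value)


def hosts_to_scan(threat_events, download_log_text, window=SCAN_WINDOW):
    """Return {host: [sha256, ...]} for machines holding a file that a
    post-download scan later reported as malicious."""
    reported = {e["sha256"]: parse_ts(e["reported_at"])
                for e in threat_events if e["verdict"] == "malicious"}
    hits = {}
    for line in download_log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        when = reported.get(rec["sha256"])
        if when is None:
            continue
        ts = parse_ts(rec["ts"])
        if when - window <= ts <= when:
            hits.setdefault(rec["host"], []).append(rec["sha256"])
    return hits


if __name__ == "__main__":
    for host, hashes in sorted(hosts_to_scan(THREAT_EVENTS, DOWNLOAD_LOG).items()):
        print(f"{host}: run endpoint anti-virus scan for {len(hashes)} file(s)")
```

Matching on the file hash rather than the URL is deliberate: the same file is often served from several URLs, and the hash is what the threat event identifies. If your download records do not carry a hash, correlate on user and time instead and treat the result as a candidate list to be confirmed on the endpoint.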

Note: To enable or use this feature, your organization needs to be licensed for Advanced Sandbox.

Dynamic malware analysis

If your enterprise is licensed for the Sandbox module and you selected the Allow and Scan action for large files, you can enable dynamic malware analysis. This feature scans files in a secure sandbox environment that's isolated from your network. Files are automatically scanned offline or after the file is downloaded.

Note: Currently, dynamic analysis scans files or content that range from 5 MB to 100 MB in size.

Unlike static malware analysis that scans file contents, dynamic malware analysis opens and executes the files in an isolated sandbox environment and observes whether harmful actions are detected. Sandbox thoroughly analyzes these files using a number of reverse engineering techniques to test how the files behave.

The sandbox environment:

  • Scans files offline (after the file is downloaded).

  • Uses advanced detection technology to analyze files and circumvent malware evasion techniques.

  • Executes or launches suspicious code within the controlled sandbox environment and observes its behavior.

  • Generates a report. Any malicious code and URLs are detailed in a deep scan report that's available for download in ​SIA​ reporting.

  • Data from analysis is used to identify malware in real time. This data can be used to identify malware with the same or similar code. For example, dynamic malware analysis can potentially identify zero-day phishing threats.

Note: This feature is available to organizations that are licensed for the Advanced Sandbox module.

If you enable dynamic malware analysis to scan files in a sandbox environment, it also scans files as part of inline payload analysis. Files that are scanned with static malware analysis and are considered suspicious are also scanned within the sandbox environment when the dynamic analysis feature is enabled.

If a threat is detected in the sandbox environment, a deep scan report with test and scan results is available with the associated threat event. You can download the report in PDF format. For more information, see Deep scan report for dynamic malware analysis.

Note: If scanned content uses a one-time token or a one-time URL, the token or URL may expire, or it may be used in the sandbox environment. As a result, a user's experience is interrupted when they attempt to access this content. To resolve this issue, the end user can initiate the request or download again. An SIA administrator can also add the domains for these requests to an exception list.

Deep scan report

If dynamic analysis is enabled and a threat was detected for a file that is 5 MB to 100 MB, a deep scan report in PDF format is available for download in SIA. You can download the report from the associated threat event. The report is available for download for 30 days.

The deep scan report details the results of scans completed in the sandbox environment. Depending on the type of content that's analyzed and the scan results, the report may contain this data.

The report is organized by section. Each section's fields and their definitions are listed here.

Summary
  • Analysis duration. Amount of time in seconds for the analysis.
  • Detonation date. The date and time the analysis was started, in UTC format.
  • File executed as. Indicates the type of file that was scanned.
  • File magic. File type information.
  • SHA1. SHA-1 hash of the analyzed file or content.
  • SHA256. SHA-256 hash of the extracted file.
  • Sandbox version. Version number of Sandbox.
  • File Type. The type of file that was scanned.
  • Submissions date. Timestamp when dynamic malware analysis was triggered by a file. The timestamp is in UTC format.
  • Status. Status of the scan.
  • Score. The score of the file that indicates whether it's malicious or not.
      • 0 indicates the file is malicious.
      • 100 indicates the file is not malicious.

Mitre Attack Matrix
  Lists the attack techniques that were observed in the sandbox scan.

Processes
  List of processes that were started during the analysis. The information in this section may include:
  • Start Time. Date and time the process was started, in UTC format.
  • Process. Path of the started process.
  • Parent Process. Path of the parent process.
  • Command Line. Command line that was used to start the process. This value can be a maximum of 512 characters. The command line may be truncated if it's over this limit.

Files Activity
  • Files Written. Indicates that separate files were created during the analysis of the content or file. Data about the written files is provided. This data includes:
      • File Path. File path of the created file or files.
      • Process. Path of the process.
  • Files Deleted. Lists the files that were deleted during the analysis. This data includes the file path of the deleted files.

Registry
  • Added Registry. Lists the registry data that was added during the analysis. These values are included in the report:
      • Key. Registry key that was added.
      • Value. The registry key value that was added.
      • Data. The registry data that was added.
      • Timestamp. The date and time the key was added to the registry, in UTC format.
      • Process. Path of the process that was used to add the key to the registry.
  • Delete Registry. Lists the registry data that was deleted during the analysis. These values are included in the report:
      • Key. Registry key that was deleted.
      • Timestamp. The date and time the key was deleted from the registry, in UTC format.
      • Process. Path of the process that was used to delete the registry key.

Network Activity
  • Connections. Lists the network connections that were detected during the analysis. For connections that were attempted, these fields are included:
      • IP address. IP address of the remote machine.
      • Port. Port of the remote machine.
      • Protocol. Protocol used for the connection.
      • Hostname. Hostname of the remote machine.
      • Process. If known, this is the path to the process that establishes the connection.
  • HTTP Flow. Lists the HTTP requests that were detected during the analysis in the sandbox environment. This data is listed in a table:
      • URI. URL that is requested.
      • HTTP Method. Shows the method that was used for the traffic.
      • HTTP User Agent. Shows the user-agent string in the request.
      • IP Address. IP address of the remote server.
      • Process. If known, this is the path to the process that establishes the connection.
  • DNS Request. Lists the DNS requests that were detected during the analysis in the sandbox environment. These fields are listed:
      • IP Address. IP address in the response.
      • Domain. Hostname that was requested.

Malicious Activity
  • Suspicious. If a signature of medium or high severity fires during the analysis, this field describes the activity.
  • Signature. Information about the signature.

Malicious Detections
  Indicates how malicious activity was classified. The values in the table of the report include:
  • Classification. The category or name provided for threat mitigation.
  • Classification Type. The type of classification that was given to the activity.
  • Found in. The path, file name, application name, URL, or IP address where the malicious activity is found.
  • Artifact Type. The type of artifact. For example, this can be a file, URL, process, or IP address.
  • Threat Name. Name of the threat.

Activity Tree
  Lists all the activities that emerged or were spawned in the sandbox environment. This includes all processes, written files, and connections that were established. Activities are shown in a tree report.

Screenshots
  List of screenshots that were taken during the analysis in the sandbox environment. A maximum of 10 screenshots are shown.