After you enable inline payload analysis in a policy, you can select how SIA proxy scans these types of files:
Small. Files that are less than 5 MB in size.
Large. Files that are 5 MB to 2 GB in size.
Huge. Files that are more than 2 GB in size.
In a policy, you select the action that's associated with large and huge file types. By default, with inline payload analysis, small files (files that are less than 5 MB) are always scanned inline or before the file is downloaded.
|Small||Inline scanning||Scans files or website content before end users see downloaded content. This action is available for small files (files that do not exceed 5 MB).|
For more information, see Inline payload analysis.
|Large||Block - Error Page||Blocks the end user from downloading the file. When a download is attempted, the end user is presented with a custom error page to indicate that the operation is not allowed.|
|Large||Allow and Scan||Scans large files up to 2 GB with static malware analysis. This action:|
With the Allow and Scan action, you can enable dynamic analysis to scan files that are 5 MB to 100 MB in size within an isolated, sandbox environment. For more information, see Dynamic malware analysis.
To scan large files, your organization needs to be licensed for Advanced Sandbox.
|Large||Bypass||Allows the end user to download the file. No file scanning occurs.|
|Huge||Block - Error Page||Blocks the end user from downloading the file. When a download is attempted, the end user is presented with a custom error page.|
By default, this action is enabled for huge files.
Note: Some web servers use HTTP streaming without providing file size when the download begins. In this case, SIA starts the download process, but it cancels and blocks the download of a huge file in the middle of the process based on this policy action. No error page is shown in this situation.
|Huge||Allow||Allows end users to download the file. No file scanning occurs.|
Inline payload analysis
Organizations that are licensed for SIA Advanced Threat can enable inline payload analysis to scan content on websites. For example, this feature allows SIA to scan a file like a PDF or an image.
If the proxy is enabled, you can enable inline payload analysis in a policy.
When inline payload analysis is enabled, malware scanning is performed on responses from the origin server. The HTTP and HTTPS payload from risky domains or files in a file sharing application are scanned. This feature allows the proxy to scan files that are up to 5 MB in size.
Note these points:
Inline payload analysis is applied to traffic sent through SIA Proxy.
With the selective proxy, only risky domains are sent to the proxy. With the full web proxy, all traffic is sent to the proxy.
When you enable inline payload analysis in a policy, you can also define how SIA handles files that exceed 5 MB. You can configure SIA to scan large files that are 5 MB to 2 GB in size after they are downloaded. For more information, see Static malware analysis of large files. If you further enable dynamic analysis, you can scan files that are 5 MB to 100 MB in an isolated sandbox environment where files are opened, executed, and observed for harmful activity. For more information, see Dynamic malware analysis.
If the payload analysis detects a threat, the response is blocked or monitored based on the action that's assigned to the malware threat category.
When you enable inline payload analysis:
You can also choose to block or allow files that cannot be scanned by SIA Proxy. Unscannable files are files that are encrypted or compressed. By default, this setting is disabled and these files are allowed in your enterprise.
SIA also analyzes websites for zero-day phishing threats. With this feature, SIA can detect webpages that were created with phishing toolkits. For more information, see Zero-day phishing detection.
You can also use inline payload analysis for DLP. With DLP, you can scan data that's uploaded by users and is up to 5 MB in size. DLP scans this data for sensitive information. For more information, see Data loss prevention.
Static malware analysis of large files
While inline payload analysis allows SIA Proxy to scan files or website content that's up to 5 MB in size, SIA Proxy cannot scan files that exceed 5 MB inline or before it's downloaded to the user's browser. In SIA, you define how larger files are handled. You can allow or block the download of these larger files. If these files range from 5 MB to 2 GB in size, you can configure SIA Proxy to scan these files out of band or after they are downloaded to the browser.
Static malware analysis of large files scans files offline or after they are downloaded by the end user. Static malware analysis scans the code without running or executing it. This feature is enabled when you select the Allow and Scan action for large files. These files are scanned with the same static analysis engines as small files.
If you want to analyze content when it's executed in a secure, sandbox environment with dynamic scanners, see Dynamic malware analysis. If files scanned with static malware analysis are considered suspicious and dynamic analysis is also enabled in the policy, these files are automatically analyzed in the sandbox environment with dynamic analysis.
Files are scanned within a four hour period after download. If SIA Proxy detects malware, a threat event is reported in SIA.
Because the scan occurs after the file is downloaded, the malicious file is not blocked. As a result, you may need to run an anti-virus scan on the machine where the file was downloaded or configure your organization's security information and event management (SIEM) solution to scan the machine for malware.
To enable or use this feature, your organization needs to be licensed for Advanced Sandbox.
Dynamic malware analysis
If your enterprise is licensed for the Sandbox module and you selected the Allow and Scan action for large files, you can enable dynamic malware analysis. This feature scans files in a secure sandbox environment that's isolated from your network. Files are automatically scanned offline or after the file is downloaded.
Currently, dynamic analysis scans files or content that range from 5 MB to 100 MB in size.
Unlike static malware analysis that scans file contents, dynamic malware analysis opens and executes the files in an isolated sandbox environment and observes whether harmful actions are detected. Sandbox thoroughly analyzes these files using a number of reverse engineering techniques to test how the files behave.
The sandbox environment:
Scans files offline (after the file is downloaded).
Uses advanced detection technology to analyze files and circumvent malware evasion techniques.
Executes or launches suspicious code within the controlled sandbox environment and observes its behavior.
Generates a report. Any malicious code and URLs are detailed in a deep scan report that's available for download in SIA reporting.
Data from analysis is used to identify malware in real time. This data can be used to identify malware with the same or similar code. For example, dynamic malware analysis can potentially identify zero-day phishing threats.
This feature is available to organizations that are licensed for the Advanced Sandbox module.
If you enable dynamic malware analysis to scan files in a sandbox environment, it also scans files as part of inline payload analysis. Files that are scanned with static malware analysis and are considered suspicious are also scanned within the sandbox environment when the dynamic analysis feature is enabled.
If a threat is detected in the sandbox environment, a deep scan report with test and scan results is available with the associated threat event. You can download the report in PDF format. For more information, see Deep scan report for dynamic malware analysis.
If scanned content uses a one-time token or a one-time URL, the token or URL may expire, or it may be used in the sandbox environment. As a result, a user's experience is interrupted when they attempt to access this content. To resolve this issue, the end user can initiate the request or download again. An SIA administrator can also add the domains for these requests to an exception list.
Deep scan report
If Dynamic Analysis is enabled and a threat was detected for a file that is 5 MB to 100 MB, a deep scan report in PDF format is available for download in SIA. You can download the report from the associated threat event. The report is available for download for 30 days.
The deep scan report details the results of scans completed in the sandbox environment. Depending on the type of content that's analyzed and the scan results, the report may contain this data.
|Summary||Analysis duration||Amount of time in seconds for the analysis.|
|Summary||Detonation date||The date and time the analysis was started in UTC format.|
|Summary||File executed as||Indicates the type of file that was scanned.|
|Summary||File magic||File type information.|
|Summary||SHA1||SHA-1 hash of the analyzed file or content.|
|Summary||SHA256||SHA-256 hash of the extracted file.|
|Summary||Sandbox version||Version number of Sandbox.|
|Summary||File Type||The type of file that was scanned.|
|Summary||Submissions date||Timestamp when dynamic malware analysis was triggered by a file. The timestamp is in UTC format.|
|Summary||Status||Status of the scan.|
|Summary||Score||The score of the file that indicates whether it’s malicious or not.|
|Mitre Attack Matrix||Lists the attack techniques that were observed in the sandbox scan.|
|Processes||List of processes that were started during the analysis. The information in this section may include: |
|Files Activity||Files Written||Indicates that separate files were created during the analysis of the content or file. Data about the written files are provided. This data includes: |
|Files Activity||Files Deleted||Lists the files that were deleted during the analysis. This data includes the file path of the deleted files.|
|Registry||Added Registry||Lists the registry data that was added during the analysis. These values are included in the report:|
|Registry||Delete Registry||Lists the registry data that was deleted during the analysis. These values are included in the report: |
|Network Activity||Connections||Lists the network connections that were detected during the analysis.|
For connections that were attempted, these fields are included:
|Network Activity||HTTP Flow||Lists the HTTP requests that were detected during the analysis in the sandbox environment.This data is listed in a table: |
|Network Activity||DNS Request||Lists the DNS requests that were detected during the analysis in the sandbox environment. These fields are listed:|
|Malicious Activity||Suspicious||If a medium to highly severe signature is fired during the analysis, this field describes the activity.|
|Malicious Activity||Signature||Information about the signature.|
|Malicious Detections||Indicates how malicious activity was classified. The values in the table of the report include: |
|Activity Tree||Lists all the activities that emerged or were spawned in the sandbox environment. This includes all processes, written files, and connections that were established. Activities are shown in a tree report.|
|Screenshots||List of screenshots that were taken during the analysis in the sandbox environment. A maximum of 10 screenshots are shown.|
Updated 11 months ago