Payload analysis

After you enable inline payload analysis in a policy, you can select how ETP proxy scans these types of files:

  • Small. Files that are less than 5 MB in size.

  • Large. Files that are 5 MB to 2 GB in size.

  • Huge. Files that are more than 2 GB in size.

In a policy, you select the action that's associated with large and huge file types. By default, with inline payload analysis, small files (files that are less than 5 MB) are always scanned inline or before the file is downloaded.

File Type | Action | Description
--- | --- | ---
Small | Inline scanning | Scans files or website content before end users see downloaded content. This action is available for small files (files that do not exceed 5 MB). For more information, see Inline payload analysis.
Large | Block - Error Page | Blocks the end user from downloading the file. When a download is attempted, the end user is presented with a custom error page to indicate that the operation is not allowed.
Large | Allow and Scan | Scans large files up to 2 GB with static malware analysis. This action (1) allows the end user to download the file, and (2) scans the file within a four hour period; if the file is malicious, a threat event is reported. By default, this action is enabled for large files. For more information, see [Static malware analysis of large files](doc:payload-analysis#static-malware-analysis-of-large-files). With the Allow and Scan action, you can enable dynamic analysis to scan files that are 5 MB to 100 MB in size within an isolated sandbox environment; for more information, see Dynamic malware analysis. To scan large files, your organization needs to be licensed for Advanced Sandbox.
Large | Bypass | Allows the end user to download the file. No file scanning occurs.
Huge | Block - Error Page | Blocks the end user from downloading the file. When a download is attempted, the end user is presented with a custom error page. By default, this action is enabled for huge files. Note: Some web servers use HTTP streaming without providing the file size when the download begins. In this case, ETP starts the download process, but it cancels and blocks the download of a huge file in the middle of the process based on this policy action. No error page is shown in this situation.
Huge | Allow | Allows end users to download the file. No file scanning occurs.
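As an added example (not Akamai's code), the size tiers and actions in the table above modelled as a decision function, including the streaming case where the file size is not known up front; the policy dictionary keys, the function names and the byte counts used as input are assumptions.

```python
"""Decision model for the ETP size tiers and actions in the table above.
Added example, not Akamai's code: the policy keys, function names and the
byte counts used as sample input are assumptions/constructed."""

MB = 1024 * 1024
GB = 1024 * MB
SMALL_LIMIT = 5 * MB      # small: less than 5 MB, always scanned inline
LARGE_LIMIT = 2 * GB      # large: 5 MB to 2 GB; huge: more than 2 GB
DYNAMIC_LIMIT = 100 * MB  # dynamic (sandbox) analysis covers 5 MB to 100 MB


def size_tier(content_length):
    """Map a known file size in bytes to the page's three tiers."""
    if content_length < SMALL_LIMIT:
        return "small"
    if content_length <= LARGE_LIMIT:
        return "large"
    return "huge"


def decide(content_length, policy):
    """Return (tier, action, scans) for a download whose size is known.
    policy is an assumed dict: large_action, huge_action, dynamic_analysis.
    scans names the engines that see the file: inline (before the browser
    gets it), static (out of band, within four hours) and dynamic (sandbox;
    only when enabled and the file is at most 100 MB)."""
    tier = size_tier(content_length)
    if tier == "small":
        return tier, "Inline scanning", ["inline"]
    if tier == "huge":
        return tier, policy["huge_action"], []  # huge files are never scanned
    action = policy["large_action"]
    scans = []
    if action == "Allow and Scan":
        scans.append("static")
        if policy.get("dynamic_analysis") and content_length <= DYNAMIC_LIMIT:
            scans.append("dynamic")
    return tier, action, scans


def stream_without_length(chunk_sizes, policy):
    """Streaming response with no size up front: the body is passed through and,
    if huge files are blocked, cancelled once the bytes seen exceed 2 GB."""
    received = 0
    for size in chunk_sizes:
        received += size
        if received > LARGE_LIMIT and policy["huge_action"] == "Block - Error Page":
            return "cancelled", received
    return "completed", received
```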

Inline payload analysis

Organizations that are licensed for ETP Advanced Threat can enable inline payload analysis to scan content on websites. For example, this feature allows ETP to scan a file like a PDF or an image.

If the proxy is enabled, you can enable inline payload analysis in a policy.

When inline payload analysis is enabled, malware scanning is performed on responses from the origin server. HTTP and HTTPS payloads from risky domains, and files in a file sharing application, are scanned. This feature allows the proxy to scan files that are up to 5 MB in size.

Note these points:

  • Inline payload analysis is applied to traffic sent through ETP Proxy.

  • With the selective proxy, only risky domains are sent to the proxy. With the full web proxy, all traffic is sent to the proxy.

When you enable inline payload analysis in a policy, you can also define how ETP handles files that exceed 5 MB. You can configure ETP to scan large files that are 5 MB to 2 GB in size after they are downloaded. For more information, see Static malware analysis of large files. If you further enable dynamic analysis, you can scan files that are 5 MB to 100 MB in an isolated sandbox environment where files are opened, executed, and observed for harmful activity. For more information, see Dynamic malware analysis.

If the payload analysis detects a threat, the response is blocked or monitored based on the action that's assigned to the malware threat category.

When you enable inline payload analysis:

  • You can also choose to block or allow files that cannot be scanned by ETP Proxy. Unscannable files are files that are encrypted or compressed. By default, this setting is disabled and these files are allowed in your enterprise.

  • ETP also analyzes websites for zero-day phishing threats. With this feature, ETP can detect webpages that were created with phishing toolkits. For more information, see Zero-day phishing detection.

You can also use inline payload analysis for DLP. With DLP, you can scan data that's uploaded by users and is up to 5 MB in size. DLP scans this data for sensitive information. For more information, see Data loss prevention.

Static malware analysis of large files

While inline payload analysis allows ETP Proxy to scan files or website content that's up to 5 MB in size, ETP Proxy cannot scan files that exceed 5 MB inline, that is, before they are downloaded to the user's browser. In ETP, you define how these larger files are handled: you can allow or block their download, and if they range from 5 MB to 2 GB in size, you can configure ETP Proxy to scan them out of band, after they are downloaded to the browser.

Static malware analysis of large files scans files offline or after they are downloaded by the end user. Static malware analysis scans the code without running or executing it. This feature is enabled when you select the Allow and Scan action for large files. These files are scanned with the same static analysis engines as small files.

If you want to analyze content when it's executed in a secure, sandbox environment with dynamic scanners, see Dynamic malware analysis. If files scanned with static malware analysis are considered suspicious and dynamic analysis is also enabled in the policy, these files are automatically analyzed in the sandbox environment with dynamic analysis.

Files are scanned within a four hour period after download. If ETP Proxy detects malware, a threat event is reported in ETP.

Because the scan occurs after the file is downloaded, the malicious file is not blocked. As a result, you may need to run an anti-virus scan on the machine where the file was downloaded or configure your organization's security information and event management (SIEM) solution to scan the machine for malware.

Note: To enable or use this feature, your organization needs to be licensed for Advanced Sandbox.

Dynamic malware analysis

If your enterprise is licensed for the Sandbox module and you selected the Allow and Scan action for large files, you can enable dynamic malware analysis. This feature scans files in a secure sandbox environment that's isolated from your network. Files are automatically scanned offline or after the file is downloaded.

Note: Currently, dynamic analysis scans files or content that range from 5 MB to 100 MB in size.

Unlike static malware analysis that scans file contents, dynamic malware analysis opens and executes the files in an isolated sandbox environment and observes whether harmful actions are detected. Sandbox thoroughly analyzes these files using a number of reverse engineering techniques to test how the files behave.

The sandbox environment:

  • Scans files offline (after the file is downloaded).

  • Uses advanced detection technology to analyze files and circumvent malware evasion techniques.

  • Executes or launches suspicious code within the controlled sandbox environment and observes its behavior.

  • Generates a report. Any malicious code and URLs are detailed in a deep scan report that's available for download in ETP reporting.

  • Data from analysis is used to identify malware in real time. This data can be used to identify malware with the same or similar code. For example, dynamic malware analysis can potentially identify zero-day phishing threats.

Note: This feature is available to organizations that are licensed for the Advanced Sandbox module.

If you enable dynamic malware analysis to scan files in a sandbox environment, it also scans files as part of inline payload analysis. Files that are scanned with static malware analysis and are considered suspicious are also scanned within the sandbox environment when the dynamic analysis feature is enabled.

If a threat is detected in the sandbox environment, a deep scan report with test and scan results is available with the associated threat event. You can download the report in PDF format. For more information, see Deep scan report for dynamic malware analysis.

Note: If scanned content uses a one-time token or a one-time URL, the token or URL may expire, or it may be used in the sandbox environment. As a result, a user's experience is interrupted when they attempt to access this content. To resolve this issue, the end user can initiate the request or download again. An ETP administrator can also add the domains for these requests to an exception list.

Deep scan report

If Dynamic Analysis is enabled and a threat was detected for a file that is 5 MB to 100 MB, a deep scan report in PDF format is available for download in ETP. You can download the report from the associated threat event. The report is available for download for 30 days.

The deep scan report details the results of scans completed in the sandbox environment. Depending on the type of content that's analyzed and the scan results, the report may contain this data.

Report Section | Field | Definition
--- | --- | ---
Summary | Analysis duration | Amount of time in seconds for the analysis.
Summary | Detonation date | The date and time the analysis was started, in UTC format.
Summary | File executed as | Indicates the type of file that was scanned.
Summary | File magic | File type information.
Summary | SHA1 | SHA-1 hash of the analyzed file or content.
Summary | SHA256 | SHA-256 hash of the extracted file.
Summary | Sandbox version | Version number of Sandbox.
Summary | File Type | The type of file that was scanned.
Summary | Submissions date | Timestamp when dynamic malware analysis was triggered by a file. The timestamp is in UTC format.
Summary | Status | Status of the scan.
Summary | Score | The score of the file that indicates whether it's malicious or not. 0 indicates the file is malicious; 100 indicates the file is not malicious.
Mitre Attack Matrix | | Lists the attack techniques that were observed in the sandbox scan.
Processes | | List of processes that were started during the analysis. The information in this section may include: Start Time (date and time the process was started, in UTC format); Process (path of the started process); Parent Process (path of the parent process); Command Line (command line that was used to start the process; this value can be a maximum of 512 characters and may be truncated if it's over this limit).
Files Activity | Files Written | Indicates that separate files were created during the analysis of the content or file. Data about the written files is provided: File Path (file path of the created file or files) and Process (path of the process).
Files Activity | Files Deleted | Lists the files that were deleted during the analysis. This data includes the file path of the deleted files.
Registry | Added Registry | Lists the registry data that was added during the analysis. These values are included in the report: Key (registry key that was added); Value (the registry key value that was added); Data (the registry data that was added); Timestamp (the date and time the key was added to the registry, in UTC format); Process (path of the process that was used to add the key to the registry).
Registry | Delete Registry | Lists the registry data that was deleted during the analysis. These values are included in the report: Key (registry key that was deleted); Timestamp (the date and time the key was deleted from the registry, in UTC format); Process (path of the process that was used to delete the registry key).
Network Activity | Connections | Lists the network connections that were detected during the analysis. For connections that were attempted, these fields are included: IP address (IP address of the remote machine); Port (port of the remote machine); Protocol (protocol used for the connection); Hostname (hostname of the remote machine); Process (if known, the path to the process that establishes the connection).
Network Activity | HTTP Flow | Lists the HTTP requests that were detected during the analysis in the sandbox environment. This data is listed in a table: URI (URL that is requested); HTTP Method (the method that was used for the traffic); HTTP User Agent (the user-agent string in the request); IP Address (IP address of the remote server); Process (if known, the path to the process that establishes the connection).
Network Activity | DNS Request | Lists the DNS requests that were detected during the analysis in the sandbox environment. These fields are listed: IP Address (IP address in the response) and Domain (hostname that was requested).
Malicious Activity | Suspicious | If a medium to highly severe signature is fired during the analysis, this field describes the activity.
Malicious Activity | Signature | Information about the signature.
Malicious Detections | | Indicates how malicious activity was classified. The values in the table of the report include: Classification (the category or name provided for threat mitigation); Classification Type (the type of classification that was given to the activity); Found in (the path, file name, application name, URL, or IP address where the malicious activity is found); Artifact Type (the type of artifact, for example a file, URL, process, or IP address); Threat Name (name of the threat).
Activity Tree | | Lists all the activities that emerged or were spawned in the sandbox environment. This includes all processes, written files, and connections that were established. Activities are shown in a tree report.
Screenshots | | List of screenshots that were taken during the analysis in the sandbox environment. A maximum of 10 screenshots are shown.
