Creating a File Policy
To create a file policy, follow these steps:
Step 1. Navigate to Policies > Access Control > Malware & File. The Malware & File Policy page appears.
Step 2. Click the New File Policy button, and the New File Policy window appears (see Figure 16-9).
Figure 16-9 Creating a New File Policy
Step 3. Name the policy and click the Save button. The file policy editor appears.
Step 4. Click the Add Rule button. The file rule editor appears.
Step 5. Select Any from the Application Protocol drop-down to detect files over multiple application protocols.
Step 6. Make a selection from the Direction of Transfer drop-down. Depending on the underlying application protocol for a file transfer, the direction can be limited. For example, the HTTP, FTP, and NetBIOS-ssn (SMB) protocols can be monitored for file transfers in any direction—upload or download. However, SMTP (upload only) and POP3/IMAP (download) support only unidirectional file transfers.
Figure 16-10 explains the reasons for unidirectional transfer with the SMTP, POP3, and IMAP protocols. Whereas SMTP is used for outbound transfers, POP3/IMAP is used to download incoming emails and any attachments.
Figure 16-10 Directions of Protocols Associated with Inbound and Outbound Emails
Step 7. Select the file type categories you want to process and click Add to add them to the rule. You can also search for specific file types directly in the search field.
Step 8. Select an action from the Action drop-down. You will find four options in the drop-down:
- Detect Files: This action detects a file transfer and logs it as a file event without interrupting the transfer.
- Block Files: This action blocks files based on the file types selected in the rule.
When blocking a file, you can optionally select the Reset Connection option. It allows the blocked application session to close before the connection times out by itself, which may take several minutes depending on the application.
Figure 16-11 displays a file rule that blocks the transfer of any system and executable files without analyzing them for malware. According to the configuration, when a file matches this rule, a threat defense sends reset packets to terminate any associated connection.
Figure 16-11 A File Rule with the Block Files Action
Figure 16-12 displays a file rule that can detect the transfer of Office documents, archive, and PDF files. This rule is not set to analyze any files for malware; however, when there is a match, it lets the threat defense store the detected files in its local storage.
Figure 16-12 Detection-Only File Rule
- Malware Cloud Lookup: This action enables a threat defense to perform malware analysis locally and remotely. The threat defense allows an uninterrupted file transfer regardless of the file’s disposition.
- Block Malware: This action is similar to the Malware Cloud Lookup action, but it enables the threat defense to block files that return a disposition of malware.
In a nutshell, the first two options—Detect Files and Block Files—allow you to control files based on their types. The last two options—Malware Cloud Lookup and Block Malware—enable you to control files based on file disposition, and the use of these options requires the malware license.
A file policy does not evaluate file rules based on their position in the policy; rather, it uses the order of actions. The order of actions is Block Files, Block Malware, Malware Cloud Lookup, and Detect Files, so when a file matches more than one rule, the rule whose action comes first in that order governs the transfer. When performing advanced analysis, a threat defense can engage Spero analysis, local malware analysis, and dynamic analysis. You can enable these detection features by selecting the check box for each in the rule editor.
Step 9. After you add rules with the desired conditions and options, click the Save button in the Add Rule window. The browser returns to the Malware and File Policy editor page.
Figure 16-13 shows the creation of two file rules. The first rule blocks system and executable files with connection reset enabled. The second rule can detect only archive file types, Office documents, and PDF files. Files that match this rule are also stored.
Figure 16-13 Two File Rules for Different File Types Applying Different Actions
The previous two file rules are able to detect and block files solely based on their file types. Those files may or may not contain malware. However, if you want to detect and block those files only when the files contain malware, you can select the Block Malware action.
Figure 16-14 shows an alternative—but intelligent—way to block files. This particular rule (which requires a malware license) enables a threat defense to block the transfer of a file and to store it locally if the file is infected with malware. When blocking the file transfer, the threat defense sends reset packets to terminate any associated connection. This rule does not allow a threat defense to store a file if the file appears to be clean. This prevents storage from getting full of clean or benign files.
Figure 16-14 A File Rule with a Block Malware Action
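The following is an added worked example, not Cisco code and not a description of the product's internals: a small Python model of the three behaviours described above, the per-protocol direction limits from Step 6, the rule selection by order of actions (Block Files, Block Malware, Malware Cloud Lookup, Detect Files) rather than by rule position, and the difference between a type-based Block Files rule and a disposition-based Block Malware rule (Figures 16-13 and 16-14). Rule names, file type category strings, and the policy list are constructed for the example; the assumption that a disposition-based rule stores only files with a Malware disposition follows the description of Figure 16-14.

```python
# Added example (not Cisco code): a model of how a file policy picks the
# governing rule for a file transfer by action precedence rather than by rule
# position, plus the per-protocol direction limits described in Step 6.
from dataclasses import dataclass

# Precedence in which matching file rules are applied (from the chapter text).
ACTION_ORDER = ("Block Files", "Block Malware", "Malware Cloud Lookup", "Detect Files")

# Directions in which each application protocol can carry a monitored transfer.
PROTOCOL_DIRECTIONS = {
    "HTTP": {"upload", "download"},
    "FTP": {"upload", "download"},
    "NetBIOS-ssn": {"upload", "download"},   # SMB
    "SMTP": {"upload"},                      # outbound mail only
    "POP3": {"download"},                    # incoming mail only
    "IMAP": {"download"},
}


@dataclass(frozen=True)
class FileRule:
    name: str
    action: str
    file_types: frozenset            # file type categories selected in the rule
    app_protocol: str = "Any"
    direction: str = "Any"
    reset_connection: bool = False
    store_files: bool = False


@dataclass(frozen=True)
class FileEvent:
    app_protocol: str
    direction: str                   # "upload" or "download"
    file_type: str
    disposition: str = "Unknown"     # malware analysis result: Malware / Clean / Unknown


def transfer_direction_supported(app_protocol: str, direction: str) -> bool:
    """True if the protocol can be monitored for transfers in that direction."""
    return direction in PROTOCOL_DIRECTIONS.get(app_protocol, set())


def rule_matches(rule: FileRule, event: FileEvent) -> bool:
    """A rule matches when its protocol, direction and file type conditions all hold."""
    if rule.action not in ACTION_ORDER:
        raise ValueError(f"unknown action: {rule.action}")
    if rule.app_protocol != "Any" and rule.app_protocol != event.app_protocol:
        return False
    if rule.direction != "Any" and rule.direction != event.direction:
        return False
    return event.file_type in rule.file_types


def governing_rule(rules, event: FileEvent):
    """Among all matching rules, the one whose action comes first in
    ACTION_ORDER wins; where the rule sits in the policy list is irrelevant."""
    matching = [r for r in rules if rule_matches(r, event)]
    if not matching:
        return None
    return min(matching, key=lambda r: ACTION_ORDER.index(r.action))


def outcome(rules, event: FileEvent) -> dict:
    """Summarise what the threat defense does with the transfer."""
    rule = governing_rule(rules, event)
    if rule is None:
        return {"rule": None, "blocked": False, "reset": False, "stored": False}
    if rule.action == "Block Files":
        blocked = True                                   # type-based, no analysis
    elif rule.action == "Block Malware":
        blocked = event.disposition == "Malware"         # disposition-based
    else:
        blocked = False                                  # lookup / detect never block
    # Type-based rules store every matching file; disposition-based rules in
    # this model store only files whose disposition is Malware (Figure 16-14).
    if rule.action in ("Detect Files", "Block Files"):
        stored = rule.store_files
    else:
        stored = rule.store_files and event.disposition == "Malware"
    return {"rule": rule.name, "blocked": blocked,
            "reset": blocked and rule.reset_connection, "stored": stored}


# Constructed policy modelled on Figures 16-13 and 16-14. The list order is
# deliberately "wrong" to show that position does not decide precedence.
POLICY = [
    FileRule("detect-docs", "Detect Files",
             frozenset({"Archive", "Office Documents", "PDF files"}), store_files=True),
    FileRule("detect-exe-too", "Detect Files", frozenset({"Executables"})),
    FileRule("block-exe", "Block Files",
             frozenset({"System files", "Executables"}), reset_connection=True),
    FileRule("block-malware-docs", "Block Malware",
             frozenset({"Office Documents"}), reset_connection=True, store_files=True),
]

if __name__ == "__main__":
    print(outcome(POLICY, FileEvent("HTTP", "download", "Executables")))
    print(outcome(POLICY, FileEvent("SMTP", "upload", "Office Documents", "Malware")))
    print(transfer_direction_supported("SMTP", "download"))
```

Running the block shows that the executable download is governed by block-exe even though detect-exe-too appears earlier in the list, that the Office document is blocked and stored only when its disposition is Malware, and that a download over SMTP is not a direction the model will ever match.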
Step 10. Optionally, on the Advanced tab, you can enable additional features for advanced analysis and inspection. Figure 16-15 shows the advanced settings of the file policy. For example, here you can adjust the threshold level of the dynamic analysis threat score for blocking files based on threat score, enable inspection of archive file types, define the depth of inspection for nested archive files, and so on.
Figure 16-15 Advanced Settings of a File Policy
Step 11. Click the Save button on the policy editor to save the changes on the file policy.