Manage File Inspection and File Analysis

Protect your network from malicious files using file inspection and file analysis.

Malicious files can be encountered through an explicit download, such as when a user clicks a link in an email, or through a behind-the-scenes 'drive-by' download scenario.

Secure Access offers two options for evaluating files for malicious content:

  • File Inspection, which scans files with Cisco Advanced Malware Protection (AMP) and an antivirus scanner
  • File Analysis, which submits files to Cisco Secure Malware Analytics for sandbox analysis

Once inspected and analyzed, Secure Access allows "good" files through and blocks the downloading of malicious files. When a malicious file is deleted, Secure Access shows the end user a block page.

Overview of Configuring File Inspection and Analysis

To maximize protection, enable both options. If File Inspection does not detect that a file is malicious, and Secure Malware Analytics is not enabled, the file can be downloaded when requested.

To configure these features:

  • Enable file inspection and analysis in a web profile and configure the features
  • Ensure that decryption is enabled in the web profile
  • Configure block notification pages and choose the applicable page in the web profile
  • Associate the web profile with an internet access rule. See Manage Web Profiles

File Inspection Details

When File Inspection is enabled, Secure Access scans files using two features:

Cisco Advanced Malware Protection (AMP)

When File Inspection is enabled, Secure Access uses AMP to scan for malicious files.

AMP is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by the Talos Security Intelligence and Research Group and by Secure Malware Analytics intelligence feeds. The Cisco AMP engine does not do real-time sandboxing; instead, the Cisco AMP integration blocks files with a known bad reputation based on the checksum or hash of the file. The AMP checksum database comprises lookups and data from all AMP customers and is a dynamic global community resource shared between customers using the technology. For more information about AMP, see Advanced Malware Protection (AMP).

Antivirus Scanner

When File Inspection is enabled, an antivirus scanner attempts to scan all files. The system begins streaming large files from the proxy to the user after scanning up to 50 MB to ensure that the user starts receiving the download while scanning continues in the background. If a file is identified as malicious, the connection is immediately terminated. For larger files, the user may initially experience a brief lag, but should still receive the entire file as quickly as normal—unless it's malicious. Secure Access only scans the first 50 MB and does not scan the content of any files over 50 MB. For more information on file scanning size, see Limitations and Range Limits.

Archives (such as .zip or .rar files) are decompressed and scanned to a maximum of 16 levels of recursion. Files compressed above 16 levels of recursion are blocked. A password-protected archive is not scanned as it cannot be decompressed without a password. However, a password-protected archive can be blocked under the antivirus' Protected Archive category. Secure Access blocks downloads if there is a scanning error or the file is found to be corrupt. Once virus scanning is complete, the file is either delivered or the connection is terminated.

Cisco Secure Malware Analytics (formerly Threat Grid) Details

Secure Malware Analytics is Cisco's malware analysis and threat intelligence platform. Secure Malware Analytics generates and gathers malware intelligence through static and dynamic runtime sample analysis, as well as from other Cisco integrations.

When you enable Secure Malware Analytics, files are first evaluated by the File Inspection engines. If files are neither known to the AMP file reputation service nor blocked by the antivirus (AV) scanner, Secure Access can send them to Secure Malware Analytics for analysis, if this option is enabled.

When a file is submitted to Secure Malware Analytics for further examination, Secure Malware Analytics may sandbox the file so that it can be analyzed in safety to determine whether or not it is malicious.

If Secure Malware Analytics determines that a file is malicious, Secure Malware Analytics sends this information to AMP so that the File Inspection feature blocks any future attempts to download the file. (Secure Malware Analytics does not protect against the first download of a new or unknown malicious file.)

For more information about Secure Malware Analytics, see Cisco Secure Malware Analytics (formerly Threat Grid).

For essential information about enabling Secure Malware Analytics, see Enable File Analysis by Secure Malware Analytics.

Supported Files for Analysis

The following file types are supported for submission to Secure Malware Analytics:
bat, bz2, chm, dll, doc, docx, eml, exe, gz, hta, hwp, hwt, hwpx, iso, jar, jtd, jtt, jtdc, jttc, lnk, msg, msi, mhtml, rar v5, rtf, xls, xlsx, ppt, pptx, pdf, ps1, sep, slk, swf, tar, vbe, vbn, vbs, wsf, xml, xps, xz, zip, 7-zip

The following mime types are not supported for submission to Secure Malware Analytics: text/html

MS Office documents, PDFs and executables are all submitted to Secure Malware Analytics.

Files over 50 MB in size are not submitted to Secure Malware Analytics.
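The evaluation order and limits this page describes (AMP reputation, then antivirus checks on archives, then Secure Malware Analytics eligibility), modelled as an added example that is not Cisco's code. It assumes a SHA-256 set stands in for AMP's reputation database, handles only zip archives, and uses constructed sample files; the 50 MB, 16-level and text/html limits are the page's.

```python
import hashlib
import io
import zipfile

MAX_BYTES = 50 * 1024 * 1024   # page: only the first 50 MB is scanned; larger files are not submitted
MAX_DEPTH = 16                 # page: archives nested deeper than 16 levels are blocked
SMA_TYPES = {"bat", "bz2", "chm", "dll", "doc", "docx", "eml", "exe", "gz", "hta", "hwp", "hwt",
             "hwpx", "iso", "jar", "jtd", "jtt", "jtdc", "jttc", "lnk", "msg", "msi", "mhtml", "rar",
             "rtf", "xls", "xlsx", "ppt", "pptx", "pdf", "ps1", "sep", "slk", "swf", "tar", "vbe",
             "vbn", "vbs", "wsf", "xml", "xps", "xz", "zip", "7z"}
KNOWN_BAD = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}  # constructed stand-in for AMP

def archive_depth(data, level=1):
    """Return (deepest nesting level, any password-protected entry) for a zip blob."""
    deepest, protected = level, False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:          # general-purpose flag bit 0: entry is encrypted
                protected = True              # cannot be decompressed without the password
            elif info.filename.lower().endswith(".zip") and level <= MAX_DEPTH:
                d, p = archive_depth(zf.read(info), level + 1)   # stop once the limit is exceeded
                deepest, protected = max(deepest, d), protected or p
    return deepest, protected

def evaluate(name, mime, data, block_protected=False):
    """Verdict in the order the page describes: AMP reputation, antivirus, then SMA submission."""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD:
        return "block: AMP reputation"
    if len(data) > MAX_BYTES:
        return "deliver: over 50 MB, content not scanned, not submitted"
    if zipfile.is_zipfile(io.BytesIO(data)):
        depth, protected = archive_depth(data)
        if depth > MAX_DEPTH:
            return "block: archive nested beyond 16 levels"
        if protected and block_protected:        # optional Protected Archive category
            return "block: Protected Archive category"
    if name.rsplit(".", 1)[-1].lower() in SMA_TYPES and mime != "text/html":
        return "deliver: unknown, submitted to Secure Malware Analytics"
    return "deliver: not eligible for Secure Malware Analytics"

def nested_zip(levels, payload=b"constructed harmless payload"):
    """Build a zip nested `levels` deep in memory (constructed test input)."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("inner.zip" if i else "payload.txt", data)
        data = buf.getvalue()
    return data
```

A password-protected archive can be simulated for testing by setting the encryption flag bit (offset 8 of the central directory header) in a one-entry zip, since zipfile cannot write encrypted entries.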

For more information about supported file types, see the online help in Secure Malware Analytics, under Sample File Types.

Secure Malware Analytics Quota

Your licensing package may not support sending unlimited files to Secure Malware Analytics. To determine your current package, navigate to Admin > Licensing. For more information, see Determine Your Current Package. See also Cisco Secure Access Packages.

If your package is limited, Secure Access can send only 500 files for analysis per rolling 24 hour period. To monitor this file count, see Monitor File Inspection and Analysis Activity.

Secure Malware Analytics Sandbox

The sandbox is a protected environment within which Secure Malware Analytics detonates unknown files to determine whether or not they are harmful.

Important! You cannot change the selected sandbox region

The first time you enable Secure Malware Analytics, you must select a sandbox region: Europe or North America.

Once selected, this location cannot be changed.

Not all files submitted to Secure Malware Analytics are sandboxed.

When you enable Secure Malware Analytics for the first time, you must choose a sandbox location. Once this location is set, you are sent an email from Secure Malware Analytics with credential information including your username and a link to reset your password, which you must do within 36 hours.
