Manage File Inspection and File Analysis

Protect your network from malicious files using file inspection and file analysis.

Malicious files can be encountered through an explicit download, such as when a user clicks a link in an email, or through a behind-the-scenes 'drive-by' download scenario.

Secure Access offers two options for evaluating files for malicious content:

Once inspected and analyzed, Secure Access allows "good" files through and blocks the downloading of malicious files. When a malicious file is deleted, Secure Access shows the end user a block page.

Overview of Configuring File Inspection and Analysis

To maximize protection, enable both options. If File Inspection does not detect that a file is malicious, and Secure Malware Analytics is not enabled, the file can be downloaded when requested.

To configure these features:

  • Enable file inspection and analysis in a web profile and configure the features
  • Ensure that decryption is enabled in the web profile
  • Configure block notification pages and choose the applicable page in the web profile
  • Associate the web profile with an internet acces rule. See Manage Web Profiles

File Inspection Details

When File Inspection is enabled, Secure Access scans files using two features:

Cisco Advanced Malware Protection (AMP)

When File Inspection is enabled, Secure Access uses AMP to scan for malicious files.

AMP is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by the Talos Security Intelligence and Research Group, and Secure Malware Analytics intelligence feeds. The Cisco AMP engine does not do real-time sandboxing, instead, the Cisco AMP integration blocks files with a known bad reputation based on the checksum or hash of the file. The AMP checksum database is comprised of lookup and data from all AMP customers and is a dynamic global community resource shared between customers utilizing the technology.

For more information about AMP, see Advanced Malware Protection (AMP).

AMP File limitations

AMP can compute the hash of an archive file but cannot compute the hashes of files contained by archive files.

Antivirus Scanner

When File Inspection is enabled, an antivirus scanner attempts to scan all files.

The system begins streaming large files from the proxy to the user after scanning up to 50 MB to ensure that the user starts receiving the download while scanning continues in the background. If a file is identified as malicious, the connection is immediately terminated. For larger files, the user may initially experience a brief lag, but should still receive the entire file as quickly as normal—unless it's malicious.

Secure Access blocks downloads if there is a scanning error or the file is found to be corrupt. Once virus scanning is complete, the file is either delivered or the connection is terminated.

Antivirus scanner file limitations

Secure Access antivirus scanner:

  • Scans only the first 50 MB of a file and does not scan any content of files greater than 50 MB in size.
  • Decompresses and scans archives (such as .zip or .rar files) to a maximum of 16 levels of recursion, and blocks files compressed above 16 levels of recursion.
  • Cannot decompress and scan a password-protected archive as the file cannot be decompressed without a password. Secure Access can block a password-protected archive under the scanner's Protected Archive category.

Cisco Secure Malware Analytics (formerly Threat Grid) Details

Secure Malware Analytics is Cisco's malware analysis and threat intelligence platform. Secure Malware Analytics generates and gathers malware intelligence through static and dynamic runtime sample analysis, as well as from other Cisco integrations.

When you enable Secure Malware Analytics, files are first evaluated by the File Inspection engines. If files are neither known to the AMP file reputation service nor blocked by the anti-virus (AV) scanner, Secure Access can send them to Secure Malware Analytics for analysis, if this option is enabled.

When a file is submitted to Secure Malware Analytics for further examination, Secure Malware Analytics may sandbox the file so that it can be analyzed in safety to determine whether or not it is malicious.

If Secure Malware Analytics determines that a file is malicious, Secure Malware Analytics sends this information to AMP so that the File Inspection feature blocks any future attempts to download the file. (Secure Malware Analytics does not protect against the first download of a new or unknown malicious file.)

For more information about Secure Malware Analytics, see Cisco Secure Malware Analytics (formerly Threat Grid).

For essential information about enabling Secure Malware Analytics, see Enable File Analysis by Secure Malware Analytics.

Supported Files and File Limitations

Cisco Secure Malware Analytics:

  • Accepts the following file types:
    • bat, bz2, chm, dll, doc, docx, eml, exe, gz, hta, hwp, hwt, hwpx, iso, jar, jtd, jtt, jtdc, jttc, lnk, msg, msi, mhtml, rar v5, rtf, xls, xlsx, ppt, pptx, pdf, ps1, sep, slk, swf, tar, vbe, vbn, vbs, wsf, xml, xps, xz, zip, 7-zip
    • Note that this list of accepted file types includes MS Office documents, PDFs and executables.
  • Does not accept the MIME file type text/html.
  • Does not accept files greater than 50 MB in size.

For more information about supported file types, see the online help in Secure Malware Analytics, under _Sample File Types.


Secure Malware Analytics Quota

Your licensing package may not support sending unlimited files to Secure Malware Analytics. To determine your current package, navigate to Admin > Licensing. For more information, see Determine Your Current Package. See also Cisco Secure Access Packages.

If your package is limited, Secure Access can send only 500 files for analysis per rolling 24 hour period. To monitor this file count, see Monitor File Inspection and Analysis Activity.

Secure Malware Analytics Sandbox

The sandbox is a protected environment within which Secure Malware Analytics detonates unknown files to determine whether or not they are harmful.


Important! You cannot change the selected sandbox region

The first time you enable Secure Malware Analytics, you must select a sandbox region: Europe or North America.

Once selected, this location cannot be changed.

Not all files submitted to Secure Malware Analytics are sandboxed.

When you enable Secure Malware Analytics for the first time, you must choose a sandbox location. Once this location is set, you are sent an email from Secure Malware Analytics with credential information including your username and a link to reset your password, which you must do within 36 hours.

Dispute a Threat Categorization < Manage File Inspection and File Analysis > Enable File Inspection