Cato Networks Knowledge Base

Configuring the Anti-Malware Policy

This article explains how to configure rules for the unified Anti-Malware policy, and how to create exceptions for specific files. For a general overview of the policy and the Anti-Malware and NG Anti-Malware engines, see What is the Cato Anti-Malware Policy?.

Overview of the Anti-Malware Rulebase

The Cato Anti-Malware and NG Anti-Malware engines scan WAN and Internet traffic for potentially malicious files. You can choose to use the default Cato policy that inspects all traffic, or create rules that define a custom policy to meet the requirements of your organization.

For each protection scope, configure the action that is applied to a malicious or suspicious file. You can also configure tracking options for the rules to generate alerts and email notifications.

The Anti-Malware and NG Anti-Malware engines scan HTTP, HTTPS, and FTP traffic.

Configuring the Anti-Malware Policy

After you enable the Anti-Malware and NG Anti-Malware services, you can choose to use the default policy or add block and allow rules.

The NG Anti-Malware service requires that the Anti-Malware service is also enabled. When you disable Anti-Malware, NG Anti-Malware is automatically disabled as well.

For more about the settings in the Anti-Malware policy, see Explaining the Anti-Malware Fields and Settings below.


Using the Default Anti-Malware Policy

The default Cato Anti-Malware policy scans all downloaded files in your network. You can choose to use the default policy that inspects all files, or add block and allow rules to create a custom policy. There is a final implicit rule that matches and then scans all downloaded files and blocks the ones with a suspicious or malicious verdict.

To use the default Unified Anti-Malware policy:

  1. From the navigation menu, click Security > Anti-Malware.

  2. Click the toggle to enable (green) the Anti-Malware and NG Anti-Malware services for the account.

  3. Click Save.

    The Anti-Malware default policy is enabled.

Customize the Anti-Malware Policy

You can customize the Anti-Malware policy by adding rules to scan the specified traffic and either block or allow malicious or suspicious files.

Keep the following in mind when you add rules:

  • Make sure that an allow rule has a higher priority (closer to the top of the rulebase) than a block rule that matches the same traffic.

  • Create Anti-Malware rules with the Allow action to let users download files even if they are suspicious or malicious. For example, you can add a rule that allows the IT department to download such files.

For each rule, you can configure the following in the New panel for new rules, and in the Edit panel for existing rules:

  • Name of the Anti-Malware rule

  • Rule Order to define the priority of the rule (rules that are at the top of the rulebase have a higher priority)

  • Scope to define the scope of the traffic that the Cato Cloud scans for downloaded files (All, WAN, or Internet)

  • Source: to define the source of the traffic for this rule

  • What to apply the action only to traffic that matches the selected objects

  • Verdict to select types of files the rule is applied to (All files, Suspicious, or Malicious)

  • Action to select whether the rule will Block or Allow files that match

  • Track options to define when a rule generates an Event and sends an Email Notification for matching traffic

To add rules to customize the Anti-Malware policy:

  1. From the navigation menu, click Security > Anti-Malware.

  2. Click New.

    The New panel opens.

  3. Enter the Name for the rule.

  4. Use the slider to enable (green) or disable (gray) the rule.

  5. By default, the Rule Order is assigned in sequential order with the new rule at the bottom of the rulebase. You can change the order when creating the rule or directly in the rulebase table.

  6. Configure the Scope of the traffic for this rule: All, WAN, or Internet.

  7. In the Source section, search for or select one or more object types.

  8. Define What the rule applies to, for example a service, an application, or a custom or predefined category.

  9. Configure the Verdict of the scan that this rule blocks or allows. Options are: All files (the default value), Suspicious, or Malicious.

  10. Expand the Actions section for the rule.

    1. Click Actions and select Block or Allow.

    2. (Optional) Configure Track options to generate Event and Email Notifications and set the time when the rule is active. For more information, see: Working with Email Notifications for the Account.

  11. Click Apply.

    The rule is added to the Anti-Malware policy.

  12. Click Save.

    The rule is saved.

Managing the Anti-Malware Policy

This section explains how to manage the rules in the Anti-Malware policy, including changing the rule priority and enabling, disabling, and deleting rules.

Changing the Rule Priority

Change the priority of a rule to determine when the rule action is applied to a matching file. Rules are applied sequentially to each file, so once a file matches a rule, the rules with lower priority aren't applied to it.
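The first-match evaluation described here (and the allow-above-block guidance in Customize the Anti-Malware Policy) is easy to get wrong when reordering rules. The following is an added illustrative model of that evaluation, not Cato's engine or API: rule and file fields, group names, hashes, and the way a hash exception short-circuits the engines are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Rule:
    name: str
    scope: str      # "All", "WAN" or "Internet"
    source: str     # a Group name, or "Any" (other object types omitted)
    verdict: str    # "All files", "Suspicious" or "Malicious"
    action: str     # "Block" or "Allow"
    enabled: bool = True

@dataclass
class FlaggedFile:
    scope: str      # "WAN" or "Internet"
    group: str      # group of the downloading user (constructed)
    verdict: str    # engine verdict: "Suspicious" or "Malicious"
    sha256: str

def rule_matches(rule: Rule, f: FlaggedFile) -> bool:
    """Disabled rules never match; All/Any act as wildcards."""
    if not rule.enabled:
        return False
    if rule.scope not in ("All", f.scope) or rule.source not in ("Any", f.group):
        return False
    return rule.verdict in ("All files", f.verdict)

def evaluate(rules, f, exceptions=None, now=None):
    """Return (action, reason) for one flagged file.

    Assumption: an active hash exception skips the engines (None = Forever).
    Rules are evaluated top-down and the first match wins; the implicit
    final rule blocks any Suspicious or Malicious file nothing else matched.
    """
    now = now or datetime(2024, 1, 1)
    exceptions = exceptions or {}
    if f.sha256 in exceptions:
        expiry = exceptions[f.sha256]
        if expiry is None or expiry > now:
            return ("Allow", "File exception")
    for rule in rules:
        if rule_matches(rule, f):
            return (rule.action, rule.name)
    return ("Block", "Implicit final rule")

# Constructed rulebase: the Allow rule for IT sits above the Block rule, so
# IT downloads are not caught by the broader block rule below it.
RULES = [
    Rule("Allow IT downloads", "All", "IT", "All files", "Allow"),
    Rule("Block suspicious Internet files", "Internet", "Any", "Suspicious", "Block"),
]
EXCEPTIONS = {"ab" * 32: None, "cd" * 32: datetime(2023, 12, 31)}  # constructed hashes
```

Reversing RULES shows the problem the guidance warns about: the Block rule then matches IT users first and the Allow rule is never reached.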

Explaining the Anti-Malware Fields and Settings

This section explains the different settings in the Anti-Malware rulebase. The Verdict and Tracking settings are applied to both the Anti-Malware and NG Anti-Malware protection layers. For rules with the Suspicious verdict, these settings are only relevant to the NG Anti-Malware protection layer. These are the available actions for a file:

  • Block - Blocks the file and prevents the user from downloading it to the local host or device.

    Files that match the Block action are deleted immediately.

  • Allow - The identified file is allowed to continue to the destination with no action taken.

Use the Tracking option to generate events and email notification alerts for files that are identified by the Anti-Malware and NG Anti-Malware layers. To monitor activity of the Unified Anti-Malware policy, create an allow rule with the Tracking option enabled to generate events.

These are the fields in the New and Edit panels for a rule:

  • Name - Enter a Name for the rule.

  • Scope - Traffic that this rule applies to: All, WAN, or Internet.

  • Source - Source of the traffic for this rule. Objects and settings include: Floating Subnet, Global Range, Group, Host, Interface Subnet, IP, IP Range, Network Interface, Site, System Group, User, SDP User, or Any.

  • What - Only apply the action to traffic that matches objects for: Applications (HTTP(S) and FTP), Application Categories, Custom Applications, Custom Categories, Custom Services (HTTP(S) and FTP), Domain Names, FQDN, Services, or Any.

  • Verdict - Only apply the action to files with the specific scan verdict (result): Malicious, Suspicious, or Any.

  • Action - Apply the Allow or Block action to files that match the rule.

These actions are available in the more icon for each rule:

  • Add Rule Above - Add a new rule before the selected rule

  • Add Rule Below - Add a new rule after the selected rule

  • Disable or Enable - Disable or enable the selected rule

  • Delete Rule - Delete the selected rule (a confirmation pop-up window opens)

For each of the actions that are available in the more icon, you need to save the changes after performing the action. For example, after you disable or delete a rule, you then need to save the changes to the Anti-Malware policy.

Creating an Exception for a File

The Event Discovery window lets you use the file hash to create exceptions for the Anti-Malware and NG Anti-Malware engines. After you open an event for the specific file, use the Exception Configuration window to add the file as an exception for the account. You can choose the time duration for the file exception, or configure the exception to last forever.

To create an exception for a file:

  1. From the navigation menu, select Monitoring > Events.

  2. Filter for the Anti-Malware event.

  3. From the Time column, expand the event.

  4. In the event, click the File Hash link.

    The Exception Configuration window opens.

  5. From the Duration drop-down menu, select how long the file is excluded from the Anti-Malware and NG Anti-Malware engines.

    To create a permanent exception, select Forever.

  6. Click OK.

    The exception is created and added to the File Exceptions section of the Threat Protection page.


Removing a File Exception

Remove an exception for the Anti-Malware policy when it is no longer necessary.

To remove file exceptions for the Anti-Malware policy:

  1. From the navigation menu, select Configuration > Threat Protection.

  2. In the File Exceptions section, select one or more file exceptions.

  3. Click the delete icon.

  4. In the confirmation window, click OK.

    The file exceptions are removed.
