This article explains how to configure rules for the unified Anti-Malware policy, and how to create exceptions for specific files. For a general overview of the policy and the Anti-Malware and NG Anti-Malware engines, see What is the Cato Anti-Malware Policy?.
The Cato Anti-Malware and NG Anti-Malware engines scan WAN and Internet traffic for potentially malicious files. You can choose to use the default Cato policy that inspects all traffic, or create rules that define custom policy exceptions to meet the requirements of your organization. For more information on managing Anti-Malware policy exceptions, see Managing Anti-Malware Exceptions.
For each protection scope, configure the action that is applied to a malicious, suspicious, or encrypted file. You can also configure tracking options for the rules to generate alerts and email notifications.
The Anti-Malware and NG Anti-Malware engines scan HTTP, HTTPS, and FTP traffic.
Supported File Size
The maximum supported file size for the Anti-Malware and Next Generation Anti-Malware is 100 MB.
The Anti-Malware engines have the ability to identify and block downloads of encrypted files. This can help secure your organization by preventing users from downloading malicious files disguised as legitimate encrypted files, which is a common technique in ransomware and other cyber attacks. The engines don't scan the contents of the encrypted file, but identify it and return a verdict of Encrypted for the file. You can define rules to allow or block Encrypted files, according to the needs of your organization.
- Since the Anti-Malware policy uses an ordered rulebase, make sure that an allow rule has a higher priority (closer to the top of the rulebase) than a block rule that matches the same traffic.
The encrypted files detected by the Anti-Malware engines include password-protected files of the following types: Word, Excel, PowerPoint, ZIP, and PDF.
After you enable the Anti-Malware and NG Anti-Malware services, you can choose to use the default policy or add block and allow rules.
The NG Anti-Malware service requires that the Anti-Malware service is also enabled. When you disable Anti-Malware, NG Anti-Malware is automatically disabled as well.
The default Cato Anti-Malware policy scans all downloaded files in your network. You can choose to use the default policy that inspects all files, or add block and allow rules to create a custom policy. There is a final implicit rule that matches and then scans all downloaded files and blocks the ones with a suspicious or malicious verdict.
This section explains how to manage the rules in the Anti-Malware policy, including changing the rule priority, and enabling and deleting rules.
Sometimes there is a file blocked by the Anti-Malware engines that you know is safe, and you need to allow it in the network. For more information on managing Anti-Malware exceptions, see Managing Anti-Malware Exceptions.
The Events page lets you use the file hash to create exceptions for the Anti-Malware and NG Anti-Malware engines. After you open an event for the specific file that was blocked, click the file hash to open the Exception Configuration panel to add the file as an exception for the account. You can choose the time duration for the file exception, or configure the exception to last forever.
File Exceptions for Anti-Malware and Data Protection API
File exceptions apply across the Anti-Malware and SaaS Security API Threat Protection policies. When you create exceptions from Anti-Malware and NG Anti-Malware events, these exceptions also apply to the App & Data API Protection policy. Similarly, when you create file exceptions from SaaS Security API Anti-Malware events, the exceptions also apply to the Anti-Malware policy. The full file exception list is shown on both the Anti-Malware page and the App & Data API Protection page.
To create an exception for a file:
- From the navigation menu, select Home > Events.
- Filter for the Anti-Malware event.
- From the Time column, expand the event.
- In the event, click the File Hash link. The Exception Configuration panel opens.
- From the Duration drop-down menu, select how long the file is excluded from the Anti-Malware and NG Anti-Malware engines. To create a permanent exception, select Forever.
- Click Apply. The exception is created and added to the File Exceptions section in the Anti-Malware Protection Policy and the Threat Protection tab in the SaaS Security API page.
Remove an exception for the Anti-Malware policy when it is no longer necessary.
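The two behaviours this article relies on, the ordered rulebase with its implicit final rule (an allow rule only takes effect if it sits above the block rule that matches the same traffic) and hash-based file exceptions with a duration or Forever, are easy to get wrong when reasoning about a policy. The following Python model is an added example written for this article; it is not Cato's implementation and does not call any Cato API. The rule structure (a `source` label, a verdict-to-action map), the verdict name `Clean`, and the sample hashes are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Verdicts named on the page: Malicious, Suspicious, Encrypted.
# "Clean" is an assumed name for a file with nothing found.


@dataclass
class Rule:
    name: str
    source: str                 # "any" or a site/user-group label (assumed match key)
    actions: dict               # verdict -> "allow" | "block"; unlisted verdicts don't match
    enabled: bool = True


@dataclass
class FileException:
    file_hash: str
    expires_at: Optional[datetime]   # None models the "Forever" duration


def build_exception(file_hash: str, duration: Optional[timedelta], now: datetime) -> FileException:
    """Create an exception from an event's file hash; duration None means Forever."""
    return FileException(file_hash, None if duration is None else now + duration)


def exception_active(exc: FileException, now: datetime) -> bool:
    return exc.expires_at is None or now < exc.expires_at


def rule_matches(rule: Rule, source: str, verdict: str) -> bool:
    return rule.enabled and rule.source in ("any", source) and verdict in rule.actions


def implicit_final_rule(verdict: str) -> str:
    # The page: the final implicit rule blocks suspicious or malicious verdicts.
    return "block" if verdict in ("Suspicious", "Malicious") else "allow"


def evaluate(rulebase, exceptions, *, source: str, file_hash: str, verdict: str, now: datetime):
    """First-match evaluation for one downloaded file. Returns (action, reason)."""
    # Active file exceptions take precedence over the rulebase.
    for exc in exceptions:
        if exc.file_hash == file_hash and exception_active(exc, now):
            return ("allow", f"file exception {file_hash}")
    # Rules are evaluated top-down; the first matching rule decides.
    for rule in rulebase:
        if rule_matches(rule, source, verdict):
            return (rule.actions[verdict], f"rule '{rule.name}'")
    return (implicit_final_rule(verdict), "implicit final rule")


# --- constructed sample policy ----------------------------------------------
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)

BLOCK_ALL_ENCRYPTED = Rule("Block encrypted downloads", "any", {"Encrypted": "block"})
ALLOW_FINANCE_ENCRYPTED = Rule("Allow encrypted for finance", "finance", {"Encrypted": "allow"})

# Allow rule below the block rule: it is shadowed and never reached.
RULES_SHADOWED = [BLOCK_ALL_ENCRYPTED, ALLOW_FINANCE_ENCRYPTED]
# Allow rule above the block rule: the intended policy.
RULES_CORRECT = [ALLOW_FINANCE_ENCRYPTED, BLOCK_ALL_ENCRYPTED]

# Constructed hashes, not real indicators.
KNOWN_GOOD_HASH = "sha256:0000constructed-sample-hash-1"
TEMP_EXCEPTION = build_exception(KNOWN_GOOD_HASH, DAY, NOW)       # 1-day duration
FOREVER_EXCEPTION = build_exception(KNOWN_GOOD_HASH, None, NOW)   # Forever


if __name__ == "__main__":
    for label, rules in (("shadowed", RULES_SHADOWED), ("correct", RULES_CORRECT)):
        print(label, evaluate(rules, [], source="finance", file_hash="x",
                              verdict="Encrypted", now=NOW))
    for when in (NOW, NOW + 2 * DAY):
        print(when.date(), evaluate(RULES_CORRECT, [TEMP_EXCEPTION], source="hq",
                                    file_hash=KNOWN_GOOD_HASH, verdict="Malicious", now=when))
```

Running the model shows the two points worth checking before applying a policy: with the allow rule placed below the block rule, a finance user's encrypted download is still blocked, and a one-day exception for a file that the engines flag as Malicious falls back to the implicit final rule (block) once it expires, which is why expired or unneeded exceptions should be reviewed and removed.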