Configuring the Anti-Malware Policy

This article explains how to configure rules for the unified Anti-Malware policy, and how to create exceptions for specific files. For a general overview of the policy and the Anti-Malware and NG Anti-Malware engines, see What is the Cato Anti-Malware Policy?.

Overview of the Anti-Malware Rulebase

The Cato Anti-Malware and NG Anti-Malware engines scan WAN and Internet traffic for potentially malicious files. You can choose to use the default Cato policy that inspects all traffic, or create rules that define a custom policy to meet the requirements of your organization.

For each protection scope, configure the action that is applied to a malicious, suspicious, or encrypted file. You can also configure tracking options for the rules to generate alerts and email notifications.

The Anti-Malware and NG Anti-Malware engines scan HTTP, HTTPS, and FTP traffic.

Anti-Malware Protection for Encrypted Files

The Anti-Malware engines have the ability to identify and block downloads of encrypted files. This can help secure your organization by preventing users from downloading malicious files disguised as legitimate encrypted files, which is a common technique in ransomware and other cyber attacks. The engines don't scan the contents of the encrypted file, but identify it and return a verdict of Encrypted for the file. You can define rules to allow or block Encrypted files, according to the needs of your organization.

  • Since the Anti-Malware policy uses an ordered rulebase, make sure that an allow rule has a higher priority (closer to the top of the rulebase) than a block rule that matches the same traffic.

The encrypted files detected by the Anti-Malware engines include password-protected files of the following types: Word, Excel, PowerPoint, ZIP, and PDF.

Configuring the Anti-Malware Policy

After you enable the Anti-Malware and NG Anti-Malware services, you can choose to use the default policy or add block and allow rules.

The NG Anti-Malware service requires that the Anti-Malware service is also enabled. When you disable Anti-Malware, NG Anti-Malware is automatically disabled as well.

For more about the settings in the Anti-Malware policy, see Explaining the Anti-Malware Fields and Settings below.


Using the Default Anti-Malware Policy

The default Cato Anti-Malware policy scans all downloaded files in your network. You can choose to use the default policy that inspects all files, or add block and allow rules to create a custom policy. There is a final implicit rule that matches and then scans all downloaded files and blocks the ones with a suspicious or malicious verdict.

To use the default Unified Anti-Malware policy:

  1. From the navigation menu, click Security > Anti-Malware.

  2. Click the toggle to enable (green) the Anti-Malware and NG Anti-Malware services for the account.

  3. Click Save.

    The Anti-Malware default policy is enabled.

Customize the Anti-Malware Policy

You can customize the Anti-Malware policy by adding rules to scan the specified traffic and either block or allow malicious, suspicious, or encrypted files.

Keep the following in mind when adding rules:

  • Make sure that the allow rule has a higher priority (closer to the top of the rulebase) than a block rule that matches the same traffic.

  • Create Anti-Malware rules with the Allow action to let users download files even if they are suspicious, malicious, or encrypted. For example, you can add a rule that allows downloading files for the IT department.

For each rule, you can configure the following in the New panel for new rules, and in the Edit panel for existing rules:

  • Name of the Anti-Malware rule

  • Rule Order to define the priority of the rule (rules that are at the top of the rulebase have a higher priority)

  • Scope to define the scope of the traffic that the Cato Cloud scans for downloaded files (All, WAN, or Internet)

  • Source to define the source of the traffic for this rule

  • What to apply the action only to traffic that matches the selected objects

  • Verdict to select types of files the rule is applied to (All files, Suspicious, Malicious, or Encrypted)

  • Action to select whether the rule will Block or Allow files that match

  • Track options to define when a rule generates an Event and sends an Email Notification for matching traffic

To add rules to customize the Anti-Malware policy:

  1. From the navigation menu, click Security > Anti-Malware.

  2. Click New.

    The New panel opens.

  3. Enter the Name for the rule.

  4. Use the slider to enable (green) or disable (gray) the rule.

  5. By default, the Rule Order is assigned in sequential order with the new rule at the bottom of the rulebase. You can change the order when creating the rule or directly in the rulebase table.

  6. Configure the Scope of the traffic for this rule: All, WAN, or Internet.

  7. In the Source section, search for or select one or more object types.

  8. Define What the rule applies to. For example, a service, an application, a custom or predefined category.

  9. Configure the Verdict of the scan that this rule blocks or allows. Options are: All files (the default value), Suspicious, Malicious, or Encrypted.

  10. Expand the Actions section for the rule.

    1. Click Actions and select Block or Allow.

    2. (Optional) Configure tracking options to generate Events and Send Notification.

      For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.

  11. Click Apply.

    The rule is added to the Anti-Malware policy.

  12. Click Save.

    The rule is saved.

Managing the Anti-Malware Policy

This section explains how to manage the rules in the Anti-Malware policy, including changing the rule priority, and enabling, disabling, and deleting rules.

Changing the Rule Priority

Change the priority of a rule to determine when the rule action is applied to a matching file. Rules are applied sequentially to each file, so once a file matches a rule, the rules with lower priority aren't applied to it.
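The first-match behaviour described above (and the rule-ordering caveat earlier on this page) can be checked with a small model of the rulebase. This is an added example, not Cato code: rule fields follow the page, but object matching is simplified to names, and the implicit final rule is modelled as blocking only Suspicious and Malicious verdicts, as the page states.

```python
from dataclasses import dataclass

# Constructed model of the ordered Anti-Malware rulebase (hypothetical, not Cato's
# implementation). Source/What objects are reduced to a set of names for clarity.

@dataclass
class Rule:
    name: str
    action: str                          # "Block" or "Allow"
    scope: str = "All"                   # "All", "WAN", or "Internet"
    source: frozenset = frozenset()      # empty set means Any
    verdicts: frozenset = frozenset({"All files"})
    enabled: bool = True

@dataclass
class DownloadedFile:
    scope: str    # direction the download was seen on: "WAN" or "Internet"
    source: str   # e.g. the user or group that requested the file
    verdict: str  # "Malicious", "Suspicious", "Encrypted", or "Clean"

def rule_matches(rule: Rule, f: DownloadedFile) -> bool:
    """A rule matches only if it is enabled and scope, source and verdict all match."""
    if not rule.enabled:
        return False
    if rule.scope != "All" and rule.scope != f.scope:
        return False
    if rule.source and f.source not in rule.source:
        return False
    return "All files" in rule.verdicts or f.verdict in rule.verdicts

def evaluate(rulebase: list[Rule], f: DownloadedFile) -> tuple[str, str]:
    """Walk the rulebase top to bottom; the first matching rule decides.
    With no match, the implicit final rule blocks Suspicious/Malicious files."""
    for rule in rulebase:
        if rule_matches(rule, f):
            return rule.action, rule.name
    if f.verdict in ("Suspicious", "Malicious"):
        return "Block", "implicit final rule"
    return "Allow", "implicit final rule"

# Constructed rules: an IT-department allow rule and a block rule for encrypted files.
IT_ALLOW = Rule("Allow IT downloads", "Allow", source=frozenset({"IT"}))
BLOCK_ENCRYPTED = Rule("Block encrypted files", "Block", verdicts=frozenset({"Encrypted"}))

def ordering_demo() -> tuple[tuple[str, str], tuple[str, str]]:
    """Same two rules, different order: only the first order lets IT download."""
    f = DownloadedFile("Internet", "IT", "Encrypted")
    return evaluate([IT_ALLOW, BLOCK_ENCRYPTED], f), evaluate([BLOCK_ENCRYPTED, IT_ALLOW], f)
```

Running ordering_demo() shows the allow rule only takes effect when it sits above the block rule that matches the same traffic.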

Explaining the Anti-Malware Fields and Settings

This section explains the different settings in the Anti-Malware rulebase. The Verdict and Tracking settings are applied to both the Anti-Malware and NG Anti-Malware protection layers. For the Suspicious verdict, these settings are only relevant to the NG Anti-Malware protection layer. These are the available actions for a file:

  • Block - Blocks the file and prevents the user from downloading it to the local host or device.

    Files that match the Block action are deleted immediately.

  • Allow - The identified file is allowed to continue to the destination with no action taken.

Use the Track option to generate events and email notification alerts for files that are identified by the Anti-Malware and NG Anti-Malware layers. To monitor the activity of the Unified Anti-Malware policy, create an allow rule with the Track option set to generate events.

For each of the actions that are available in the More icon, you need to save the changes after the action. For example, after you disable or delete a rule, you then need to save the changes to the Anti-Malware policy.

The rule settings are as follows:

  • Name - Enter a Name for the rule.

  • Scope - Traffic that this rule applies to: All, WAN, or Internet.

  • Source - Source of the traffic for this rule. Objects and settings include: Floating Subnet, Global Range, Group, Host, Interface Subnet, IP, IP Range, Network Interface, Site, System Group, User, SDP User, or Any.

  • What - Only apply the action to traffic that matches objects for: Applications (HTTP(S) and FTP), Application Categories, Custom Applications, Custom Categories, Custom Services (HTTP(S) and FTP), Domain Names, FQDN, Services, or Any.

  • Verdict - Only apply the action to files with the specific scan verdict (result): Malicious, Suspicious, Encrypted, or All Files.

  • Action - Apply the Allow or Block action to files that match the rule.

These actions are available in the More icon for each rule:

  • Add Rule Above - add a new rule before the selected rule

  • Add Rule Below - add a new rule after the selected rule

  • Disable or Enable the selected rule

  • Delete Rule - Delete the selected rule; a confirmation pop-up window opens before the rule is deleted

Creating an Exception for a File

Sometimes there is a file blocked by the Anti-Malware engines that you know is safe, and you need to allow it in the network. The Events page lets you use the file hash to create exceptions for the Anti-Malware and NG Anti-Malware engines. After you open an event for the specific file that was blocked, click the file hash to open the Exception Configuration panel to add the file as an exception for the account. You can choose the time duration for the file exception, or configure the exception to last forever.

File Exceptions for Anti-Malware and SaaS Security API

File exceptions apply across the Anti-Malware and SaaS Security API Threat Protection policies. When you create exceptions from Anti-Malware and NG Anti-Malware events, these exceptions also apply to the SaaS Security API Threat Protection policy. Similarly, when you create file exceptions from SaaS Security API Anti-Malware events, the exceptions also apply to the Anti-Malware policy. The full file exception list is shown on both the Anti-Malware page and the SaaS Security API Threat Protection page.

To create an exception for a file:

  1. From the navigation menu, select Monitoring > Events.

  2. Filter for the Anti-Malware event.

  3. From the Time column, expand the event.

  4. In the event, click the File Hash link.

    The Exception Configuration panel opens.

  5. From the Duration drop-down menu, select how long the file is excluded from the Anti-Malware and NG Anti-Malware engines.

    To create a permanent exception, select Forever.

  6. Click Apply.

    The exception is created and added to the File Exceptions section in the Anti-Malware Protection Policy and the Threat Protection tab in the SaaS Security API page.


Removing a File Exception

Remove an exception for the Anti-Malware policy when it is no longer necessary.

To remove file exceptions for the Anti-Malware policy:

  1. From the navigation menu, click Security > Anti-Malware.

  2. Select the Protection Policy tab.

  3. In the File Exceptions section, click the delete icon for the exception you want to remove.

  4. Click Save.

    The exception is removed.
