What is the Cato Anti-Malware Policy?

This article provides a general overview of the Cato Anti-Malware policy for the Anti-Malware and Next Generation (NG) Anti-Malware engines. For more about customizing the policy, see Configuring the Anti-Malware Policy.

Overview of the Anti-Malware Policy

The Cato Anti-Malware security policy provides two layers of protection to prevent malicious files from entering your network: Anti-Malware and NG Anti-Malware. Both layers scan files that arrive from WAN and Internet traffic.

  • The Anti-Malware layer protects against malware threats based on known file signatures and from a heuristic analysis.

  • NG Anti-Malware is a second layer that is based on machine learning malware detection technology and uses predictive models to classify files as benign, suspicious, or malicious. This layer scans the file and looks for characteristics that indicate if the file is malicious. These models are able to detect unknown and zero-day malware.

Working with an Ordered Anti-Malware Rulebase

The Anti-Malware and NG Anti-Malware engines inspect connections sequentially, checking whether the traffic matches a rule. The final rules in the rulebase are default ANY - ANY Block rules for Malicious and Suspicious files, so for traffic that does NOT match any rule, the file is automatically scanned, and files with these verdicts are blocked.

You can review the default rule settings in the Default Rules section at the end of the rulebase. These rule settings can't be edited.

Rules that are at the top of the rulebase have a higher priority because they are applied to connections before the rules lower down in the rulebase. For example, if a connection matches on rule #2, the action is applied to the connection and the Anti-Malware or NG Anti-Malware engines ignore rules #3 and below.

Understanding the Anti-Malware Engine

The Anti-Malware engine computes the unique signature of each downloaded file and compares that signature to a database of known malicious files. The database is updated every 30 minutes with new file signatures. This engine also uses heuristic analysis to examine the file's code and compare it to known viruses. If the code matches code from other viruses, then the file is identified as malicious. This layer is the primary threat protection against malware.

For more information about the supported Anti-Malware file types and requirements, see below, Anti-Malware File Requirements.

Understanding the NG Anti-Malware Engine

Cato implements the SentinelOne NG Anti-Malware engine to provide a second layer of threat protection. This engine uses an AI model that detects threats in portable executable files, PDFs, and Microsoft Office documents. The AI model is developed by extracting features from millions of malware samples in the malware repository. Then, Supervised Machine Learning (SML) is used to identify and correlate different features of benign and malicious files. The engine then uses this model to identify similar features in unknown files, which are classified as:

  • Malicious file - Most certainly malware

  • Suspicious file - Suspected of being malware, with a low confidence detection

  • Benign file - Contains characteristics of safe files and is very likely not malware

Note: The AI model for the NG Anti-Malware engine lets it detect unknown malware. However, it's possible that in rare cases this model produces a false-positive and blocks a legitimate file. You can create an exception and allow users to access and download the file, see Configuring the Anti-Malware Policy.

Since the NG Anti-Malware engine is based on an algorithm and doesn't use signature-based detection, it doesn't require high-frequency updates. The engine's algorithm is updated every few months.

For more information about the NG Anti-Malware see below, NG Anti-Malware File Requirements.

Scanning Files with Anti-Malware Layers

This section explains how files are scanned by both the Anti-Malware and NG Anti-Malware protection layers when using the default policy.

The default policy scans all downloaded files and blocks any file that is classified as malicious or suspicious. If a file download request is blocked, the file is discarded and an event is generated.

The Anti-Malware and NG Anti-Malware engines scan HTTP, HTTPS, and FTP traffic.

This is a sample workflow of an end-user attempting to download a file:

  1. An end-user starts the process to download a file from the Internet or the WAN.

  2. The Anti-Malware layer scans the file and uses file signatures and heuristic analysis to determine if the file is malicious or benign.

    • If the file is malicious, it's blocked, deleted, and an event is generated. The Block page is shown in the user's Internet browser.

    • If the file is benign, it's sent to the next layer.

  3. The NG Anti-Malware layer scans the file and uses an AI model to classify the file as Malicious, Suspicious, or Benign.

    • If the file is malicious or suspicious, it's blocked, deleted, and generates an event. The Block page is shown in the user's Internet browser.

    • If the file is benign, it's allowed to continue to the user, and generates an event with verdict clean.

The unified Anti-Malware scan doesn't create a noticeable delay for the user experience. End-users download clean files right away.
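The workflow above, modelled as an added example that is not Cato's code: a first-match exception check, then the Anti-Malware layer, then the NG Anti-Malware layer with the default block rules for malicious and suspicious verdicts. The engines are stubs over constructed sample data, and the rule that a file larger than a layer's limit skips that layer is an assumption, not something the article states.

```python
# Added example (not Cato's code): a model of the default two-layer scan workflow.
# Engine stubs and sample data are constructed; "oversized files skip a layer" and
# the hash-based exception rule are assumptions made for illustration.
import hashlib
from dataclasses import dataclass

MB = 1024 * 1024
AM_MAX_SIZE = 20 * MB   # Anti-Malware limit given in the article
NG_MAX_SIZE = 10 * MB   # NG Anti-Malware limit given in the article


@dataclass
class Verdict:
    layer: str    # layer that produced the final decision
    verdict: str  # malicious / suspicious / clean / exception
    action: str   # block / allow


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the signature database: hash of one known-bad sample.
KNOWN_BAD = {sha256_hex(b"CONSTRUCTED KNOWN-BAD SAMPLE")}


def am_engine(data: bytes) -> str:
    """Signature layer stub: exact hash match => malicious, else benign."""
    return "malicious" if sha256_hex(data) in KNOWN_BAD else "benign"


def ng_engine(data: bytes) -> str:
    """ML layer stub: constructed 'features' stand in for a trained model."""
    if b"MZ" in data[:2] and b"UPX!" in data:   # packed PE-like: low confidence
        return "suspicious"
    return "benign"


def scan_download(data: bytes, exceptions: frozenset = frozenset()) -> Verdict:
    """Steps 1-3 of the workflow: explicit allow exception, then the two layers."""
    if sha256_hex(data) in exceptions:          # first matching rule wins
        return Verdict("rulebase", "exception", "allow")
    # Step 2: Anti-Malware layer blocks only malicious files.
    if len(data) <= AM_MAX_SIZE and am_engine(data) == "malicious":
        return Verdict("Anti-Malware", "malicious", "block")
    # Step 3: NG layer; default rules block malicious and suspicious verdicts.
    if len(data) <= NG_MAX_SIZE:
        verdict = ng_engine(data)
        if verdict in ("malicious", "suspicious"):
            return Verdict("NG Anti-Malware", verdict, "block")
    return Verdict("NG Anti-Malware", "clean", "allow")   # event with verdict clean
```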


Information Regarding Supported Files for Anti-Malware

This section lists the supported file types and requirements for the Anti-Malware and NG Anti-Malware engines.

Note: There is a file size limit for the file types scanned by the Anti-Malware and NG Anti-Malware layers. Files of types that are not scanned by these layers are allowed into the network regardless of size.

Anti-Malware File Requirements

The maximum supported file size for the Anti-Malware layer is 20 MB.

The Anti-Malware scans these file types:

  • APK

  • Archives (ZIP, 7ZIP, TGZ, RAR, ARJ, ARC, ZOO)

  • BAT

  • BIN

  • CAB

  • Calendar (ICS, IFB, iCalendar)

  • CMD

  • CRX

  • CSV

  • DEB

  • DLL

  • DMG

  • EXE

  • FLASH (SWF)

  • Fonts (EOT, WOFF, WOFF2)

  • HTA

  • JAVA (JAR, CLASS)

  • MACH-O

  • Microsoft Office (DOC, DOCx, PPT, PPTx, XLS, XLSx)

  • MS-Access (ACCDB)

  • MSI

  • OFT

  • PDF

  • PKG

  • PS1

  • PY

  • RTF

  • SH

  • SVG

  • Torrent

  • VB-Scripts

NG Anti-Malware File Requirements

The maximum supported file size for the NG Anti-Malware layer is 10 MB.

The NG Anti-Malware layer scans these file types:

  • EXE, MacOS, BIN, MSI, ZIP, TAR, RAR

  • OLE (.doc, .ppt, .xls)

  • OpenXML (.docx, .pptx, .xlsx)

  • Win32 portable executable
