This article provides a general overview of the Cato Anti-Malware policy for the Anti-Malware and Next Generation (NG) Anti-Malware engines. For more about customizing the policy, see Configuring the Anti-Malware Policy.
The Cato Anti-Malware security policy provides two layers of protection to prevent malicious files from entering your network: Anti-Malware and NG Anti-Malware. Both layers simultaneously scan files that arrive from WAN and Internet traffic.
- The Anti-Malware layer protects against malware threats based on known file signatures and through heuristic analysis.
- NG Anti-Malware is a second layer that is based on machine learning malware detection technology and uses predictive models to classify files as benign, suspicious, or malicious. This layer scans the file and looks for characteristics that indicate if the file is malicious. These models are able to detect unknown and zero-day malware.
The Anti-Malware and NG Anti-Malware engines inspect connections sequentially, checking whether the traffic matches a rule. The final rules in the rulebase are default ANY - ANY Block rules for Malicious and Suspicious files, so for traffic that does NOT match an earlier rule, the file is automatically scanned, and files with either of these verdicts are blocked.
You can review the default rule settings in the Default Rules section at the end of the rulebase. These rule settings can't be edited.
Rules that are at the top of the rulebase have a higher priority because they are applied to connections before the rules lower down in the rulebase. For example, if a connection matches rule #2, the action is applied to the connection, and the Anti-Malware or NG Anti-Malware engines ignore rules #3 and below.
The Anti-Malware engine scans each downloaded file for a unique signature and compares that signature to a database of known malicious files. The database is updated every 30 minutes with new file signatures. This engine also uses heuristic analysis to examine the source code and compare it to known viruses. If the code matches code from other viruses, then the file is identified as malicious. This layer is the primary threat protection against malware.
Cato implements the SentinelOne NG Anti-Malware engine to provide a second layer of threat protection. This engine uses an AI model that detects threats in portable executable files, PDFs, and Microsoft Office documents. The AI model is developed by extracting features from millions of malware samples in the malware repository. Then, Supervised Machine Learning (SML) is used to identify and correlate different features of benign and malicious files. The engine then uses this model to identify similar features in unknown files, which are classified as:
- Malicious file - Most certainly malware
- Suspicious file - The file or behavior displays traits associated with malware, but does not have sufficient confidence or data to definitively classify it as benign or malicious.
- Benign file - Contains characteristics of safe files and is very likely not malware
Note: The AI model for the NG Anti-Malware engine lets it detect unknown malware. However, it's possible that in rare cases this model produces a false positive and blocks a legitimate file. You can create an exception that allows users to access and download the file, see Configuring the Anti-Malware Policy.
Since the NG Anti-Malware engine is based on an algorithm and doesn't use signature-based detection, it doesn't require high-frequency updates. The engine's algorithm is updated every few months.
This section explains how files are simultaneously scanned by both the Anti-Malware and NG Anti-Malware protection layers when using the default policy.
When using the default policy, the Anti-Malware and NG Anti-Malware engines scan all downloaded files at the same time and block any file that is classified as malicious or suspicious. If a file download request is blocked, the file is discarded, and an event is generated. If a file is blocked by both engines, then it's possible that two events are generated.
The Anti-Malware and NG Anti-Malware engines scan HTTP, HTTPS, and FTP traffic.
Based on the default policy, when an end-user starts the process to download a file from the Internet or the WAN, this is the behavior of each engine when they simultaneously scan the files:
- The Anti-Malware engine scans the file and uses file signatures and heuristic analysis to determine if the file is Malicious or Benign.
  - If the verdict is Malicious, the file is blocked, deleted, and an event is generated. The Block page is shown in the user's Internet browser.
  - If the verdict is Benign, the file is potentially available for downloading.
- The NG Anti-Malware layer scans the file and uses an AI model to classify the file as Malicious, Suspicious, or Benign.
  - If the verdict is Malicious or Suspicious, the file is blocked, deleted, and an event is generated. The Block page is shown in the user's Internet browser.
  - If the verdict is Benign, the file is potentially available for downloading.
Note: Scanned files are deleted and are not retained by Cato, regardless of the verdict.
The file is allowed to continue to the user only when both engines return a Benign verdict; in that case, events are generated with the verdict Clean.
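The following Python model ties together the two behaviours described above: first-match rule ordering with the default ANY - ANY Block rules at the bottom of the rulebase, and the way the two engines' verdicts combine under the default policy (blocked if Anti-Malware says Malicious or NG Anti-Malware says Malicious or Suspicious; allowed with Clean events only when both say Benign). It is an added illustration written for this article, not Cato's code or API; the Connection fields, the rule predicate shape, the event dictionaries and the sample connections are all constructed assumptions used to show the decision logic.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Verdict labels as the article describes them. The Anti-Malware engine only
# returns Malicious or Benign; NG Anti-Malware can also return Suspicious.
BENIGN, SUSPICIOUS, MALICIOUS = "benign", "suspicious", "malicious"
BLOCKING_NG_VERDICTS = {MALICIOUS, SUSPICIOUS}


@dataclass(frozen=True)
class Connection:
    # Hypothetical connection attributes used only for rule matching here.
    source: str
    destination: str
    file_name: str


@dataclass(frozen=True)
class Rule:
    # Hypothetical custom rule: a predicate on the connection plus an action.
    name: str
    matches: Callable[[Connection], bool]
    action: str  # "allow" (exception) or "block"


def evaluate_rulebase(rules: Sequence[Rule], conn: Connection) -> Optional[Tuple[str, str]]:
    """Walk the rulebase top to bottom; the first matching rule wins and
    rules below it are ignored. Returns (rule name, action) or None when
    no custom rule matched, meaning the default rules apply."""
    for rule in rules:
        if rule.matches(conn):
            return rule.name, rule.action
    return None


def scan_download(conn: Connection, am_verdict: str, ng_verdict: str,
                  rules: Sequence[Rule] = ()) -> Dict[str, object]:
    """Apply the default policy to one download given each engine's verdict.
    Returns whether the file is allowed and the list of events generated."""
    if am_verdict not in (BENIGN, MALICIOUS):
        raise ValueError("Anti-Malware engine verdicts are Benign or Malicious only")
    if ng_verdict not in (BENIGN, SUSPICIOUS, MALICIOUS):
        raise ValueError("unknown NG Anti-Malware verdict")

    events: List[Dict[str, str]] = []
    hit = evaluate_rulebase(rules, conn)
    if hit is not None:
        name, action = hit
        events.append({"rule": name, "action": action, "file": conn.file_name})
        return {"allowed": action == "allow", "events": events}

    # No custom rule matched: the default ANY - ANY Block rules apply and the
    # file is scanned by both engines at the same time. Each engine that
    # blocks raises its own event, so a file can produce two block events.
    blocked = False
    if am_verdict == MALICIOUS:
        events.append({"engine": "Anti-Malware", "verdict": am_verdict, "action": "block"})
        blocked = True
    if ng_verdict in BLOCKING_NG_VERDICTS:
        events.append({"engine": "NG Anti-Malware", "verdict": ng_verdict, "action": "block"})
        blocked = True
    if not blocked:
        # Both engines returned Benign: the file continues to the user and
        # each engine logs a Clean event.
        for engine in ("Anti-Malware", "NG Anti-Malware"):
            events.append({"engine": engine, "verdict": "clean", "action": "allow"})
    return {"allowed": not blocked, "events": events}


# Constructed sample rulebase: an exception for one known false positive,
# placed above a broader block rule so that ordering can be observed.
SAMPLE_RULES = [
    Rule("exception-for-internal-tool",
         lambda c: c.file_name == "internal-tool.exe" and c.destination == "files.example.internal",
         "allow"),
    Rule("block-untrusted-host",
         lambda c: c.destination == "downloads.example.test",
         "block"),
]

if __name__ == "__main__":
    conn = Connection("site-a", "files.example.internal", "internal-tool.exe")
    # NG Anti-Malware flags the file as Suspicious, but the exception rule
    # above the default rules matches first, so the download is allowed.
    print(scan_download(conn, BENIGN, SUSPICIOUS, SAMPLE_RULES))
    conn2 = Connection("site-a", "cdn.example.test", "report.pdf")
    print(scan_download(conn2, BENIGN, BENIGN, SAMPLE_RULES))
```

Running the module prints the allow decision for the exception case and the two Clean events for the fully benign download. The model deliberately keeps rule criteria as a plain predicate because the article does not describe the matching fields; what it does fix is the evaluation order and the verdict combination, which is the part worth checking when you reason about whether a given file would be blocked.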
The unified Anti-Malware scan doesn't create a noticeable delay for the user experience. End-users download clean files right away.
The Anti-Malware and NG Anti-Malware engines support specific file formats. For more information, see Supported File Formats for Anti-Malware Protection. (You must be signed in to view this article)