Third Party Copyright Notices
© 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, CONTENT ANALYSIS SYSTEM, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.
BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.
Americas:
Blue Coat Systems, Inc.
420 N. Mary Ave.
Sunnyvale, CA 94085
Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
Contents
Initial Configuration 6
About the Content Analysis System Solution 8
Content Analysis System Hardware and Software Requirements 10
Set Up the Appliance with the Command Line Interface 11
Log In or Log Out of the CAS 12
Install the Appliance License 13
Activate Licensed Components 14
The CAS Home Page 15
Route Traffic to Alternate Networks 16
Proxy the CAS Through a Gateway Device 17
Identify the CAS Appliance 18
Set the Date/Time Manually 19
Synchronize the System Clock 20
Set the Timezone 21
Prepare the Appliance to Scan Data 22
Change the Default ICAP Server Ports 24
Define File Type Policy 25
Set AV Scanning Options 27
Establish ICAP Connections Between the ProxySG and the CAS 30
Configure ICAP Exception Policies 31
Troubleshoot ICAP Errors 34
Enable Secure ICAP Connections 36
Allow Trusted File Execution (Whitelisting) 39
About Whitelisting 40
Isolate and Analyze Suspicious Files 41
Drop Slow Download Connections 43
Establish ICAP Connections Between the ProxySG and the CAS 44
Manually Configure an ICAP Service on the ProxySG 45
Automatically Configure an ICAP Service on the ProxySG 47
Configure ICAP Policy 50
Configure ICAP Exception Policies 51
View the CPU Usage Report 56
View the Memory Usage Report 57
View ICAP Connections Data 58
View Ethernet Adapter Statistics 59
View Historical Connection Data 60
Scan Results 61
Cache Hits 63
View the Sandboxing Objects Report 64
View the ICAP Bytes Report 65
View ICAP Object Scan History 66
View Current Connections 67
Manage the CAS System Logs 68
Set Up Alert Delivery Methods 71
Administrative Tasks 75
Control Access to the Management Console 76
Manage Administrator Access to the CAS 77
Define an Administrative Login Message 82
Manually Scan Files for Threats 83
Update Anti-Virus Pattern Files 84
Install a new CAS System Image 86
Set Log Parameters 87
Review System Activities 88
Archive or Restore the System Configuration 89
Perform Administrative Tasks from the Command Line Interface 90
Troubleshooting and Support Utilities 93
Archive or Restore the System Configuration 94
Onboard Diagnostics 95
Inspect Traffic 96
Test Network Connectivity 98
Restart System Services 99
Review System Activities 100
View and Export the System Information File 101
Manually Scan Files for Threats 102
Initial Configuration
This chapter introduces you to the Content Analysis System appliance and the Management Console, and helps you prepare the appliance for deployment.
About the Content Analysis System Solution 8
Content Analysis System Hardware and Software Requirements 10
Set Up the Appliance with the Command Line Interface 11
Log In or Log Out of the CAS 12
Install the Appliance License 13
Activate Licensed Components 14
The CAS Home Page 15
Route Traffic to Alternate Networks 16
Proxy the CAS Through a Gateway Device 17
Identify the CAS Appliance 18
Set the Date/Time Manually 19
Synchronize the System Clock 20
About the Content Analysis System Solution
The Content Analysis System (CAS) is Blue Coat's next-generation anti-virus, malware, and spyware management system. As with the ProxyAV appliance, CAS provides Blue Coat's world-class virus scanning and integration with your ProxySG appliance infrastructure. CAS also provides new functionality.
- Anti-virus, malware, and spyware scanning with one or multiple simultaneous anti-virus vendors. (Malware and spyware scanning functions are dependent on the licensed AV vendor.)
- The File Whitelisting feature uses a classification system to identify files that appear to be suspicious but are known to be good. File Whitelisting also provides an option for identifying specific files, hosts, and destination addresses to prevent delays with known-good (yet suspicious) elements.
- Sandbox integration with Blue Coat's Malware Analysis or FireEye. When a suspicious file is found not to be a virus and is not in the whitelist database, the CAS sends the file to an external appliance to run the file in a virtualized workstation environment. The actions of the suspicious file (registry edits, requests to malicious web sources) are identified and included in a detailed report sent to the CAS administrator, who performs appropriate actions.
- In busy network environments, anti-virus scan result caching improves the performance of live scanning.
- WebPulse reporting of malware on ProxySG appliances deployed with a CAS appliance.
1. A user in the protected network requests a file from the Internet.
database on the appliance. If the domain hosting the file has been categorized as a malware source, the file download is denied and the user is notified. If the domain is not recognized, the ProxySG forwards it to the CAS for analysis.
3. The CAS compares the file details against the whitelist. If the file is in the whitelist, scanning is suspended and the file is sent to the user.
4. If no match is found, the file is compared against the virus scan cache.
5. If the file has not been scanned before, the available anti-virus engines scan the file.
6. If the file is of a type defined in the Sandboxing list, it is forwarded to a sandbox appliance (if configured).
7. If another user requests the same file, the ProxySG will use the cached entry it as bad, based on the scanning
Content Analysis System Hardware and Software Requirements
The Content Analysis System hardware and software requirements listed below are valid as of the publishing of this guide. For the most current list, refer to the release notes for the Content Analysis System release operating on your appliances.
Supported Hardware Platforms
CAS is supported on the following platforms:
- S400-A1
- S400-A2
- S400-A3
- S400-A4
Supported SGOS Software Versions
The Blue Coat CAS supports only the Blue Coat ProxySG appliance as an Internet Content Adaptation Protocol (ICAP) client.
While the Content Analysis System can communicate with any version of SGOS, the Secure ICAP and Malware Scanning features require SGOS 5.5 or higher, the apparent data type policy feature requires SGOS 6.5.1 or higher, and arbitrary ICAP header parsing requires SGOS 6.5.2.1. Because of this, the ProxySG appliance that communicates with the CAS appliance should run SGOS 6.5.2 or higher.
Supported Browsers
The Content Analysis System Management Console supports the following web browsers:
- Microsoft Internet Explorer, version 9.x, 10.x
- Mozilla Firefox, version 2.x, 3.x
- Google Chrome
Set Up the Appliance with the Command Line Interface
Use the Content Analysis System Command Line Interface (CLI) to initially configure the appliance, upload support information, and view the appliance status and configuration. The appliance accepts CLI commands through the serial console connection, which is located on the back of the appliance, or through Secure Shell (SSH v2).
SSH access to the appliance is enabled by default.
1. Connect to the appliance through the Serial Console connection at the rear of the appliance.
2. Launch a terminal application, such as HyperTerminal. Enter the following connection settings:
BPS: 9600
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none
3. To start the initial configuration wizard, select Initial Setup. This wizard prompts you to define the following settings:
IP Address
Subnet Mask
Default Gateway
DNS Server
Alternate DNS Server
Administrator Password
Log In or Log Out of the CAS
The Logout link displays when you click the down arrow next to the admin login name on the Management Console banner, as shown below.
To log out, click Logout. You are logged out and a message confirming the logout displays.
If you have disabled authentication, the Logout link does not display in the Management Console banner.
Log In to the Content Analysis System
By default, the Content Analysis System appliance challenges both administrative users and read-only users for their login credentials before permitting access to the Management Console. As a best practice, Blue Coat recommends that you log out of the appliance after completing your tasks in the Management Console.
Install the Appliance License
The Content Analysis System appliance requires a license to operate. The license activates the default components, plus any additional features that you purchased from Blue Coat.
First time access
When you log in to the appliance for the first time, the interface displays the Invalid or Missing License dialog.
Perform the steps below to install the license as appropriate for your deployment method.
The CAS is connected to the Internet
If the CAS appliance is connected to the Internet, retrieve the license directly from Blue Coat and install it.
1. In the CAS appliance interface, select System > Licensing.
2. Click Download License from Blue Coat. The appliance confirms the download and installation.
3. Proceed to "Activate Licensed Components" on page 14.
The CAS is in a closed network
If the CAS appliance cannot connect directly to the Internet, you must download the license file and install it manually. This task requires your BlueTouch Online (BTO) account credentials.
1. From a system/client that has Internet access, proceed to https://bto.bluecoat.com/licensing.
a. Enter your BTO credentials.
b. Navigate to your CAS appliance entitlement and download the license file.
Activate Licensed Components
Licensed Components can be managed in System > Licensing.
All software components used by the Content Analysis System appliance require a license to operate. After completing the license retrieval task (see "Install the Appliance License" on page 13), review the default and entitled components and enable them as required.
1. Select System > Licensing.
The Licensing Activation section of this page contains the following columns:
- Active: This column informs you of the activation status of a given component.
- Component: The name and version number of the anti-virus application.
- Status: The status of the anti-virus application (Active or Available) and the date and time the license expires.
The CAS Home Page
Access the Content Analysis System appliance home page by browsing to https://1.2.3.4:8082 (replace 1.2.3.4 with the IP address of your CAS appliance).
This page displays the current Blue Coat Content Analysis System content scanning and network statistics.
System Health
Displays the current health of the system, specifically the amount of time the service and system have been up, the system's current activity, the AV vendor used on the system, the term of the license, and the date of the patterns installed on the system.
Scanned Statistics
Displays the number of files scanned and malware caught for plain and Secure ICAP.
Traffic Statistics
Displays the network traffic statistics and appliance MAC addresses. Information is segregated by Terabytes (TB), Gigabytes (GB), Megabytes (MB), Kilobytes (KB), and Bytes. Also provides the volume of traffic processed per second. To reset the traffic statistics, click Reset All Historical Stats or Reset Interface Stats. This resets the data counter to 0.
Route Traffic to Alternate Networks
Network Route configuration is available in Settings > Network Routes.
For deployments where the default gateway configured on the Content Analysis System does not route traffic to all segments of the network, you can define additional routes. A typical use for the route table is when the SMTP or DNS servers to be used by the CAS appliance are located on an internal network.
Routes added here do not affect traffic that is scanned by the appliance; they are only used for connections where the CAS appliance is the client. Examples of this include updates of pattern and engine files, checking for updates to the CAS firmware, and sending alerts.
To add a route to the table:
1. Identify the network interface that will be used to route traffic to the alternate subnet.
2. Select Settings > Network Routes.
3. Click Add. The Add Network Route dialog displays.
4. Destination: Enter the network address for the alternate network.
5. Mask: Enter the subnet mask for the alternate network.
6. Gateway: Enter the IP address for the gateway that will route traffic to the alternate network.
7. Click Add.
8. Click Save Changes.
Proxy the CAS Through a Gateway Device
If your network requires all users and servers to connect through a proxy to access Internet resources, you must configure the CAS appliance proxy server settings so that Internet-bound traffic is sent to the ProxySG appliance or other proxy server.
1. Select Settings > Proxy.
2. Enter the Server IP address or hostname and Port for your ProxySG appliance.
3. Enter the proxy authentication Username and Password, if required.
Identify the CAS Appliance
The Content Analysis System appliance name is given when alerts are sent out to recipients, plus in other elements such as the CLI prompt and SNMP logs.
1. Select System > Identification.
2. Enter a unique Appliance Name, which is crucial for easier multi-device management. Consider using a geographic or other location-based name.
3. The Administrator Email identifies the main communication recipient for this CAS appliance. For example, if an alert is sent that mentions contacting the CAS appliance administrator, this address is given.
Set the Date/Time Manually
Date and Time configuration is available in Settings > Date Time.
The Content Analysis System uses the date and time settings to record events on the appliance and to track engine file updates. Some AV engines, however, do not use the configured system time and instead use an internal time tracking mechanism for maintaining the most current version of the pattern file.
By default, the appliance acquires Universal Coordinated Time (UTC) from the NTP servers configured on the appliance. If you prefer to manually set the date and time on the appliance, do the following:
1. In Date Settings, select the date.
Synchronize the System Clock
NTP configuration is available in Settings > NTP.
The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio or satellite receiver or modem. The Content Analysis System ships with a predefined list of Blue Coat NTP servers, and attempts to connect to them in the order they appear in the NTP server list. If the Blue Coat NTP servers aren't accessible to your CAS appliance, if you want to use an internal server, or if your organization has standardized on a particular NTP server for all network equipment, you can define other NTP servers. In addition, you can reorder the servers to give a specific NTP server higher priority over others.
Use the options on this page to have your CAS synchronize with Network Time Protocol (NTP) servers.
To configure NTP:
1. Select Settings > NTP.
2. Make sure Enable usage of NTP on device is enabled.
3. Add an NTP server by clicking Add NTP Server. The Add NTP Server dialog displays.
4. Define your preferred NTP server by IP address or hostname and click Add. Blue Coat's NTP server addresses are ntp1.bluecoat.com and ntp2.bluecoat.com.
5. (Optional) Repeat the process if your organization has multiple NTP servers.
6. Click Save Changes.
7. Click Acquire Time Now (at the top of the page) to force the appliance to synchronize the system time with the configured NTP server.
Set the Timezone
Use Timezone to use local time instead of UTC time in recording events. The Content Analysis System uses the date and time settings to record events on the appliance and to track engine file updates. Some AV engines, however, do not use the configured system time and instead use an internal time tracking mechanism for maintaining the most current version of the pattern file.
By default, the appliance acquires Universal Coordinated Time (UTC) from the NTP servers configured on the appliance. If you prefer to use the local time instead, configure the appliance to use local time:
1. Select Settings > Timezone.
2. Select your time zone region from the Time Zone Region drop-down list.
3. Select your local time zone from the Time Zone drop-down list.
Prepare the Appliance to Scan Data
Before the CAS appliance can scan traffic from a ProxySG appliance, it must be configured to accept traffic. The topics in this chapter will help you to ready the CAS to receive traffic to be scanned.
Change the Default ICAP Server Ports 24
Define File Type Policy 25
Set AV Scanning Options 27
Establish ICAP Connections Between the ProxySG and the CAS 30
Configure ICAP Exception Policies 31
Troubleshoot ICAP Errors 34
Enable Secure ICAP Connections 36
Allow Trusted File Execution (Whitelisting) 39
About Whitelisting 40
Isolate and Analyze Suspicious Files 41
Change the Default ICAP Server Ports
ICAP Server Ports can be configured from Settings > ICAP.
By default, the Content Analysis System appliance receives data from the ProxySG appliance through an Internet Content Adaptation Protocol (ICAP) connection. All CAS appliance models support up to 250 simultaneous
Define File Type Policy
You can configure how the Content Analysis System appliance reacts when specific file extensions or file types are received over ICAP from a ProxySG appliance. File Extensions policy applies to all anti-virus vendors. If you employ Kaspersky or Sophos, you can configure additional Ignore, Scan, and Block policy for types of data.
File Extensions
The Content Analysis System scans original files and files within an archive. You can specify file types that are blocked (neither scanned nor served to the client; deny) or served to the client unscanned (allow). Checks are performed on the original file and on files inside an archive.
To prevent overhead on the Content Analysis System, you can create policy on the ProxySG appliance to restrict specified file extensions from being sent to the Content Analysis System for scanning. For more information, see Malicious Content Scanning Services in the Blue Coat ProxySG Configuration and Management Guide.
To specify blocked or passed-through file types:
1. Select Services > AV File Types. The interface displays the Scanning Behavior.
2. Under File Extensions, enter file types as appropriate:
a. List file extensions to block: Any file types with these extensions are blocked and not served to the client.
b. List file extensions that do not need to be scanned: Any file types with these extensions are passed to the user, unscanned. If you enable this option, consider the Blue Coat advisory that viruses and other malicious code can be embedded in many file types, including image formats. Use a comma or semicolon as a delimiter to separate file types. For example: .gif; .tif.
3. Click Save Changes.
Known File Type Management (Kaspersky or Sophos)
In addition to the manual file extension lists, the CAS appliance can, depending on the anti-virus vendor, apply specific rules (Ignore, Scan, Block) to specific types of data. This feature is only available if your appliance is licensed to use either the Kaspersky or Sophos AV engine. Instead of simply examining the file extension associated with each file, the appliance examines the apparent data type to determine the correct type of file.
Apparent Data Types allow the CAS appliance to identify data content using the actual file signature and information in the HTTP header rather than by file extensions. For example, it can identify graphics (such as JPG and GIF files), documents, archives, executables, encodings, media, and macros. The appliance also recognizes all files within an archived or compound Microsoft file.
If an individual file in a compound file is specified to be blocked, the entire compound file is blocked. For example, if a zip file contains Word files and JPG files and by policy Word files are allowed while JPG files are blocked, the entire zip file would be blocked.
To specify apparent data types and actions for each type:
1. In the Global Options field, select Apply Global Options before Sending to Antivirus Engines. This option applies your selected actions against the most common file types.
2. Click the Ignore, Scan, or Block radio buttons to specify policy for each of the file types you want to take action on.
- Ignore: The file is served back to the ProxySG without being scanned by the Content Analysis System.
- Block: No scanning occurs and the Content Analysis System appliance returns a response to the ProxySG appliance that the file was blocked (code type: file_type_blocked).
- Scan: The appliance scans the object for malicious content and returns the content or modified response to the ProxySG appliance.
3. For each configured vendor, determine whether to apply Global Options or to use vendor-specific options. To use vendor-specific options, click the Ignore, Scan, or Block radio buttons to specify policy for each of the file types you want to take action on. If you choose to use the unique file options for a specific anti-virus vendor, check the appropriate box or the actions will be ignored.
4. (Optional) Sophos only: Select Detection of weak types to enable recognition of file types that otherwise might be difficult for the Content Analysis System appliance to identify with 100 percent confidence.
Set AV Scanning Options
AV Scanning Option configuration is available in Services > AV Scanning Behavior.
Step 1: Configure the CAS to return cached responses.
Selecting Enabled configures the CAS to return cached responses to the ProxySG appliance when applicable. If the hash of the data matches a file that the CAS has already determined to be clean or to contain a virus, it returns the cached response. This option allows the appliance to learn about traffic patterns on your network and adjust accordingly.
Step 2: Set the maximum file size.
An individual file cannot exceed the specified size; the maximum is 5120 MB. This limitation also applies to each file within an archive.
Step 3: Configure policies for anti-virus exceptions.
These options define how the CAS behaves when a scanning timeout or a scanning error occurs. The behavior is as follows:
- Block: If selected for an error type, the file is dropped.
- Serve: If selected, the file is passed to the client, unscanned.
The default for all options is Block.
The supported scanning errors for different AV vendors are described in the following table. Each entry lists the error, its description, and the vendors that report it.
File scanning timeout: The time required to scan the file exceeds the specified or appliance limit. Vendors: Kaspersky, McAfee, Sophos.
Maximum individual file size exceeded: A file size exceeds the specified or maximum appliance limit. Vendors: Kaspersky, McAfee, Sophos.
Maximum total uncompressed size exceeded: An uncompressed file size exceeds the specified or maximum appliance limit. Vendors: Kaspersky, McAfee, Sophos.
Maximum total number of files in archive exceeded: An archive contains more files than the specified or maximum appliance limit. Vendors: Kaspersky, McAfee, Sophos.
Maximum number of archive layers exceeded: An archive contains more archive layers than the specified or maximum appliance limit. This option is only supported by Kaspersky and McAfee. Sophos generates an anti-virus engine error, which is categorized by the Other errors policy option. Vendors: Kaspersky, McAfee.
Decode/decompress error: An error occurred during decoding or during decompression of a compressed file. For example, a corrupted file or a method used to decompress the file is unsupported. Vendors: Kaspersky, McAfee, Sophos.
Password protected archive
Out of temporary storage space: The CAS buffer capacity for files to be scanned is full. Vendors: Kaspersky, McAfee, Sophos.
Other errors: Any miscellaneous error that causes irregular behavior. Vendors: Kaspersky, McAfee, Sophos.
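The two mechanisms from Step 1 and Step 3 above, the hash-keyed scan cache and the Block/Serve exception policy keyed by the error names in the table, are shown together in this added Python example. It is not Blue Coat code: the anti-virus engine is a constructed stub that returns a verdict or raises one of the table's error names, and the sample objects and the "SLOW-OBJECT", "PKENC" and "EICAR-TEST" markers are constructed for the demonstration.

```python
"""Added example, not Blue Coat code: a content-hash scan cache (Step 1) and the
Block/Serve exception policy (Step 3). The engine is a constructed stub that
returns a verdict or raises one of the error names from the table above."""
import hashlib

# Error names from the table; the exception policy defaults every one to Block.
ERROR_TYPES = [
    "File scanning timeout",
    "Maximum individual file size exceeded",
    "Maximum total uncompressed size exceeded",
    "Maximum total number of files in archive exceeded",
    "Maximum number of archive layers exceeded",
    "Decode/decompress error",
    "Password protected archive",
    "Out of temporary storage space",
    "Other errors",
]
DEFAULT_POLICY = {name: "Block" for name in ERROR_TYPES}


class ScanError(Exception):
    """Raised by an engine with one of the ERROR_TYPES names as its message."""


class ScanCache:
    """Caches verdicts keyed by the SHA-256 of the object bytes, so an object that
    was already judged clean or infected is answered without rescanning."""

    def __init__(self):
        self._verdicts = {}
        self.hits = 0
        self.misses = 0

    @staticmethod
    def key(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def lookup(self, data: bytes):
        verdict = self._verdicts.get(self.key(data))
        if verdict is None:
            self.misses += 1
        else:
            self.hits += 1
        return verdict

    def store(self, data: bytes, verdict) -> None:
        self._verdicts[self.key(data)] = verdict


def stub_engine(data: bytes):
    """Constructed engine: returns None when clean, a signature name when infected,
    and raises ScanError for conditions the exception policy covers."""
    if b"SLOW-OBJECT" in data:                 # constructed marker: scan would time out
        raise ScanError("File scanning timeout")
    if data.startswith(b"PKENC"):              # constructed marker: encrypted archive
        raise ScanError("Password protected archive")
    if b"EICAR-TEST" in data:                  # constructed marker: known signature
        return "Test-Signature"
    return None


def decide(data: bytes, engine, cache: ScanCache, policy=None):
    """Return (action, detail): action is 'serve' or 'block'; detail is the verdict
    ('clean' or the signature name) or, for errors, the error name that triggered policy."""
    policy = DEFAULT_POLICY if policy is None else policy
    cached = cache.lookup(data)
    if cached is not None:
        return cached
    try:
        signature = engine(data)
    except ScanError as err:
        name = err.args[0]
        # Unknown error names fall under the Other errors option; absent that, Block.
        action = policy.get(name, policy.get("Other errors", "Block"))
        # An error describes this scan attempt, not the content, so it is never cached:
        # the next request for the same object gets a fresh scan.
        return ("serve" if action == "Serve" else "block", name)
    verdict = ("serve", "clean") if signature is None else ("block", signature)
    cache.store(data, verdict)
    return verdict
```

Only definitive verdicts (clean or a named signature) are cached; an error result is returned through policy and discarded, which is the reason a timeout on a large object costs a rescan rather than a permanently cached Block. Setting an error to Serve trades that safety for throughput, so it is worth confining to error types whose objects another control (such as sandboxing) still covers.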
Step 4: Specify vendor-specific options.
Set the following vendor-specific options:
- Engine Settings
- File Scanning Timeout
- File Size/Count Limitations
Engine Settings
The following table describes the vendor-specific engine settings. Each entry lists the option, the vendors that support it with the default for each, and notes.
Detect Spyware: Kaspersky (default Disabled), McAfee (default Enabled), Sophos (default Disabled).
Detect Adware: Kaspersky (default Disabled). Detect Adware is disabled by default. It can be deselected, but it cannot be selected without selecting Detect Spyware.
Enable Anti-virus engine heuristic: Kaspersky (default Disabled). This option enables the appliance to catch potential viruses for which pattern signatures might be unavailable. Because the Kaspersky anti-virus engine heuristics option requires additional system resources, Blue Coat recommends that you verify that CPU usage is within the normal operating range for the appliance before enabling heuristics. Note: Do not enable Kaspersky heuristics if the current CPU utilization is in a Warning or Critical state.
Detect Potentially Unwanted Applications (adware)
Use Sophos Weak Types: Sophos (default Disabled).
File Scanning Timeout
File scanning timeout is the maximum length of time the file is scanned by the CAS appliance. When the timeout value is reached, the scan is abandoned. Some files, though not viruses themselves, are designed to disable a virus scanner. Although these files cannot disable a CAS appliance, they could use up system resources and slow down overall throughput. Defining a timeout value allows the appliance to reclaim system resources. The default is 800 seconds; a value between 10 and 3600 seconds (60 minutes) is valid.
File Size/Count Limitations
Maximum Total Uncompressed Size: This option is included in the vendor-specific settings. An uncompressed file or archive cannot exceed the specified size (MB). The maximum is 5120.
Maximum Total Number of Files in Archive: This option is included in the vendor-specific settings. An archive cannot contain more than the specified number of files.
Maximum Archive Layers: This option is included in the vendor-specific settings. An archive is a file containing multiple files and a folder structure. It cannot contain more than the specified number of layers (directories). The maximum is:
- McAfee: 300
- Sophos: 100
- Kaspersky: 40
If any of these options are exceeded, the object is not scanned. After completing these steps, click Save Changes.
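The apparent-data-type policy with whole-archive blocking from Known File Type Management, and the archive limits just described (total files, uncompressed size, nesting layers), share one archive walk, so this added Python example serves both passages. It is not Blue Coat code and not the appliance's type list: the signature table, the Ignore/Scan/Block policy, the limit values and the in-memory zip samples are all constructed for the demonstration, and it generalizes the text's zip-of-Word-and-JPG case to arbitrary nesting and to decode and encryption failures.

```python
"""Added example, not Blue Coat code: apparent-data-type policy with whole-archive
blocking (Known File Type Management) plus the archive limits from File Size/Count
Limitations, walked over constructed in-memory zip files. The signature table,
policy and limit values are constructed for illustration."""
import io
import zipfile

# Constructed signature table: the apparent type comes from the object's own
# leading bytes, never from the extension the client or server supplied.
SIGNATURES = [
    (b"MZ", "executable"),
    (b"\x89PNG\r\n\x1a\n", "image"),
    (b"\xff\xd8\xff", "image"),
    (b"GIF8", "image"),
    (b"PK\x03\x04", "archive"),
    (b"%PDF", "document"),
]
# Constructed policy: Ignore, Scan or Block per apparent type; unknown types are scanned.
POLICY = {"image": "Block", "executable": "Scan", "document": "Scan", "archive": "Scan"}
# Constructed limits in the spirit of the vendor-specific settings (not the real maxima).
LIMITS = {"max_files": 100, "max_layers": 3, "max_uncompressed": 10 * 1024 * 1024}


class ScanLimitExceeded(Exception):
    """Carries the error name the exception policy would act on."""


def apparent_type(data: bytes) -> str:
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def evaluate(data: bytes, depth: int = 0, totals=None) -> str:
    """Return 'Ignore', 'Scan' or 'Block' for an object and everything inside it.
    One blocked member blocks the whole compound file; limits raise ScanLimitExceeded."""
    if totals is None:
        totals = {"files": 0, "bytes": 0}      # shared across all nesting levels
    kind = apparent_type(data)
    verdict = POLICY.get(kind, "Scan")
    if kind != "archive":
        return verdict
    if depth + 1 > LIMITS["max_layers"]:
        raise ScanLimitExceeded("Maximum number of archive layers exceeded")
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        raise ScanLimitExceeded("Decode/decompress error")
    with archive:
        for info in archive.infolist():
            if info.flag_bits & 0x1:           # general-purpose bit 0: member is encrypted
                raise ScanLimitExceeded("Password protected archive")
            totals["files"] += 1
            if totals["files"] > LIMITS["max_files"]:
                raise ScanLimitExceeded("Maximum total number of files in archive exceeded")
            # Check the declared size before inflating, so an oversized member is
            # rejected without spending the memory it claims to need.
            totals["bytes"] += info.file_size
            if totals["bytes"] > LIMITS["max_uncompressed"]:
                raise ScanLimitExceeded("Maximum total uncompressed size exceeded")
            try:
                member = archive.read(info)
            except zipfile.BadZipFile:
                raise ScanLimitExceeded("Decode/decompress error")
            if evaluate(member, depth + 1, totals) == "Block":
                return "Block"
    return verdict


def scan_decision(data: bytes):
    """(verdict, None) on success, or (None, error name) when a limit or decode error hit."""
    try:
        return evaluate(data), None
    except ScanLimitExceeded as err:
        return None, err.args[0]


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to construct the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples mirroring the text: document allowed, JPG blocked, so the
    # zip holding both is blocked; a JPG renamed .txt is still recognized as an image.
    print(scan_decision(make_zip({"report.pdf": b"%PDF-1.4 x", "tool.exe": b"MZ\x90\x00"})))
    print(scan_decision(make_zip({"report.pdf": b"%PDF-1.4 x", "logo.jpg": b"\xff\xd8\xff\xe0"})))
    print(scan_decision(b"\xff\xd8\xff\xe0JFIF"))
```

The file and byte totals are shared across every nesting level, which is what makes the limits meaningful against an archive that hides its bulk several layers down; checking the declared uncompressed size before inflating each member is the cheap part of that defence, and the per-member read still bounds the actual cost.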
Establish ICAP Connections Between the ProxySG and the CAS
Before your Content Analysis System appliance (CAS) can handle traffic, you must configure your ProxySG appliance to send traffic to it.
Traffic is sent using the Internet Content Adaptation Protocol (ICAP). When a user requests content from the Internet, it is forwarded to the CAS appliance for processing. The data is first compared against the file whitelist, then scanned for viruses with the vendors you have configured on the appliance. If the file does not match any known viral signatures but appears to be a suspicious executable file, the CAS appliance forwards that file to a sandbox, where it is executed and monitored to determine what type of threat (if any) the file poses to the user and the network.
While the Content Analysis System can communicate with any version of SGOS, the Secure ICAP and Malware Scanning features require SGOS 5.5 or higher, the apparent data type policy feature requires SGOS 6.5.1 or higher, and arbitrary ICAP header parsing requires SGOS 6.5.2.1. Because of this, the ProxySG appliance that communicates with the CAS appliance should run SGOS 6.5.2 or higher.
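The ICAP exchange the preceding paragraph describes, with both sides' messages, is shown in this added Python example following RFC 3507: the proxy wraps the origin server's response in a RESPMOD request whose Encapsulated header gives the byte offset of each section, and the scanning server answers either 204 (deliver the original object) or 200 with a replacement response. This is not Blue Coat or ProxySG code; the host names, the /avscan service path, the ISTag value and the sample download are constructed for the example.

```python
"""Added example, not Blue Coat or ProxySG code: the ICAP RESPMOD exchange between a
proxy and a scanning server, built and parsed per RFC 3507. Host names, the /avscan
service path, the ISTag value and the sample object are constructed."""
CRLF = b"\r\n"


def chunked(body: bytes) -> bytes:
    """ICAP encapsulated bodies use HTTP chunked encoding: one chunk plus terminator."""
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def dechunk(data: bytes) -> bytes:
    """Decode a chunked body; chunk-size extensions such as ';ieof' are ignored."""
    out, pos = b"", 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return out
        out += data[pos:pos + size]
        pos += size + 2                        # skip the chunk data and its trailing CRLF


def build_respmod(icap_host: str, service: str, req_hdr: bytes, res_hdr: bytes, res_body: bytes) -> bytes:
    """What the proxy sends: Encapsulated lists each section's byte offset, counted
    from the start of the encapsulated part (right after the ICAP headers)."""
    offsets = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    head = (
        f"RESPMOD icap://{icap_host}{service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        f"Allow: 204\r\n"                      # proxy accepts a 204 'unmodified' reply
        f"Encapsulated: {offsets}\r\n\r\n"
    ).encode()
    return head + req_hdr + res_hdr + chunked(res_body)


def parse_icap(message: bytes) -> dict:
    """Split an ICAP request or response into start line, headers and the
    encapsulated sections, decoding any *-body section."""
    head, _, encapsulated = message.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode().partition(":")
        headers[name.strip().lower()] = value.strip()
    entries = []
    for item in headers["encapsulated"].split(","):
        name, _, offset = item.strip().partition("=")
        entries.append((name, int(offset)))
    sections = {}
    for i, (name, start) in enumerate(entries):
        # A section runs up to the next section's offset, or to the end of the message.
        end = entries[i + 1][1] if i + 1 < len(entries) else len(encapsulated)
        raw = encapsulated[start:end]
        sections[name] = dechunk(raw) if name.endswith("-body") and name != "null-body" else raw
    return {"start_line": lines[0].decode(), "headers": headers, "sections": sections}


def reply_unmodified() -> bytes:
    """Scanner verdict 'clean': 204 tells the proxy to deliver the original response."""
    return b'ICAP/1.0 204 No Content\r\nISTag: "cas-example-1"\r\nEncapsulated: null-body=0\r\n\r\n'


def reply_block(reason: str) -> bytes:
    """Scanner verdict 'block': a 200 carrying a replacement HTTP response that the
    proxy serves to the user instead of the original object."""
    page = f"Download blocked: {reason}".encode()
    res_hdr = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % len(page)
    head = b'ICAP/1.0 200 OK\r\nISTag: "cas-example-1"\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n' % len(res_hdr)
    return head + res_hdr + chunked(page)


# Constructed sample: the proxy fetched tool.exe for a user and hands the origin
# server's response to the scanner before releasing it to the client.
REQ_HDR = b"GET /files/tool.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 4\r\n\r\n"
RES_BODY = b"MZ\x90\x00"

if __name__ == "__main__":
    request = build_respmod("icap.example.net", "/avscan", REQ_HDR, RES_HDR, RES_BODY)
    parsed = parse_icap(request)
    print(parsed["start_line"], parsed["sections"]["res-body"])
    print(parse_icap(reply_block("File Type Blocked"))["sections"]["res-body"])
```

The offsets in Encapsulated are the part a hand-written message most often gets wrong, which is why the builder computes them from the section lengths and the parser recovers the sections from them rather than by searching for blank lines. The "File Type Blocked" text in the replacement page is the condition name from the ICAP error table later in this guide, not a protocol-level code.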
Configure ICAP Exception Policies
Whether you've used an automatic ICAP configuration with Malware scanning or a manual configuration with an ICAP request modification rule in the VPM, you may find that your organization needs to exempt specific destinations from ICAP scanning. If a destination URL, category or file type is trusted, you may decide not to have that traffic scanned. The examples provided in this topic detail the steps to configure the most common types of ICAP exemptions.
If you are using the Malware Scanning configuration, add a new Web Content layer from the Policy menu, label it ICAP Scan, and proceed with the steps below. If you have configured a manual ICAP scan policy instead, the following policies must be positioned above your existing ICAP scan rule.
Exempt a domain from ICAP scanning
1. Add a new rule in the ICAP Scan policy layer and position it above the ICAP scan rule you created in the preceding section.
2. Right-click the action field in this rule. Click New > Set ICAP Response Service.
3. Name the new object DoNotScan and select Do not Use any ICAP response service.
4. Click OK, and OK.
Close, OK and Install Policy.
Exempt a category from ICAP Scanning
Because some media streams come without end, sending those streams to an ICAP appliance for scanning can lead to delays in processing other traffic. As a best practice measure, follow these steps to defer the streaming media category from being ICAP scanned.
1. Add a new rule in the ICAP Scan policy layer and position it above the ICAP scan rule you created in the preceding section.
2. Right-click the destination field in this new rule, click Set > New > Request URL Category. Expand the Blue Coat categories list and select TV/Video Streams. Name the object TV/Video Stream Category.
3. Click OK, OK, and Install Policy.
Use policy to react to specific ICAP scan results
SGOS 6.5.2.1 introduced the option to define policy to take action based on the results of ICAP scanning. See the Troubleshoot ICAP Errors topic for the available policy triggers. In this example, we want to allow users to download archive files such as zip, rar, or gz if they are password protected and from a trusted domain.
To take action on ICAP scan results, your ICAP request modification rule (or Malware Scanning configuration) must use the Continue without ICAP/Malware Scanning option enabled to be able to take action on a given request.
1. Add a new Web Access Layer and name it ICAP Error Actions.
2. In the Edit menu, select Reorder Layers. Position the ICAP Error Actions layer below your ICAP Scan layer.
3. Right-click the destination field, click Set > New > Request URL.
4. Enter the domain name of the URL in question. In this case, we'll use www.example.com. Click Add, Close, and OK.
Troubleshoot ICAP Errors
ICAP error codes are available as objects in policy for the Content Analysis System ICAP server only and are useful for creating policy that is flexible and granular. SGOS 6.5.2 introduced policy actions to react to the results of an ICAP scan. See the ICAP Policy topic for an example of working with the response codes below in policy.
To take action on ICAP scan results, your ICAP request modification rule (or Malware Scanning configuration) must use the Continue without ICAP/Malware Scanning option enabled to be able to take action on a given request.
The following table lists common ICAP errors that are generated by the Content Analysis System: ICAP Error Codes Available in Policy
ICAP Error Codes Available in Policy
ICAP Error Code | VPM Object Name | Description
--- | --- | ---
Anti-virus Engine Failure | Anti-virus Engine Failure | The ICAP appliance was unable to load the configured anti-virus scanning engine.
Anti-virus License Expired | Anti-virus License Expired | The anti-virus license on the ICAP device has expired.
Anti-virus Load Failure | Anti-virus Load Failure | The ICAP device responded to the ICAP request, but was unable to begin the file scan because the service was unavailable.
Connection Failure | Connection Failure | A connection to the ICAP device could not be established.
Decode error | Decode Error | Error detected during file decompression/decoding.
File Extension Blocked | File Extension Blocked | The ICAP device has the requested file extension set to Block.
File Type Blocked | File Type Blocked | The ICAP device identified the file type from the file's header and found that the detected file type is set to Block.
ICAP Connection Mode Not Supported | ICAP Connection Mode Not Supported | A configuration mismatch has occurred with plain and secure ICAP settings. Verify that your ICAP appliance and ProxySG appliance ICAP service and policy objects all support the same set of secure and insecure connection methods.
ICAP Connection Unavailable | ICAP Connection Unavailable | A connection with the ICAP device could not be established.
ICAP Security Error | ICAP Security Error |
Internal Error | Internal Error | The ICAP device reported an unspecified error that prevented the file from being scanned.
Password Protected | Password Protected Archive | Archive file could not be scanned because it is password protected.
Insufficient Space | Insufficient Space | Indicates that the disk is full.
Maximum Archive Layers Exceeded | Maximum Archive Layers Exceeded | The ICAP device reported that the configured maximum layers permitted in an archive file have been exceeded.
Max file size exceeded | Maximum File Size Exceeded | Maximum individual file size to be scanned exceeds settings in configuration. The maximum individual file size that can be scanned depends on the RAM and disk size of the ProxyAV model.
Maximum Total Files Exceeded | Maximum Total Files Exceeded | The requested file exceeds the configured maximum number of files permitted in a single archive file.
Maximum Total Size Exceeded | Maximum Total Size Exceeded | Maximum total uncompressed file size exceeds settings in configuration. The maximum limit varies by ProxyAV model.
Request Timeout | Request Timeout | The requested file failed to load, as the connection with the origin content server timed out.
Scan timeout | Scan Timeout | Scan operation was abandoned because the file scanning timeout was reached. The default is 800 seconds.
Server Error | Server Error | The origin content server responded to the user's request to serve a file with an error.
Server Unavailable | Server Unavailable |
Enable Secure ICAP Connections
By default, the Content Analysis System appliance receives data from the ProxySG appliance through an Internet Content Adaptation Protocol (ICAP) connection. This occurs on port 1344, which is the Plain ICAP port. For heightened security, you can enable a secure connection between the CAS appliance and the ProxySG appliance. Using secure ICAP ensures that no unencrypted HTTPS data can pass between the CAS and the ProxySG.
- If the ProxySG appliance supports only Plain ICAP connections, you cannot enable secure ICAP.
- After your appliance is configured initially, you must create a new certificate. The default certificate does not contain information, such as the common name field, that can be validated by the ProxySG appliance. Such information must be resolvable to the CAS appliance hostname or IP address.
Configure the CAS to receive secure ICAP connections.
1. Select Settings > ICAP.
2. Secure the connection.
a. Select secure.
b. The default secure Port is 11344. You can change the port, but be advised that this change must occur on both ends of the transaction: the Content Analysis System and the ProxySG appliance secure ICAP service.
c. Select plain if you want to allow a non-secure, backup connection over the plain port should the ProxySG appliance not be able to send a secure connection. This might occur if there is a certificate mismatch or other issue on the ProxySG side of the transaction.
3. Generate the secure connection certificate.
a. On the Settings > ICAP page, click Certificate Management. The interface displays the Certificate Management dialog.
c. Select Custom Parameters.
d. Enter the various entity information.
e. Enter a recipient Email, who gets notified if there are problems with the certificate.
f. Select a Date Valid until value. Upon this date, the CAS appliance deems this certificate invalid and the ProxySG appliance registers an ICAP service error.
g. Set the Size value, which is ___
h. Click Save Changes to generate the certificate. The certificate file downloads to your default download folder.
i. Click Current Information and Download Public Key to save the certificate file to your local system.
Import the CAS certificate and enable secure ICAP connections between the ProxySG and CAS appliances.
a. Click Import. The Management Console displays the Import External Certificate dialog.
b. Name the CA Cert.
c. Open the CAS appliance certificate in a text editor on your system and copy all text including -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
d. Click Paste From Clipboard to add the certificate to the CA Certificate PEM field.
e. Click OK to close the dialog; click Apply.
4. Add the certificate to the approval list.
a. Select SSL > CA Certificates > Certificate Lists.
b. Select the AV_Approval CA Certificate list and click Edit.
c. Select your new certificate from the list on the left and click Add>> to add the certificate to this CA certificate list.
d. Click OK; click Apply.
5. Navigate to External Services > ICAP.
6. Select your CAS ICAP service object in the list and click Edit.
7. Add a check next to This service supports secure ICAP connections.
Allow Trusted File Execution (Whitelisting)
Whitelisting configuration is available in Services > Whitelisting.
By default, the Content Analysis System scans all files and executables in an effort to protect computers and networks from harmful content. You might determine that some of those files are acceptable and perhaps necessary for your enterprise. After one initial scan, a hash for good files is added to the file whitelist, which exempts them from CAS scanning. The CAS appliance refers to the list of known-good hashes comprising the location and name of the file. If a file matches a hash in the whitelist, the appliance informs the ProxySG appliance that the file is good and the user is permitted to download it. If the file is not on the whitelist and scanning is enabled, the Content Analysis System (CAS) scans it with the available anti-virus vendors. If a file fails to match any known virus signatures, the appliance sends it to the configured sandbox vendor for final inspection (if sandboxing is configured).
To use whitelisting, you must first activate it in System > Licensing.
About Trust Scores
A Trust Score is a number that represents the file's level of trust from a known and trusted source. The higher the number, the greater the trust. For example:
Trust Score | Meaning
--- | ---
0 | File is likely malicious
2-3 | Gray file (unknown if file is malicious)
7 or above | File comes from known trusted source
Seven is the default value for the minimum trusted score and is the best practice value for most deployments. However, you can adjust the trusted score minimum value if your situation dictates it.
1. Select Services > Whitelisting.
2. Enter a number in the Trusted whitelisting score value box. 7 is the default and best practice value for most deployments.
About Whitelisting
The file whitelist service is a Blue Coat-hosted database of SHA1 file hashes. The hash comprises file names and the URLs on which they are found. When a user requests a file from a Web site, the ProxySG appliance sends it to the CAS via ICAP for scanning. Before it scans the file for viruses, the file's name, URL and other information are evaluated as a hash. That hash is compared against the whitelist database. If the file is in the whitelist database, the service returns a trusted score. If the trusted score is above the threshold defined in the Trusted whitelisting score value option (Services > Whitelisting), the appliance does not scan the file. As a result, the appliance sends a 200 OK HTTP ICAP response to the ProxySG appliance and the user is permitted to retrieve the file.
If a file doesn't match the whitelist, it's scanned by the active anti-virus engines. If the file doesn't match any viral signatures, but still appears to be suspicious (that is, the file is executable and from an untrusted source), it is sent to a sandboxing service. The sandboxing service executes the file in a protected virtual instance of Windows XP or Windows 7 to determine what threats are posed. The Blue Coat Malware Analysis Appliance (MAA) returns a threat level score, while the FireEye sandbox appliance simply returns a yes or no response.
That MAA score is then reported to the file whitelist service on the appliance, which in turn updates the local database with the file hash and the score.
Isolate and Analyze Suspicious Files
Sandbox configuration is available in Services > Sandboxing.
When the Content Analysis System appliance detects a suspicious file that's not on the whitelist and doesn't match any known viral signatures, the appliance can forward the file to a sandbox appliance to analyze it. This analysis uses one or more Windows 7 or Windows XP virtual systems to safely execute the suspicious file while the sandbox server monitors the resource changes (such as the Windows registry, configuration files and services) and the Internet resources it requests.
Depending on the results, the file is either quarantined or released, and the appliance sends the system administrator a notification e-mail with the results of the test.
Before using sandboxing, you must first activate it in System > Licensing.
Supported Sandboxing Vendors
Blue Coat uses two sandboxing vendors: Blue Coat Malware Analysis Appliance and FireEye.
You must have already installed the sandboxing server before you can use the sandboxing feature on CAS. Refer to the server's documentation for installation instructions.
These two sandboxing vendors use different methods to evaluate threats:
- The Malware Analysis Appliance analyzes the file and returns a number that represents the level of threat. The higher the number, the greater the threat. After you assign a threat threshold in sandboxing, the appliance will send an alert every time a threat appears with a number greater than or equal to the defined threshold.
- The FireEye (http://www.fireeye.com/) appliance doesn't use a threat threshold to determine whether a file is malware. Instead, it returns a Yes or No response ("Yes", this threat is malware). Blue Coat sends an alert on each Yes response.
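The whitelist, anti-virus and sandbox stages described under About Whitelisting and Supported Sandboxing Vendors, worked through as an added Python model. This is illustrative code written for this guide, not Blue Coat's implementation: the SHA-1 key is assumed to cover the file name, URL and file content (the page only says "other information"), and the MAA threat threshold of 5, the whitelist entries, the vendor stand-ins and the sample files are all constructed.

```python
"""Model of the whitelist / anti-virus / sandbox decision chain described on
this page. Added illustration, not Blue Coat code: the whitelist entries,
anti-virus "engines" and sandbox verdicts are constructed stand-ins."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Page: a trust score of 7 or above means a known trusted source; 7 is the default minimum.
DEFAULT_TRUSTED_SCORE = 7
# Assumption: the extensions this model treats as executable (sandbox candidates).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi", ".scr")


@dataclass
class Verdict:
    allowed: bool
    stage: str    # "whitelist", "antivirus", "sandbox" or "clean"
    detail: str


def whitelist_hash(filename: str, url: str, content: bytes) -> str:
    """SHA-1 key for the whitelist lookup. The page says the hash covers the file
    name, the URL and "other information"; assumption: that is the file content."""
    digest = hashlib.sha1()
    digest.update(filename.encode("utf-8") + b"\0" + url.encode("utf-8") + b"\0" + content)
    return digest.hexdigest()


def is_executable(filename: str) -> bool:
    return filename.lower().endswith(EXECUTABLE_SUFFIXES)


class ContentAnalysisModel:
    def __init__(self, whitelist: Dict[str, int],
                 av_engines: Dict[str, Callable[[bytes], Optional[str]]],
                 maa: Optional[Callable[[bytes], int]] = None, maa_threshold: int = 5,
                 fireeye: Optional[Callable[[bytes], bool]] = None,
                 trusted_score: int = DEFAULT_TRUSTED_SCORE):
        self.whitelist = dict(whitelist)      # hash -> trust score (local copy of the hosted database)
        self.av_engines = av_engines          # vendor name -> function returning a signature name or None
        self.maa = maa                        # Malware Analysis Appliance: returns a numeric threat level
        self.maa_threshold = maa_threshold    # constructed threat threshold for the MAA
        self.fireeye = fireeye                # FireEye: True means "Yes, this is malware"
        self.trusted_score = trusted_score
        self.sandbox_scores: Dict[str, int] = {}   # hash -> MAA score reported back to the local database
        self.alerts: List[str] = []

    def scan(self, filename: str, url: str, content: bytes) -> Verdict:
        key = whitelist_hash(filename, url, content)
        score = self.whitelist.get(key)
        # 1. Whitelist: a trusted hash is not scanned; the CAS answers the ProxySG with ICAP 200 OK.
        if score is not None and score >= self.trusted_score:
            return Verdict(True, "whitelist", f"trust score {score} >= {self.trusted_score}")
        # 2. Anti-virus: every active engine gets to match a signature.
        for vendor, engine in self.av_engines.items():
            signature = engine(content)
            if signature is not None:
                return Verdict(False, "antivirus", f"{vendor}: {signature}")
        # 3. Sandbox: only executables that did not come from a trusted source reach this point.
        if is_executable(filename):
            if self.maa is not None:
                threat = self.maa(content)
                self.sandbox_scores[key] = threat   # page: the MAA score is stored with the file hash
                if threat >= self.maa_threshold:
                    self.alerts.append(f"MAA threat {threat} >= {self.maa_threshold}: {url}")
                    return Verdict(False, "sandbox", f"MAA threat score {threat}")
            if self.fireeye is not None and self.fireeye(content):
                self.alerts.append(f"FireEye Yes: {url}")   # page: an alert on each Yes response
                return Verdict(False, "sandbox", "FireEye verdict: Yes")
        return Verdict(True, "clean", "no signature match and no sandbox detection")


# Constructed stand-ins for the real vendors (illustration only).
def constructed_av_engine(content: bytes) -> Optional[str]:
    return "Constructed.TestPattern" if b"CONSTRUCTED-SIGNATURE" in content else None


def constructed_maa(content: bytes) -> int:
    return 9 if b"CONSTRUCTED-PERSISTENCE" in content else 1


def constructed_fireeye(content: bytes) -> bool:
    return b"CONSTRUCTED-BEACON" in content


def build_cas_demo() -> ContentAnalysisModel:
    """A model seeded with one trusted and one gray whitelist entry (constructed)."""
    trusted_key = whitelist_hash("setup.exe", "http://updates.example.com/setup.exe", b"trusted installer bytes")
    gray_key = whitelist_hash("tool.exe", "http://mirror.example.net/tool.exe", b"gray tool bytes")
    return ContentAnalysisModel({trusted_key: 9, gray_key: 3},
                                {"vendor-a": constructed_av_engine},
                                maa=constructed_maa, maa_threshold=5,
                                fireeye=constructed_fireeye)
```

The gray entry (score 3) shows the path the page describes for unknown files: it is not trusted, so it is scanned, and because it is executable it is sandboxed and its MAA score is recorded locally; a non-executable with no signature match is released without a sandbox round trip.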
Configure Sandboxing
1. Select Services > Sandboxing.
2. In the Vendors section, click the Enabled check box next to one or both sandboxing vendors.
3. Optional: To modify a setting (such as the threat threshold), select a vendor and click Edit.
4. In the File Types section, select the types of files you want to send to the sandboxing server. The file types listed are the ones that most likely need to be sandboxed. Any executable file that does not match a known virus signature or whitelist hash is a candidate for Sandboxing.
5. Under Reporting, in the Time Window tab, type the minutes before and after a sandboxing event that are to be captured in the report. An "event" occurs when the sandbox indicates that a file being sandboxed is likely malicious. This setting applies to both Solera and Blue Coat Reporter reports.
6. To enable Blue Coat reporting, do the following:
Blue Coat reporting, using Reporter, helps you begin research on items that are believed to be malicious. If it is malicious, you are immediately notified.
a. Select the Blue Coat Reporter tab.
b. Click the Enabled check box to enable Blue Coat Reporting.
c. Enter the following data to enable communication with your installation of Blue Coat Reporter:
- Server IP address
- Username
- Password
- Database Name
- User Role
- Label: The label appears on the Blue Coat reporting system and will be the name of the report when retrieved from the e-mail link.
7. If you have a Blue Coat Security Analytics Platform appliance and want to enable Sandbox reporting, do the following:
You must have Blue Coat Security Analytics Platform installed and configured before you can integrate it with sandboxing. The alert mechanism you have chosen for sandboxing alerts will contain a link to the report. Due to the dynamic nature of this report, and the time taken to collect data, you may need to visit this report multiple times to get the full report.
a. Click the Security Analytics Platform Reporting tab.
b. Click the Enable Report check box.
c. Enter the following:
- Server: Enter the IP address or hostname of the Blue Coat Security Analytics Platform device.
- Minutes Before Event
- Minutes After Event
8. Under Settings, click Enable sending threat information to WebPulse for further analysis to send threat information to WebPulse.
The WebPulse collaborative defense powers Blue Coat's Web Security portfolio, delivering fast and effective Web 2.0 threat protection for 75 million users worldwide. When you select this option, the threat information is sent to the Blue Coat Threat Labs for further analysis.
Drop Slow Download Connections
ICTM configuration is available in Settings > ICTM.
Intelligent Connection Traffic Monitoring (ICTM) monitors ICAP connections between your ProxySG appliance and Content Analysis System. If connections take longer to complete than expected (such as with infinite stream data, like stock tickers or Internet radio), ICTM drops the connection to keep resources available for scanning other objects.
When ICTM is enabled, the CAS appliance checks for slow downloads and compares the number of concurrent slow ICAP connections to the warning and critical thresholds. If the warning threshold is reached, the appliance notifies the administrator of the dropped URLs (through an e-mail or SNMP trap, if the option is selected). The administrator can then create policy on the ProxySG appliance to ignore these URLs or URL categories in the future.
If the critical threshold is reached, the CAS appliance terminates the oldest, slowest connections so that the level below the threshold is maintained.
1. Select Enable Intelligent Connection Traffic Monitoring (ICTM).
2. Specify how many seconds a connection lasts before it is determined to be a slow download. The minimum is 30 seconds. Blue Coat recommends the default of 60 seconds. The larger the value, the more resources are wasted on suspected infinite stream URLs. Conversely, lower values might tag the downloads of large objects as slow, thus targeting them for termination before the download is complete.
3. Specify the warning threshold:
a. Specify how many concurrent connections that have exceeded the duration specified in Step 2 before a warning message is sent. The allowed maximum is the maximum number of ICAP connections allowed by the CAS appliance; the value varies by hardware model.
By default, an e-mail warning is sent if this threshold is reached. The e-mail is sent to recipients specified on the Alerts > Alerts Settings page. If you disable this option, no warning is sent and nothing is logged in the CAS log file.
b. Specify the time interval, in minutes, that the CAS appliance repeats the warning messages while the appliance remains in a warning state.
c. Specify the critical threshold. If the number of concurrent slow connections reaches this threshold, the CAS appliance drops enough of these connections, beginning with the oldest, to maintain a level below the critical threshold.
7. Click Save Changes.
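The warning and critical threshold behaviour described above, as an added Python model that is not the appliance's own code. The thresholds, the repeat interval and the connections are constructed; the evaluation order (drop down to below the critical level first, then decide whether to warn) and the rule that the critical threshold may not be below the warning threshold are assumptions.

```python
"""Model of the ICTM slow-connection logic described above. Added illustration,
not the appliance's code: thresholds and connections are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IctmConfig:
    enabled: bool = True
    slow_after_s: int = 60        # page: default 60 seconds, minimum 30
    warning_threshold: int = 10   # constructed; page: maximum is the model's ICAP connection limit
    warning_repeat_min: int = 5   # constructed repeat interval, in minutes
    critical_threshold: int = 20  # constructed
    notify: bool = True           # e-mail/SNMP notification on warning

    def __post_init__(self) -> None:
        if self.slow_after_s < 30:
            raise ValueError("slow-download duration must be at least 30 seconds")
        if self.critical_threshold < self.warning_threshold:
            # assumption: a critical level below the warning level makes no sense
            raise ValueError("critical threshold must not be below the warning threshold")


@dataclass
class IcapConnection:
    conn_id: int
    url: str
    started_at: float   # seconds on the model's clock


class IctmMonitor:
    def __init__(self, cfg: IctmConfig) -> None:
        self.cfg = cfg
        self.active: List[IcapConnection] = []
        self.dropped: List[IcapConnection] = []
        self.notifications: List[str] = []
        self._last_warning_at: Optional[float] = None

    def open(self, conn: IcapConnection) -> None:
        self.active.append(conn)

    def close(self, conn_id: int) -> None:
        self.active = [c for c in self.active if c.conn_id != conn_id]

    def slow_connections(self, now: float) -> List[IcapConnection]:
        """Connections open longer than the slow-download duration, oldest first."""
        slow = [c for c in self.active if now - c.started_at >= self.cfg.slow_after_s]
        return sorted(slow, key=lambda c: c.started_at)

    def check(self, now: float) -> List[IcapConnection]:
        """One ICTM evaluation at time `now`; returns the connections it dropped."""
        if not self.cfg.enabled:
            return []
        slow = self.slow_connections(now)
        slow_count = len(slow)
        dropped_now: List[IcapConnection] = []
        # Critical: terminate the oldest slow connections until the count is below the threshold.
        while len(slow) >= self.cfg.critical_threshold:
            victim = slow.pop(0)
            self.active.remove(victim)
            self.dropped.append(victim)
            dropped_now.append(victim)
        # Warning: report the slow and dropped URLs so policy can exempt them; repeat no more
        # often than the configured interval while the warning state persists.
        if slow_count >= self.cfg.warning_threshold:
            self._warn(now, slow, dropped_now)
        else:
            self._last_warning_at = None   # warning state cleared
        return dropped_now

    def _warn(self, now: float, still_slow: List[IcapConnection],
              dropped_now: List[IcapConnection]) -> None:
        interval_s = self.cfg.warning_repeat_min * 60
        if self._last_warning_at is not None and now - self._last_warning_at < interval_s:
            return
        self._last_warning_at = now
        if not self.cfg.notify:
            return   # page: with notification disabled nothing is sent and nothing is logged
        self.notifications.append(
            "ICTM warning: %d slow ICAP connections; dropped: %s; still slow: %s"
            % (len(still_slow) + len(dropped_now),
               [c.url for c in dropped_now], [c.url for c in still_slow]))


def build_ictm_demo() -> IctmMonitor:
    """Monitor with low constructed thresholds and five constructed connections."""
    mon = IctmMonitor(IctmConfig(warning_threshold=2, critical_threshold=3))
    for i, start in enumerate((0, 5, 10, 15, 100), start=1):
        mon.open(IcapConnection(i, f"http://stream{i}.example.com/live", start))
    return mon
```

Run `build_ictm_demo().check(90.0)` to see the critical path: four connections are already slow, so the two oldest are dropped and one warning is recorded; a second check two seconds later finds the warning state still active but does not repeat the notification until the interval has elapsed.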
Default Threshold Values
Establish ICAP Connections Between the ProxySG and the CAS
Before your Content Analysis System appliance (CAS) can handle traffic, you must configure your ProxySG appliance to send traffic to it.
Traffic is sent using the Internet Content Adaptation Protocol (ICAP). When a user requests content from the Internet, it is forwarded to the CAS appliance for processing. The data is first compared against the file whitelist, then scanned for viruses with the vendors you have configured on the appliance. If the file does not match any known viral signatures, but appears to be a suspicious executable file, the CAS appliance forwards that file to a sandbox, where it is executed and monitored to determine what type of threat (if any) the file poses to the user and the network.
While the Content Analysis System can communicate with any version of SGOS, the Secure ICAP and Malware Scanning features require SGOS 5.5 or higher, the apparent data type policy feature requires SGOS 6.5.1 or higher, and arbitrary ICAP header parsing requires SGOS 6.5.2.1. Because of this, the ProxySG appliance that communicates with the CAS appliance should run SGOS 6.5.2 or higher.
To send data to the Content Analysis System appliance, you must configure the ProxySG appliance to send data to the CAS appliance with ICAP. The ProxySG appliance has two methods to achieve this: manual and automatic. The manual configuration requires that you create policy to trigger the ICAP connection for destination URLs, categories and file types. The automatic configuration relies on the Malware Scanning option that provides a threshold configuration to determine how strict ICAP scanning will be.
Manually Configure an ICAP Service on the ProxySG 45
Automatically Configure an ICAP Service on the ProxySG 47
Configure ICAP Policy 50
Manually Configure an ICAP Service on the ProxySG
The ProxySG appliance requires an ICAP service object to communicate with the Content Analysis System appliance. If you are enabling Secure ICAP between the CAS appliance and the ProxySG appliance, this topic assumes that you have completed the steps in "Enable Secure ICAP Connections" on page 36.
1. Log in to the ProxySG appliance Management Console.
2. Add a new ICAP service.
a. Select Configuration > External Services > ICAP.
b. Click Add. The Management Console displays the Add List Item dialog.
c. Enter a name for the CAS appliance and click OK.
d. Click Apply.
3. Select the new entry in the list and click Edit. The Management Console displays the Edit ICAP Service dialog.
a. Enter the Service URL, which is the CAS appliance ICAP address. The format is as follows: icap://IP_address/avscan, where IP_address is the CAS IP address or hostname.
b. Select the ICAP Service Ports per your deployment.
- The default service is a Plain ICAP connection.
- If you enabled (or plan to enable) a Secure ICAP connection between the ProxySG appliance and the CAS appliance, select that option.
- If you enable secure connections, you can select both options so that in the event there is a certificate mismatch or another error, the AV scan occurs over the plain connection. If you select only the Secure option, the ProxySG appliance does not forward the scan request in the event of a secure connection error.
c. Select Send options (Client Address, Server Address, Authenticated User and Authenticated Groups) to forward this information with each file sent to the CAS appliance. This ensures that all threat reporting generated by the CAS appliance bears the appropriate information.
d. Click Sense Settings to prompt the ProxySG appliance to query the CAS appliance for the optimal ICAP settings.
Automatically Configure an ICAP Service on the ProxySG
Malware Scanning uses a set of predefined ICAP scanning policies to protect your network and users from malicious content. Once Malware Scanning is enabled, your appliance will send traffic to your ICAP device (either ProxyAV or Content Analysis System) to be scanned for viruses and threats.
Configure Malware Scanning
1. Log in to the ProxySG appliance Management Console.
2. Select Configuration > Threat Protection > Malware Scanning.
3. Add the CAS appliance.
a. Click New. The Management Console displays the Add ProxyAV ICAP Server dialog.
b. Enter the IP address or hostname for the CAS appliance.
c. Select the ProxyAV Ports per your deployment (applies to CAS appliances).
- The default is Plain ICAP connections.
- If you enabled (or plan to enable) Secure ICAP connections between the ProxySG appliance and the CAS appliance, select that option.
- If you enable secure connections, you can select both options so that in the event there is a certificate mismatch or another error, the AV scan occurs over the plain connection. If you select only Secure, the ProxySG appliance does not forward the scan request in the event of a secure connection error.
d. Click OK.
a. (Optional) Change the protection level from the default of High Performance to Maximum Protection, to scan all files, rather than those that are typically vectors for viral attacks. This can unnecessarily cause the CAS appliance to use more resources than necessary as it has to scan all data users request from the Internet. If your organization does not have a policy that requires all data to be scanned, use the High Performance Protection Level setting.
b. The Connection Security options apply if you have enabled secure ICAP. You can instruct the ProxySG appliance when or when not to use secure connections.
c. For the best security, Blue Coat recommends leaving the default Actions on Unsuccessful Scan option to Deny the client request.
5. Select the Enable Malware Scanning box and click Apply.
Optimize the ICAP Configuration
With Malware Scanning enabled, the next step is to optimize the ICAP service object.
1. In the ProxySG management console, browse to Configuration > External Services > ICAP.
3. Click Sense Settings. A confirmation dialog appears; click OK. The ProxySG appliance queries the CAS appliance to determine the optimal settings for ICAP connections and timeout values and sets them in the ICAP service object.
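What the ICAP service object points at, as an added example: a parser for the icap://IP_address/avscan service URL shown in the manual procedure, and for an ICAP OPTIONS response, the RFC 3507 exchange through which a client learns a service's methods, preview size and connection limit. That Sense Settings uses OPTIONS is an inference from the page, not something it states; the sample response is constructed rather than captured from a CAS appliance, and the code is written for this guide, not taken from SGOS.

```python
"""Service URL and ICAP OPTIONS response parsing (RFC 3507). Added illustration;
the sample response below is constructed, not captured from an appliance."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

PLAIN_ICAP_PORT = 1344   # page: the plain ICAP port


@dataclass
class IcapService:
    host: str
    port: int
    path: str


def parse_service_url(url: str) -> IcapService:
    """Parse icap://host[:port]/service into its parts (default port 1344)."""
    parts = urlsplit(url)
    if parts.scheme != "icap" or not parts.hostname or parts.path in ("", "/"):
        raise ValueError(f"not an ICAP service URL: {url!r}")
    return IcapService(parts.hostname, parts.port or PLAIN_ICAP_PORT, parts.path)


@dataclass
class IcapOptions:
    methods: List[str]
    istag: str
    max_connections: Optional[int]
    options_ttl: Optional[int]
    preview: Optional[int]
    allow_204: bool


def parse_options_response(raw: bytes) -> IcapOptions:
    """Parse an ICAP OPTIONS response: status line plus CRLF-separated headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[0] != "ICAP/1.0" or status[1] != "200":
        raise ValueError(f"unexpected OPTIONS status line: {lines[0]!r}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    # RFC 3507 requires ISTag and Methods in an OPTIONS response.
    if "istag" not in headers or "methods" not in headers:
        raise ValueError("OPTIONS response must carry ISTag and Methods")

    def as_int(name: str) -> Optional[int]:
        return int(headers[name]) if name in headers else None

    allow = [v.strip() for v in headers.get("allow", "").split(",") if v.strip()]
    return IcapOptions(
        methods=[m.strip().upper() for m in headers["methods"].split(",")],
        istag=headers["istag"].strip('"'),
        max_connections=as_int("max-connections"),
        options_ttl=as_int("options-ttl"),
        preview=as_int("preview"),
        allow_204="204" in allow,
    )


def supports_response_modification(opts: IcapOptions) -> bool:
    """A service used from Set ICAP Response Service must advertise RESPMOD."""
    return "RESPMOD" in opts.methods


# Constructed sample of an OPTIONS response (not captured from a real appliance).
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD, REQMOD\r\n"
    b"Service: CONSTRUCTED sample service\r\n"
    b'ISTag: "CONSTRUCTED-ISTAG-0001"\r\n'
    b"Max-Connections: 100\r\n"
    b"Options-TTL: 3600\r\n"
    b"Allow: 204\r\n"
    b"Preview: 1024\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)
```

Max-Connections and Preview are the values a client would carry into its service object; Options-TTL says how long they may be cached before the service should be asked again, which is why re-running Sense Settings after changing the CAS configuration is worthwhile.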
Configure ICAP Policy
Once you have defined an ICAP request modification object, you can use policy on the ProxySG appliance to send traffic to the CAS appliance.
Create a default rule to send traffic to the CAS appliance with ICAP
This step is only required for manual ICAP configurations. If you use the Automatic configuration with Malware Scanning, skip this step and proceed to the other policy examples.
1. Log in to the ProxySG appliance Management Console.
2. Launch the Visual Policy Manager from Configuration > Policy > Visual Policy Manager.
3. Click Policy > Add Web Content layer.
4. Name the new layer ICAP Scan.
5. Right-click the action field in the rule. Click New > Set ICAP Response Service.
6. Select the ICAP service you created in the Management Console and click Add to move it to the box on the right.
7. Choose a failure method. Select either Deny the client request (fail closed) or Continue without further ICAP processing (fail open).
Configure ICAP Exception Policies
Whether you've used an automatic ICAP configuration with Malware scanning or a manual configuration with an ICAP request modification rule in the VPM, you may find that your organization needs to exempt specific destinations from ICAP scanning. If a destination URL, category or file type is trusted, you may decide not to have that traffic scanned. The examples provided in this topic detail the steps to configure the most common types of ICAP exemptions.
If you are using the Malware Scanning configuration, add a new Web Content layer from the Policy menu, label it ICAP Scan and proceed with the steps below. If you have configured a manual ICAP scan policy instead, the following policies must be positioned above your existing ICAP scan rule.
Exempt a domain from ICAP scanning
1. Add a new rule in the ICAP Scan policy layer and position it above the ICAP scan rule you created in the preceding section.
2. Right-click the action field in this rule. Click New > Set ICAP Response Service.
3. Name the new object DoNotScan and select Do not Use any ICAP response service.
4. Click OK and OK, then Close, OK and Install Policy.
Exempt a category from ICAP Scanning
Because some media streams come without end, sending those streams to an ICAP appliance for scanning can lead to delays in processing other traffic. As a best practice, follow these steps to exempt the streaming media category from ICAP scanning.
1. Add a new rule in the ICAP Scan policy layer and position it above the ICAP scan rule you created in the preceding section.
2. Right-click the destination field in this new rule, click Set > New > Request URL Category. Expand the Blue Coat categories list and select TV/Video Streams. Name the object TV/Video Stream Category.
3. Click OK, OK, and Install Policy.
Use policy to react to specific ICAP scan results
SGOS 6.5.2.1 introduced the option to define policy to take action based on the results of ICAP scanning. See the Troubleshoot ICAP Errors topic for the available policy triggers. In this example, we want to allow users to download archive files such as zip, rar or gz if they are password protected and from a trusted domain.
To take action on ICAP scan results, your ICAP request modification rule (or Malware Scanning configuration) must have the Continue without ICAP/Malware Scanning option enabled.
1. Add a new Web Access Layer and name it ICAP Error Actions.
2. In the Edit menu, select Reorder Layers. Position the ICAP Error Actions layer below your ICAP Scan layer.
3. Right-click the destination field, click Set > New > Request URL.
4. Enter the domain name of the URL in question. In this case, we'll use www.example.com. Click Add, Close, and OK.
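The layer arrangement used in the three policy examples above (exemption rules above the default scan rule in the ICAP Scan layer, and an ICAP Error Actions layer below it that only comes into play when the scan rule continues without ICAP), as an added Python model rather than ProxySG policy or code. The scanner stand-in, the trusted.example.com exemption host and the final rule that denies any other ICAP error are constructed assumptions; the error code names are the VPM object names from the Troubleshoot ICAP Errors table.

```python
"""Model of the two VPM layers described above. Added illustration, not ProxySG
policy; the scanner stand-in and the catch-all deny rule are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ARCHIVE_SUFFIXES = (".zip", ".rar", ".gz")


@dataclass
class Request:
    host: str
    path: str
    category: str                          # assumption: the ProxySG's category for the URL
    icap_error_code: Optional[str] = None  # filled in after the scan; VPM object names from the page


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str                  # "icap_scan", "do_not_scan", "allow" or "deny"
    on_failure: str = "deny"     # for icap_scan: "deny" (fail closed) or "continue" (fail open)


class Layer:
    """Within a layer the first matching rule wins, as in the VPM."""
    def __init__(self, name: str, rules: List[Rule]) -> None:
        self.name, self.rules = name, rules

    def first_match(self, req: Request) -> Optional[Rule]:
        return next((r for r in self.rules if r.matches(req)), None)


def evaluate(scan_layer: Layer, error_layer: Layer, req: Request,
             scan: Callable[[Request], Optional[str]]) -> Tuple[str, str]:
    """Returns (decision, reason). `scan` returns None for a clean result, "Virus"
    for a detection, or one of the page's ICAP error code names."""
    rule = scan_layer.first_match(req)
    if rule is None or rule.action == "do_not_scan":
        return "allow", f"{scan_layer.name}: not sent to ICAP"
    req.icap_error_code = scan(req)
    if req.icap_error_code is None:
        return "allow", "ICAP scan clean"
    if req.icap_error_code == "Virus":
        return "deny", "ICAP scan found a virus"
    if rule.on_failure == "deny":
        return "deny", f"fail closed on {req.icap_error_code}"
    # "Continue without ICAP": only now can the ICAP Error Actions layer act on the code.
    err_rule = error_layer.first_match(req)
    if err_rule is None:
        return "allow", f"continued without ICAP after {req.icap_error_code}"
    return err_rule.action, f"{error_layer.name}/{err_rule.name}"


def build_policy(fail_open: bool = True) -> Tuple[Layer, Layer]:
    scan_layer = Layer("ICAP Scan", [
        Rule("exempt trusted.example.com", lambda r: r.host == "trusted.example.com", "do_not_scan"),
        Rule("exempt TV/Video Streams", lambda r: r.category == "TV/Video Streams", "do_not_scan"),
        Rule("default scan", lambda r: True, "icap_scan",
             on_failure="continue" if fail_open else "deny"),
    ])
    error_layer = Layer("ICAP Error Actions", [
        Rule("allow password-protected archives from www.example.com",
             lambda r: r.host == "www.example.com"
             and r.path.lower().endswith(ARCHIVE_SUFFIXES)
             and r.icap_error_code == "Password Protected Archive", "allow"),
        # Assumption: everything else that failed to scan is denied.
        Rule("deny other ICAP errors", lambda r: r.icap_error_code is not None, "deny"),
    ])
    return scan_layer, error_layer


def constructed_scan(req: Request) -> Optional[str]:
    """Stand-in for the CAS (constructed): a virus for paths containing 'malware',
    a password-protected archive for archive files, a connection failure for one
    host, and a clean result for everything else."""
    if "malware" in req.path.lower():
        return "Virus"
    if req.path.lower().endswith(ARCHIVE_SUFFIXES):
        return "Password Protected Archive"
    if req.host == "down.example.org":
        return "Connection Failure"
    return None
```

Building the policy with `fail_open=False` shows why the page insists on Continue without ICAP: with the scan rule set to deny on failure, the error layer is never consulted and the password-protected archive from www.example.com is denied.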
Monitoring and Alerts
As the CAS appliance scans data, statistics for virtually every activity are tracked and either graphed or added to a report. Using the various statistical reports, you can plan policy changes or determine the effectiveness of features such as cached response and sandboxing.
View the CPU Usage Report 56
View the Memory Usage Report 57
View ICAP Connections Data 58
View Ethernet Adapter Statistics 59
View Historical Connection Data 60
Scan Results 61
Cache Hits 63
View the Sandboxing Objects Report 64
View the ICAP Bytes Report 65
View ICAP Object Scan History 66
View Current Connections 67
Manage the CAS System Logs 68
View the CPU Usage Report
CPU historical statistics are available in Statistics > CPU Usage.
The CPU Usage report shows CPU utilization, represented as a percentage of available cycles at a given point in time, for your CAS appliance. The CAS appliance displays information for the past hour, the past day, and the past month.
View the Memory Usage Report
Memory usage statistics are available in Statistics > Memory Usage.
View ICAP Connections Data
ICAP Connection historical statistics are available in Statistics > Connections.
View Ethernet Adapter Statistics
Ethernet Adapter statistics are available in Statistics > Ethernet.
The Ethernet report lists the statistics for each network interface on the appliance.
Ethernet Adapter Media Type
Item | Description
--- | ---
Auto-neg | Displays the results of link auto-negotiation (true or false)
Current Duplex | Displays the duplex value of the established connection (FULL, HALF, DISCONNECTED, or UNAVAILABLE)
Current Speed | Displays the current adapter speed in megabits per second: 10, 100, or 1000
The Received table displays the following information for each network interface:
Item | Description
--- | ---
packets | The number of data packets that were received on the interface
error | The number of Ethernet errors detected on the interface
dropped | The number of packets dropped at the interface based on ICTM monitoring
fifo | First in, first out errors detected on the interface when packets are received in incorrect order
frame | Frame errors detected
compressed | The number of compressed packets received by the interface
multicast | The number of multicast packets received by the interface
The Transmitted table displays the following information for each network interface:
Item | Description
--- | ---
packets | The number of data packets that were sent on the interface
error | The number of Ethernet errors detected on the interface
dropped | The number of packets dropped at the interface based on ICTM monitoring
fifo | First in, first out errors detected on the interface when packets are sent in incorrect order
collision | The number of Ethernet collision errors detected
carrier | Displays the International Carrier Code, if applicable
View Historical Connection Data
Connection Data historical statistics are available in Statistics > Historical Connections.
You can track the ICAP scan history details such as the filename and URL on which it was found and the client IP address here.
To view request history:
1. Set the number of requests to display by entering the number in the Collect last __ requests and click Save Changes.
2. Click Refresh to display the request history list. This report contains the following columns.
Column | Description
--- | ---
Date | The date the ICAP scan finished.
URL | The URL from which the file was retrieved.
Client IP | The IP address of the client requesting the file. Note: To display IP addresses, the ProxySG appliance that sends traffic to this CAS appliance must have Send Client Address enabled in the ICAP service object.
Size | The size of the file that was scanned.
Result | The result of the scan. See Scan Results for more information.
Time taken, ms | The amount of time taken to scan the file, measured in milliseconds.
Scan Results
Refer to the following table to understand the results of past ICAP scans for Historical Connections.
Result | Description
--- | ---
Clean | The file contained no threats.
Parameter Error | Incorrect scan parameter defined.
Password Protected | The file could not be scanned as it is protected by a password.
Unsupported Compression | The file uses an unsupported compression method.
Corrupt Archive | The archive file (zip, rar, gz) could not be opened because it is corrupted.
Too Many Layers | The archive file exceeds the maximum number of archive layers supported.
Unsupported | The file is not a supported type for analysis.
Too Large | The file exceeds the maximum file size limitation.
Uncompressed Size Too Large | The archive file exceeds the maximum file size limitation.
Too Many Files in Archive | The archive file (zip, rar, gz) exceeds the limit of files in an archive.
Blocked Extension | The file was blocked based on the AV File Type configuration.
Ignored Extension | The file was not scanned, based on the AV File Type configuration.
Ignored Type | The file was not scanned, based on the apparent data type of the file.
Timeout | The scan process failed, waiting for the end of the file. Enable ICTM in Settings > ICTM if this message appears frequently.
No Patterns | The anti-virus pattern was not available for the active anti-virus vendor.
Update Error | An error occurred during the anti-virus pattern update. The file was not scanned.
Invalid Option | A required scan option is not defined. The file was not scanned.
License Expired | The license for the component required for scanning has expired. The file was not scanned.
Internal Error | An internal error occurred. The file was not scanned.
Unknown Error | The file was not scanned due to an unexpected error.
Exception |
Virus | A virus was found during the scan.
Blocked Type | The file was blocked based on the apparent data type of the file. (Kaspersky or Sophos only)
Insufficient Resources | The appliance has exceeded the available resources (CPU, disk, memory). The file was not scanned. To determine the cause of resource issues, review the appliance statistics pages.
AV Load Error | The anti-virus engine failed to load.
Cache Hits
Cache Hit historical statistics are available in Statistics > Cache Hits.
The Cache Hits report shows how many files have been served to users without scanning, because those files were found to match a hash of an earlier successful scan. Information is shown for the past hour in the minutes graph, the past day in the hours graph, and the past month in the days graph.
View the Sandboxing Objects Report
Sandboxing statistics are available in Statistics > Sandboxing Objects.
View the ICAP Bytes Report
ICAP traffic byte statistics are available in Statistics > ICAP Bytes.
View ICAP Object Scan History
ICAP object scan history is available in Statistics > ICAP Objects.