Manage File Inspection

File Inspection expands the visibility and enforcement capabilities of Umbrella, protecting against more attack vectors for more users. The ability to inspect files is performed in the cloud, not on-premises, so there is no need for additional hardware or software to be installed.


Umbrella Packages and Feature Availability

Not all features described here are available to all Umbrella packages. To determine your current package, navigate to Admin > Licensing. For more information, see Determine Your Current Package.

If you encounter a feature described here that you do not have access to, contact your sales representative for more information. See also, Cisco Umbrella Packages.

File inspection is an extension of the intelligent proxy’s scope and functionality. When enabled, you have the ability to scan files for malicious content hosted on risky domains before those files are downloaded.

A risky domain is neither trusted ("known good") or known to be malicious, but one that could potentially pose a threat because little to no information is known about it.

The file is captured in our proxy, scanned to determine if a threat exists, and if so, it's blocked from being downloaded. This file can be an explicit download, such as when a user clicks on a link in an email or a download that happens behind the scenes, in so-called 'drive-by download' scenarios. This is reported on in your Umbrella security activity report and the activity search so you can review what was blocked.

How File Inspection Works

File Inspection employs Umbrella’s intelligent proxy in order to have some domains proxied through our cloud but not others. The intelligent proxy is a cornerstone of how we do advanced protection in the cloud. For more information, see Enable the Intelligent Proxy.

In Umbrella, when identities, such as networks or roaming computers, are pointed to the Umbrella DNS resolvers and when an internet request is made, the first thing that happens is the DNS resolver determines whether a domain is either allowed (safe), blocked or ‘risky.’ If it’s allowed, you’ll get the correct IP address of the domain returned the client. If it’s blocked, the IP of our block page lander is returned. If it’s ‘risky’, the resolver returns the IP of the intelligent proxy. The proxy authenticates the client (using redirects to a unique domain) and an allowed URL or file is permitted or blocked.

When it comes to file inspection, the intelligent proxy is the ‘decision-maker’ when determining whether a file will be inspected or not. If the intelligent proxy feature is not enabled, it is not possible to use file inspection. In addition, the SSL decryption feature of the intelligent proxy is required in order to scan any files on secure (HTTPS) sites.

How is a File Inspected?

Once a domain deemed 'risky’ is passed to the intelligent proxy, there are internal services within the proxy that handle different parts of the request by breaking the request to the domain into individual pieces. For instance, we can block a single URL of a risky domain and allow other URLs within the same risky domain, based on whether we know that URL is known to be bad.

File inspection works similarly and uses two services to scan. In essence, a file hosted on a website is simply another URL, but for file inspection, we determine what type of file it is and scan it to find out more. The request to the file is made from the proxy and when the file is downloaded to the proxy, the file is then passed to both scanners which analyze the file simultaneously.

It's important to note that files are scanned by both engines but if either engine detects it as being known bad or malicious it's blocked. In the example of the eicar test virus earlier, it's scanned and detected by both the antivirus and Cisco AMP. If both engines detect the file, the AMP detection is given a higher priority in the reporting and it will show up as an AMP event with antivirus information listed in the detail.

Cisco Advanced Malware Protection (AMP) Scanning

Cisco AMP is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by the Talos Security Intelligence and Research Group, and Threat Grid intelligence feeds. The Cisco AMP engine does not do real-time sandboxing, instead, the Cisco AMP integration blocks files with a known bad reputation based on the checksum or hash of the file. The AMP checksum database is comprised of lookup and data from all AMP customers and is a dynamic global community resource shared between customers utilizing the technology. For archive files, AMP computes only the archive hash, not hashes for files inside archives.

Antivirus Scanning

The antivirus scanner attempts to scan all files. Umbrella begins streaming large files from the proxy to the user after scanning the first 50mb in order to ensure that the user starts receiving the download while scanning continues in the background. As soon as a file is identified as malicious, the connection is terminated. For larger files, the user may initially experience a brief lag, but should still receive the entire file as quickly as normal—unless it's malicious.

Archives (such as .zip or .rar files) are decompressed and scanned to a maximum of 16 levels of recursion. Files compressed above 16 levels of recursion are blocked. A password-protected archive is not scanned as it cannot be decompressed without the password, however, it will be blocked under the antivirus' Protected Archive category. If there is a scanning error or the file is found to be corrupt or otherwise encrypted, Umbrella blocks that as well. Since we have determined already that the domain could contain risky files, we're taking the safest options when scanning files from those domains.

Once that scanning is complete, the file is either delivered to the customer or the connection is terminated and the user is served the IP of the block page instead of the file they might have been expecting to see.

Test SSL Decryption < Manage File Inspection > Enable File Inspection