{"_id":"588f8920bcace50f0052ba7d","category":{"_id":"5734a225e4580a200084d5d5","__v":0,"version":"5734a225e4580a200084d5d4","project":"5626d7263a4c6b0d00c454ac","sync":{"url":"","isSync":false},"reference":false,"createdAt":"2015-10-21T00:07:03.426Z","from_sync":false,"order":0,"slug":"getting-started-with-umbrella","title":"Getting Started with Umbrella"},"parentDoc":null,"__v":0,"user":"560b40145148ba0d009bd0b5","project":"5626d7263a4c6b0d00c454ac","version":{"_id":"5734a225e4580a200084d5d4","project":"5626d7263a4c6b0d00c454ac","__v":3,"createdAt":"2016-05-12T15:32:53.005Z","releaseDate":"2016-05-12T15:32:53.005Z","categories":["5734a225e4580a200084d5d5","5734a225e4580a200084d5d6","5734a225e4580a200084d5d7","5734a225e4580a200084d5d8","5734a225e4580a200084d5d9","5734a225e4580a200084d5da","5734a225e4580a200084d5db","578885b59f5d5f3600835274","57c465fdf447ab0e001db8df"],"is_deprecated":false,"is_hidden":false,"is_beta":false,"is_stable":true,"codename":"","version_clean":"1.0.5","version":"1.0.5"},"updates":[],"next":{"pages":[],"description":""},"createdAt":"2017-01-30T18:42:40.503Z","link_external":false,"link_url":"","githubsync":"","sync_unique":"","hidden":false,"api":{"results":{"codes":[]},"settings":"","auth":"required","params":[],"url":""},"isReference":false,"order":8,"body":"## Umbrella File Inspection – Overview \n  \nThe Cisco Umbrella File Inspection feature expands the visibility and enforcement capabilities of Umbrella, protecting against more attack vectors for more users. The ability to inspect files is performed in the cloud, not on premises, so there is no need for additional hardware or software to be installed. This document consists of three parts, first outlining how to enable file inspection and how to test it. Then we'll go through viewing reports to see any files that were inspected.  Lastly, we'll cover how file inspection actually works in the back-end.  
\n  \n#### Feature release timing and Umbrella packages\n \nThe file inspection feature is only available for customers with the Umbrella Insights or Umbrella Platform packages. [Click here to read more about packages](https://umbrella.cisco.com/products/packages) and contact your Cisco account representative with any questions. \n\n\n1. [Overview](https://docs.umbrella.com/product/umbrella/file-inspection#section-umbrella-file-inspection-overview)\n2. [Features of File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection#section-features-of-umbrella-file-inspection)\n3. [Enabling File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection#section-enabling-file-inspection)\n4. [Testing File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection#section-testing-file-inspection)\n5. [Troubleshooting](https://docs.umbrella.com/product/umbrella/file-inspection#section-troubleshooting)\n6. [Reporting for File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection#section-reporting-for-file-inspection)\n7. [How File Inspection Works](https://docs.umbrella.com/product/umbrella/file-inspection#section-how-file-inspection-works)\n\n## Features of Umbrella file inspection\n\nFile inspection is an extension of the Umbrella intelligent proxy’s scope and functionality.  With this feature enabled, you can scan files hosted on suspicious domains for malicious content before those files are downloaded.  A suspicious domain is neither trusted nor known to be malicious, but could be one that potentially poses a threat. \n\nThe file is captured in our proxy and scanned to determine if a threat exists; if so, it's blocked from being downloaded.  This can be an explicit download, such as when a user clicks on a link in an email, or a download that happens behind the scenes, in so-called 'drive-by download' scenarios. 
This is reported on in your Umbrella security activity report and the activity search so you can review what was blocked.  \n\nThe file inspection feature is being rolled out a few features at a time; essentially, we're building it from the ground up, one brick at a time. In this first release of the feature, each file that's being inspected is scanned twice: once by an antivirus engine to determine if it's known malicious, and once by the Cisco AMP integration to block files with a bad reputation. \n \n### Enabling File Inspection\n\nFile inspection can be enabled on a per-policy, per-identity basis and is available for all identities. The intelligent proxy feature must be enabled in order to use file inspection, and for new policies, it's enabled by default. **We highly recommend enabling SSL Decryption as part of a policy to maximize the benefits of file inspection, although it is not required.**\n\n1. Log in to the Umbrella dashboard at [https://dashboard.umbrella.com](https://dashboard.umbrella.com)\n2. Expand Policies and select Policy List.\n3. Create a new policy by clicking the plus (+) sign at the top of the page or edit an existing policy. \n4. If you're creating a new policy, select the Identities that will use file inspection. In the example below we are using only Roaming Computers but any identities you are comfortable with will work.  Click Next when finished. \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/140586b-Screen_Shot_2017-06-06_at_10.55.24_AM.png\",\n        \"Screen Shot 2017-06-06 at 10.55.24 AM.png\",\n        2006,\n        1052,\n        \"#266080\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n5. 
When asked what should this policy do, simply ensure 'Inspect Files' is checked:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/003d5c7-Screen_Shot_2017-06-06_at_11.14.15_AM.png\",\n        \"Screen Shot 2017-06-06 at 11.14.15 AM.png\",\n        1742,\n        748,\n        \"#cccccc\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\nMake sure the \"Intelligent Proxy\" is enabled, which it is by default. **Although not required and not default, we do recommend enabling SSL decryption!**  Adding SSL decryption allows for both types of traffic (secure and insecure) to be proxied and for those files to be inspected. A test scenario with SSL enabled is below.\n \n**If you're editing an existing policy, make sure File Inspection is enabled on the summary page after you’ve enabled the Intelligent Proxy (under Advanced Settings)** \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/7405418-Screen_Shot_2017-06-06_at_3.59.26_PM.png\",\n        \"Screen Shot 2017-06-06 at 3.59.26 PM.png\",\n        1942,\n        378,\n        \"#b4b1b1\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n\n[block:callout]\n{\n  \"type\": \"info\",\n  \"title\": \"Cisco Umbrella Root Certificate\",\n  \"body\": \"The Cisco Umbrella Root Certificate must be installed on all machines with SSL decryption included in their file inspection policy.  For more information, read here: [https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/)\\n\\nTo test SSL decryption with file inspection, use [https://ssl-proxy.opendnstest.com/download/eicar.com](https://ssl-proxy.opendnstest.com/download/eicar.com)\"\n}\n[/block]\n6.   Save to confirm the settings. 
If you're testing, ensure that the policy with file inspection enabled is at or near the top of the policy list so that it takes precedence.\n\n### Testing File Inspection\n\nFrom a device that’s been enrolled in a policy with File Inspection enabled, perform the following:\n\n1. Browse to http://proxy.opendnstest.com/download/eicar.com. Alternatively, browse to https://ssl-proxy.opendnstest.com/download/eicar.com to test the SSL decryption version (if enabled in the policy).\n2. You should receive a block page like the one below:\n \n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/689f4e7-block_page.jpg\",\n        \"block_page.jpg\",\n        619,\n        315,\n        \"#f7f7f7\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n3. The diagnostic information gives some detail about which server the file went through. \n\n4. Check the reports to ensure the event appears as it should.  This is covered in the next sections.\n \n### Troubleshooting\n\nIf you do not see the block page above, ensure that the policy with File Inspection enabled is higher in the policy order than other policies the enrolled identity (or identities) are configured for.\n\nWait up to 5 minutes before testing again after any policy changes to ensure enough time has passed for the changes to be replicated throughout the Umbrella infrastructure. If problems persist, try clearing the local browser cache on your machine, or even your machine's DNS cache (a reboot will accomplish this).\n \nBeyond that, check to see if you have a local on-prem proxy that is interfering. For more information, see [Using Umbrella with an HTTP proxy](https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy).\n\nAnd be sure that the Cisco Root CA is installed in case of certificate errors or files on HTTPS connections not being blocked. 
For more information, see [Cisco Certificate Import Information](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/).\n\n#### Getting Help\nIf you encounter any issues with the File Inspection feature, please log a case with Customer Support at: [umbrella-support@cisco.com](mailto:umbrella-support@cisco.com)\n \nYou may want to include the output of the following commands (these commands should be run from a device enrolled in the policy configured for File Inspection):\n\n**OS X:**\n_dig proxy.opendnstest.com_\n_dig debug.opendns.com txt_\n\n**Windows**\n_nslookup proxy.opendnstest.com_\n_nslookup -type=txt debug.opendns.com_\n\nYou should also include the output of the Umbrella diagnostic to speed up troubleshooting. See [Umbrella Diagnostic Tool](https://support.umbrella.com/hc/en-us/articles/234692027-Umbrella-Diagnostic-Tool).\n\n## Reporting for File Inspection\n\nA file that's been inspected and blocked appears in your security logs like any other network event that passes through Umbrella.  Both the activity search and the security activity report show file inspection events, but greater detail is found in the security activity report.  \n\nFiles that were inspected and allowed through because they are safe appear as allowed events in the activity search report, without any information about scan results because there is nothing to report.\n\nIn the earlier test with eicar.com, if the test worked as expected you should have a result in your security activity report for the identity that matched when doing the test.  This can be seen in one of two ways.\n\n### Security Activity Report for File Inspection\n\nGo to **Reporting > Security Activity**.  Using the built-in filters, search for the threat name, which in this example is \"EICAR\".  
Click Advanced Search and filter for threat, then type in 'eicar':\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/80430a6-Screen_Shot_2017-06-06_at_3.25.19_PM.png\",\n        \"Screen Shot 2017-06-06 at 3.25.19 PM.png\",\n        1842,\n        838,\n        \"#dfdfe0\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\nThe filter should look like this:\n\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/8c5df35-filter-for-malware.gif\",\n        \"filter-for-malware.gif\",\n        215,\n        61,\n        \"#e0e0e0\"\n      ],\n      \"sizing\": \"original\"\n    }\n  ]\n}\n[/block]\nThe result will appear compressed in a card, as below:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/d878ccf-compressed-threat.gif\",\n        \"compressed-threat.gif\",\n        910,\n        73,\n        \"#e4e4e3\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\nExpand the card by clicking on it and you will see something like the results below.  Because every sample of malware is different, each result will vary based on the malware, the identity triggered and which engine detected it as malicious and so on, but the majority of these fields are consistent between various blocks of files that have been inspected.\n\nThe SHA256 hash is especially helpful in cross-referencing between other security data platforms, or even [VirusTotal](https://virustotal.com/).\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/1ab8e00-amp-malware-block.gif\",\n        \"amp-malware-block.gif\",\n        909,\n        359,\n        \"#d6d8d9\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n**NOTE:** The eicar test virus is scanned by both the antivirus engine and the Cisco AMP engine, and detected by both.  
All files are scanned by both engines and can be detected by both, one or neither.  If a sample is detected by both engines, the Cisco AMP detection takes precedence in the reports.\n[block:parameters]\n{\n  \"data\": {\n    \"h-0\": \"Field\",\n    \"h-1\": \"Value\",\n    \"0-0\": \"Destination\",\n    \"0-1\": \"which domain or IP hosted the suspicious file\",\n    \"1-0\": \"URL\",\n    \"1-1\": \"the URL at which the suspicious file was found, if available.  Usually the same domain as the destination.\",\n    \"2-0\": \"Date & Time\",\n    \"2-1\": \"when the suspicious file was downloaded by the user and scanned\",\n    \"3-0\": \"Categories\",\n    \"3-1\": \"which Umbrella security categories matched against this event.  It is possible for a file to be malicious or suspicious as per the antivirus scanner and Cisco AMP but not be categorized.\",\n    \"4-0\": \"Result\",\n    \"4-1\": \"either blocked or allowed\",\n    \"5-0\": \"User Agent\",\n    \"5-1\": \"the user agent of the browser with which the request was made (http://www.useragentstring.com/pages/useragentstring.php?typ=Browser)\",\n    \"6-0\": \"Content Type\",\n    \"6-1\": \"the MIME type of the data stream (https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types)\",\n    \"7-0\": \"SHA256 Hash\",\n    \"7-1\": \"checksum of the file, if available.  Typically for Cisco AMP; this is also included in the summary.\",\n    \"8-0\": \"Status code\",\n    \"8-1\": \"the HTTP status code returned from the query (typically 300 or 400)\",\n    \"9-0\": \"Virus\",\n    \"9-1\": \"the name found by the antivirus scanner, where applicable\",\n    \"10-0\": \"Referrer\",\n    \"10-1\": \"the referrer URL, where available/applicable\"\n  },\n  \"cols\": 2,\n  \"rows\": 11\n}\n[/block]\n### Security Activity Report for Activity Search\n\nThe Activity Search shows files that were allowed through and files that were blocked.  
Any page on any website could count as a file; files like .HTML or .CSS are common.  In the earlier test to download the eicar.com test file from proxy.opendnstest.com, other page elements were downloaded but allowed:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/18b9403-Screen_Shot_2017-06-13_at_2.40.30_PM.png\",\n        \"Screen Shot 2017-06-13 at 2.40.30 PM.png\",\n        1606,\n        384,\n        \"#2499cb\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\nOn the far right-hand side, the ellipsis icon can be expanded for more information.  In this instance, the file was allowed:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/33ffd1e-Screen_Shot_2017-06-13_at_6.09.08_PM.png\",\n        \"Screen Shot 2017-06-13 at 6.09.08 PM.png\",\n        1234,\n        308,\n        \"#2e84a8\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\nClicking \"See Full Details\" shows the following (click image to zoom):\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/21ddd3a-full-details.png\",\n        \"full-details.png\",\n        243,\n        484,\n        \"#dedfe1\"\n      ],\n      \"sizing\": \"original\"\n    }\n  ]\n}\n[/block]\nThe results for Cisco AMP are blank, as the file was allowed.\n\nYou can also use the column filters in the activity search to show the 'File Name' column and make this more apparent. 
First, select \"Columns\" and expose the 'File Name' column, which is hidden by default:\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/6a7eda6-alll-requests.png\",\n        \"alll-requests.png\",\n        211,\n        203,\n        \"#ededee\"\n      ],\n      \"sizing\": \"original\"\n    }\n  ]\n}\n[/block]\nRun the report for the last 24 hours and you'll see the results, including the name of the file that was proxied.\n[block:image]\n{\n  \"images\": [\n    {\n      \"image\": [\n        \"https://files.readme.io/ece5870-Screen_Shot_2017-06-19_at_10.54.27_AM.png\",\n        \"Screen Shot 2017-06-19 at 10.54.27 AM.png\",\n        2450,\n        490,\n        \"#f5f5f5\"\n      ],\n      \"sizing\": \"80\"\n    }\n  ]\n}\n[/block]\n## How File Inspection works\n\n### It starts with the Intelligent Proxy\n\nThe first thing to understand about how File Inspection works is that it employs Umbrella’s intelligent proxy in order to have some domains proxied through our cloud but not others. The intelligent proxy is a cornerstone of how we do advanced protection in the cloud, and you can find out more about it here: [Enable The Intelligent Proxy](https://docs.umbrella.com/product/umbrella/enable-the-intelligent-proxy/).\n\nIn Umbrella, when identities, such as networks or roaming computers, are pointed to the Umbrella DNS resolvers and an internet request is made, the first thing that happens is that the DNS resolver determines whether a domain is allowed (safe), blocked or ‘suspicious.’  If it’s allowed, the correct IP address of the domain is returned to the client. If it’s blocked, the IP of our block page lander is returned. If it’s ‘suspicious’, the resolver returns the IP of the intelligent proxy.  The proxy authenticates the client (using redirects to a unique domain) and the requested URL or file is then permitted or blocked. 
\n\nWhen it comes to file inspection, the intelligent proxy is the ‘decision maker’ when determining whether a file will be inspected or not.  If the intelligent proxy feature is not enabled, it is not possible to use file inspection.  In addition, the SSL decryption feature of the intelligent proxy is required in order to scan any files on secure (HTTPS) sites.\n\n### How is a file actually inspected?\n\nOnce a domain deemed 'suspicious’ is passed to the intelligent proxy, there are internal services within the proxy that handle different parts of the request by breaking the request to the domain into individual pieces.  For instance, we can block a single URL of a suspicious domain and allow other URLs within the same suspicious domain, based on whether we know that URL is known to be bad. \n\nFile inspection works similarly and uses two services to scan. In essence, a file hosted on a website is simply another URL, but for file inspection, we determine what type of file it is and scan it to find out more.  The request to the file is made from the proxy and when the file is downloaded to the proxy, the file is then passed to both scanners which analyze the file simultaneously.\n\nIt's important to note that files are scanned by both engines but if either engine detects it as being known bad or malicious it's blocked.  In the example of the eicar test virus earlier, it's scanned and detected by both the antivirus and Cisco AMP.   If both engines detect the file, the AMP detection is given a higher priority in the reporting and it will show up as an AMP event with antivirus information listed in the detail.\n\n\n####  Cisco Advanced Malware Protection (AMP) scanning\n\nCisco AMP is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by the Talos Security Intelligence and Research Group, and Threat Grid intelligence feeds.  
The Cisco AMP engine does not do real-time sandboxing; instead, the Cisco AMP integration blocks files with a known bad reputation based on the checksum (hash) of the file.  The AMP checksum database is built from lookups and data from all AMP customers and is a dynamic global community resource shared between customers utilizing the technology. \n\n\n#### Antivirus scanning\n\nThe antivirus scanner first determines the type of the file and then scans it.  The scanner will scan all file types.  The scanner will scan the first 50 MB of any file whose type matches one of those determined to be potentially suspicious.  After that point we begin streaming the file from the proxy to the user, so the user will start receiving the download of a large file while scanning continues in the background. But as soon as we know a file is malicious, we terminate the connection. That means that for larger files the user may get a small lag initially, but should still receive the file as quickly as normal—unless it's malicious.\n\nArchives (such as .zip or .rar files) will be decompressed to a maximum of 5 levels of recursion.  A password-protected archive is not scanned, as it cannot be decompressed without the password; however, it will be blocked under the category Protected Archive.  If there is a scanning error, or the file is found to be corrupt or otherwise encrypted, we block that as well. 
Since we have determined already that the domain could contain suspicious files, we're taking the safest options when scanning files from those domains.\n\nOnce that scanning is complete, the file is either delivered to the customer or the connection is terminated and the user is served the IP of the block page instead of the file they might have been expecting to see.\n\n\n***\n [Enable The Intelligent Proxy](https://docs.umbrella.com/product/umbrella/enable-the-intelligent-proxy/) < **Enable File Inspection** > [Enable URLs to be Blocked in Your Destination Lists](https://docs.umbrella.com/product/umbrella/custom-url-destination-list-how-to/)","excerpt":"","slug":"file-inspection","type":"basic","title":"Enable File Inspection"}

Enable File Inspection


## Umbrella File Inspection – Overview The Cisco Umbrella File Inspection feature expands the visibility and enforcement capabilities of Umbrella, protecting against more attack vectors for more users. The ability to inspect files is performed in the cloud, not on premises, so there is no need for additional hardware or software to be installed. This document consists of three parts, first outlining how to enable file inspection and how to test it. Then we'll go through viewing reports to see any files that were inspected. Lastly, we'll cover how file inspection actually works in the back-end. #### Feature release timing and Umbrella packages The file inspection feature is only available for customers with the Umbrella Insights or Umbrella Platform packages. [Click here to read more about packages](https://umbrella.cisco.com/products/packages) and contact your Cisco account representative with any questions. 1. [Overview](https://docs.umbrella.com/product/umbrella/file-inspection#section-umbrella-file-inspection-overview) 2. [Features of File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection#section-features-of-umbrella-file-inspection) 3. [Enabling File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection#section-enabling-file-inspection) 4. [Testing File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection#section-testing-file-inspection) 5. [Troubleshooting](https://docs.umbrella.com/product/umbrella/file-inspection#section-troubleshooting) 6. [Reporting for File Inspection](https://docs.umbrella.com/product/umbrella/file-inspection#section-reporting-for-file-inspection) 7. [How File Inspection Works](https://docs.umbrella.com/product/umbrella/file-inspection#section-how-file-inspection-works) ## Features of Umbrella file inspection File inspection is an extension of the Umbrella intelligent proxy’s scope and functionality. 
With this feature enabled, you have the ability to scan files for malicious content hosted on suspicious domains before those files are downloaded. A suspicious domain is neither trusted or known to be malicious, but could one that could potentially pose a threat. The file is captured in our proxy, scanned to determine if a threat exists and if so, it's blocked from being downloaded. This can be an explicit download, such as when a user clicks on a link in an email or a download that happens behind the scenes, in so-called 'drive-by download' scenarios. This is reported on in your Umbrella security activity report and the activity search so you can review what was blocked. The file inspection feature is being rolled out with a few features at a time, essentially we're building it from the ground up, one brick at a time. In this first release of the feature, each file that's being inspected is scanned twice, once by an antivirus to determine if it's known malicious and once by Cisco AMP to Cisco AMP integration to block files with a bad reputation. ### Enabling File Inspection File inspection can be enabled on a per-policy, per-identity basis but is available for all identities. The intelligent proxy feature is required to be enabled in order to use file inspection, and for new policies, it's enabled by default. **We highly recommend enabling SSL Decryption as part of a policy to maximize the benefits of file inspection, although it is not required.** 1. Log in to the Umbrella dashboard at [https://dashboard.umbrella.com](https://dashboard.umbrella.com) 2. Expand Policies and select Policy List. 3. Create a new policy by clicking the plus (+) sign at the top of the page or edit an existing policy. 4. If you're creating a new policy, select the Identities that will use file inspection. In the example below we are using only Roaming Computers but any identities you are comfortable with will work. Click Next when finished. 
[block:image] { "images": [ { "image": [ "https://files.readme.io/140586b-Screen_Shot_2017-06-06_at_10.55.24_AM.png", "Screen Shot 2017-06-06 at 10.55.24 AM.png", 2006, 1052, "#266080" ], "sizing": "80" } ] } [/block] 5. When asked what should this policy do, simply ensure 'Inspect Files' is checked: [block:image] { "images": [ { "image": [ "https://files.readme.io/003d5c7-Screen_Shot_2017-06-06_at_11.14.15_AM.png", "Screen Shot 2017-06-06 at 11.14.15 AM.png", 1742, 748, "#cccccc" ], "sizing": "80" } ] } [/block] Make sure the "Intelligent Proxy" is enabled, which it is by default. **Although not required and not default, we do recommend enabling SSL decryption!** Adding SSL decryption allows for both types of traffic (secure and insecure) to be proxied and for those files to be inspected. A test scenario with SSL enabled is below. **If you're editing an existing policy, make sure File Inspection is enabled on the summary page after you’ve enabled the Intelligent Proxy (under Advanced Settings)** [block:image] { "images": [ { "image": [ "https://files.readme.io/7405418-Screen_Shot_2017-06-06_at_3.59.26_PM.png", "Screen Shot 2017-06-06 at 3.59.26 PM.png", 1942, 378, "#b4b1b1" ], "sizing": "80" } ] } [/block] [block:callout] { "type": "info", "title": "Cisco Umbrella Root Certificate", "body": "The Cisco Umbrella Root Certificate must be installed on all machines with SSL decryption included in their file inspection policy. For more information, read here: [https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/)\n\nTo test SSL decryption with file inspection, use [https://ssl-proxy.opendnstest.com/download/eicar.com](https://ssl-proxy.opendnstest.com/download/eicar.com)" } [/block] 6. Save to confirm the settings. 
If you're testing, ensure that the policy with file inspection enabled in it is at or near the top of the policy list in order that the policy takes precedence. ### Testing File Inspection From a device that’s been enrolled in a policy with File Inspection enabled, perform the following: 1. Browse to http://proxy.opendnstest.com/download/eicar.com . Alternatively, browser to https://ssl-proxy.opendnstest.com/download/eicar.com to test the SSL decryption version (if enabled in policy) 2. You should receive a block page like the one below: [block:image] { "images": [ { "image": [ "https://files.readme.io/689f4e7-block_page.jpg", "block_page.jpg", 619, 315, "#f7f7f7" ], "sizing": "80" } ] } [/block] 3. The diagnostic information covers a bit of detail about which server the file went through. 4. Check the reports to ensure it appears as it should. This is covered in the next sections. ### Troubleshooting If you do not see the block page above, ensure that the policy with File Inspection enabled is higher in the policy order than other policies the enrolled identity(ies) are configured for. Wait upwards of 5 minutes before testing again after any policy changes to ensure enough time has passed for the changes to be replicated throughout the Umbrella infrastructure. If problems persist, try clearing the local browser cache on your machine, or even your machine's DNS cache (a reboot will accomplish this). Beyond that, check to see if you have a local on-prem proxy that is interfering. For more information, see [Using Umbrella with an HTTP proxy](https://support.umbrella.com/hc/en-us/articles/230563527-Using-Umbrella-with-an-HTTP-proxy). And be sure to that the Cisco Root CA is installed in case of cert errors or files on HTTPS connections not being blocked. For more information, see [Cisco Certificate Import Information](https://docs.umbrella.com/product/umbrella/rebrand-cisco-certificate-import-information/). 
#### Getting Help If you encounter any issues with the File Inspection feature, please log a case with Customer Support at: [umbrella-support@cisco.com](mailto:umbrella-support@cisco.com) You may want to include the output of the following commands (these commands should be run from a device enrolled in the policy configured for File Inspection): **OS X:** _dig proxy.opendnstest.com_ _dig debug.opendns.com txt_ **Windows** _nslookup proxy.opendnstest.com_ _nslookup -type=txt debug.opendns.com_ You should also include the output of the Umbrella diagnostic to speed up the troubleshooting. See [Umbrella Diagnostic Tool](https://support.umbrella.com/hc/en-us/articles/234692027-Umbrella-Diagnostic-Tool). ## Reporting for File Inspection A file that's been inspected and blocked appears in your security logs like any other network event that passes through Umbrella. Both the activity search and the security activity report show file inspection events, but greater detail is found in the security activity report. Files that were inspected and allowed through because they are safe appear as allowed events in the activity search report without any information about scan results because there is nothing to report. In the earlier test with eicar.com, if the test worked as expected you should have a result in your security activity report for the identity that matched when doing test. This can be seen in one of two ways. ### Security Activity Report for File Inspection Go to **Reporting > Security Activity** Using the built-in filters, search for the threat name, which in this example is "EICAR". 
Click Advanced Search and filter for threat, then type in 'eicar':

![Advanced Search filtered for threat](https://files.readme.io/80430a6-Screen_Shot_2017-06-06_at_3.25.19_PM.png)

The filter should look like this:

![Filter for malware](https://files.readme.io/8c5df35-filter-for-malware.gif)

The result appears as a compressed card, as below:

![Compressed threat card](https://files.readme.io/d878ccf-compressed-threat.gif)

Expand the card by clicking on it and you will see something like the results below. Because every malware sample is different, each result varies with the sample, the identity that triggered it, which engine detected it and so on, but most of these fields are consistent across file inspection blocks. The SHA256 hash is especially useful for cross-referencing against other security data platforms, or even [VirusTotal](https://virustotal.com/).

![AMP malware block details](https://files.readme.io/1ab8e00-amp-malware-block.gif)

**NOTE:** The eicar test file is scanned by both the antivirus engine and the Cisco AMP engine, and detected by both. Every file is scanned by both engines and can be detected by both, by one or by neither. If a sample is detected by both engines, the Cisco AMP detection takes precedence in the reports.

| Field | Value |
| --- | --- |
| Destination | The domain or IP that hosted the suspicious file. |
| URL | The URL at which the suspicious file was found, if available. Usually on the same domain as the destination. |
| Date & Time | When the suspicious file was downloaded by the user and scanned. |
| Categories | The Umbrella security categories that matched this event. A file can be flagged as malicious or suspicious by the antivirus scanner or Cisco AMP without the destination being categorized. |
| Result | Either blocked or allowed. |
| User Agent | The user agent of the browser that made the request ([reference](http://www.useragentstring.com/pages/useragentstring.php?typ=Browser)). |
| Content Type | The MIME type of the data stream ([reference](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types)). |
| SHA256 Hash | Checksum of the file, if available. Typically present for Cisco AMP detections; also shown in the summary. |
| Status code | The HTTP status code returned for the request (typically 3xx or 4xx). |
| Virus | The name assigned by the antivirus scanner, where applicable. |
| Referrer | The referrer URL, where available. |

### Activity Search for File Inspection

The Activity Search shows both files that were allowed through and files that were blocked. Any object served by a website counts as a file, including .html and .css pages. In the earlier test that downloaded the eicar.com test file from proxy.opendnstest.com, the other page elements were also downloaded but allowed:

![Activity Search showing allowed page elements](https://files.readme.io/18b9403-Screen_Shot_2017-06-13_at_2.40.30_PM.png)

On the far right hand side, the ellipsis icon can be expanded for more information.
In this instance, the file was allowed:

![Allowed file in Activity Search](https://files.readme.io/33ffd1e-Screen_Shot_2017-06-13_at_6.09.08_PM.png)

Clicking "See Full Details" shows the following:

![Full details of an allowed request](https://files.readme.io/21ddd3a-full-details.png)

The Cisco AMP results are blank because the file was allowed. You can also use the column filters in the Activity Search to show the file name and make this more apparent. First, select "Columns" and enable 'File Name', which is hidden by default:

![Columns selector with File Name](https://files.readme.io/6a7eda6-alll-requests.png)

Run the report for the last 24 hours and the results include the name of the file that was proxied.

![Activity Search with the File Name column](https://files.readme.io/ece5870-Screen_Shot_2017-06-19_at_10.54.27_AM.png)

## How File Inspection works

### It starts with the Intelligent Proxy

The first thing to understand about how File Inspection works is that it relies on Umbrella's intelligent proxy, which proxies some domains through our cloud but not others. The intelligent proxy is a cornerstone of how we do advanced protection in the cloud; you can find out more about it here: [Enable The Intelligent Proxy](https://docs.umbrella.com/product/umbrella/enable-the-intelligent-proxy/).
In Umbrella, identities such as networks or roaming computers are pointed to the Umbrella DNS resolvers. When an internet request is made, the resolver first determines whether the domain is allowed (safe), blocked or 'suspicious'. If it is allowed, the correct IP address of the domain is returned to the client. If it is blocked, the IP of our block page lander is returned. If it is 'suspicious', the resolver returns the IP of the intelligent proxy. The proxy then authenticates the client (using a redirect to a unique domain) and permits or blocks the requested URL or file.

For file inspection, the intelligent proxy is the decision maker that determines whether a file is inspected or not. If the intelligent proxy feature is not enabled, file inspection cannot be used. In addition, the SSL decryption feature of the intelligent proxy is required in order to scan files on secure (HTTPS) sites; without it, only downloads over plain HTTP can be inspected.

### How is a file actually inspected?

Once a domain deemed 'suspicious' is handed to the intelligent proxy, internal services within the proxy handle different parts of the request by breaking the request to the domain into individual pieces. For instance, we can block a single URL on a suspicious domain and allow other URLs on the same domain, based on whether that URL is known to be bad. File inspection works similarly and uses two scanning services. In essence, a file hosted on a website is simply another URL, but for file inspection we determine what type of file it is and scan it to find out more. The proxy makes the request for the file, and once the file has been downloaded to the proxy it is passed to both scanners, which analyze it in parallel. Files are always scanned by both engines, and if either engine detects the file as known bad or malicious, the download is blocked.

In the example of the eicar test file above, it is scanned and detected by both the antivirus engine and Cisco AMP. When both engines detect a file, the AMP detection is given higher priority in reporting: the event shows up as an AMP event, with the antivirus information listed in the detail.

#### Cisco Advanced Malware Protection (AMP) scanning

Cisco AMP is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by the Talos Security Intelligence and Research Group and by Threat Grid intelligence feeds. The Cisco AMP engine does not do real-time sandboxing; instead, the Cisco AMP integration blocks files with a known bad reputation based on the checksum (hash) of the file. The AMP checksum database is built from lookups and data from all AMP customers and is a dynamic global community resource shared between customers using the technology. Because the verdict is keyed on the file's hash, a sample whose content differs by even a single byte from a known bad file has a different hash and is not matched by this lookup.

#### Antivirus scanning

The antivirus scanner first determines the file type and then scans the file. All file types are scanned. For any file whose type matches one of those considered potentially suspicious, the scanner inspects the first 50 MB before the proxy begins streaming the file to the user, so the user starts receiving a large download while scanning continues in the background. As soon as the file is determined to be malicious, the connection is terminated. For larger files the user may notice a small initial lag but should otherwise receive the file as quickly as normal, unless it is malicious.

Archives (such as .zip or .rar files) are decompressed to a maximum of 5 levels of recursion. A password-protected archive cannot be decompressed without the password and so is not scanned; instead it is blocked under the category Protected Archive. Scanning errors, corrupt files and otherwise encrypted files are blocked as well.
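The verdict logic described in this section, as an added model written for this page rather than Umbrella code. It treats Cisco AMP as a SHA256 reputation lookup and the antivirus engine as a content signature match (both with made-up detection names), recurses into zip archives to the 5 levels the text states, blocks entries that carry the archive encryption flag as Protected Archive, and blocks corrupt archives. Blocking content nested deeper than 5 levels is an assumption of the model, chosen to fail closed in the same spirit as the handling of protected and corrupt archives. All sample inputs are constructed inside the block; the EICAR string is public and harmless.

```python
import hashlib
import io
import zipfile
import zlib
from dataclasses import dataclass
from typing import Dict, Optional

# The public EICAR test string: harmless, and detected by every AV engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = hashlib.sha256(EICAR).hexdigest()

# Hypothetical detection names, not vendor names. AMP is modelled as a
# hash-reputation set, the antivirus engine as a content signature.
AMP_KNOWN_BAD: Dict[str, str] = {EICAR_SHA256: "EICAR"}
AV_SIGNATURES: Dict[bytes, str] = {EICAR: "EICAR-Test-File"}
MAX_ARCHIVE_DEPTH = 5              # levels of archive recursion, per the text
AV_SCAN_LIMIT = 50 * 1024 * 1024   # the antivirus engine scans the first 50 MB


@dataclass
class Verdict:
    result: str             # "blocked" or "allowed"
    engine: Optional[str]   # "AMP", "Antivirus" or None
    detail: str


def amp_lookup(data: bytes) -> Optional[str]:
    """AMP as described above: reputation of the file's SHA256, no sandboxing."""
    return AMP_KNOWN_BAD.get(hashlib.sha256(data).hexdigest())


def av_scan(data: bytes) -> Optional[str]:
    """Antivirus as described above: content scan of the first 50 MB only.
    EICAR must sit at offset 0, so an archive that merely contains the
    string is not matched here; recursion into the archive handles it."""
    head = data[:AV_SCAN_LIMIT]
    for sig, name in AV_SIGNATURES.items():
        if head.startswith(sig):
            return name
    return None


def inspect(data: bytes, depth: int = 0) -> Verdict:
    """Verdict for one downloaded object, recursing into zip archives."""
    amp, av = amp_lookup(data), av_scan(data)
    if amp or av:
        # Either engine blocks; when both detect, AMP leads in the report.
        return Verdict("blocked", "AMP" if amp else "Antivirus",
                       f"AMP={amp!r} Antivirus={av!r}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return Verdict("allowed", None, "clean")
    if depth >= MAX_ARCHIVE_DEPTH:
        # Model assumption: what cannot be decompressed cannot be scanned,
        # so it is blocked like a protected or corrupt archive.
        return Verdict("blocked", "Antivirus", "archive nesting exceeds 5 levels")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: encrypted
                    return Verdict("blocked", "Antivirus", "Protected Archive")
                inner = inspect(zf.read(info), depth + 1)
                if inner.result == "blocked":
                    return inner
    except (zipfile.BadZipFile, zlib.error, RuntimeError, OSError) as exc:
        # Scanning error or corrupt archive: blocked as well.
        return Verdict("blocked", "Antivirus", f"scan error: {exc}")
    return Verdict("allowed", None, "clean")


# Constructed sample inputs (test data, not captured traffic).

def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def nest(payload: bytes, levels: int, name: str = "eicar.com") -> bytes:
    """Wrap payload in `levels` nested zip archives."""
    for level in range(levels):
        payload = make_zip({name: payload})
        name = f"inner{level}.zip"
    return payload


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag on every entry of a constructed zip.
    The stdlib cannot write password-protected archives, so only the flag
    the scanner keys on is flipped (local header offset 6, central
    directory offset 8); the entry data itself stays unencrypted."""
    out = bytearray(zip_bytes)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + offset] |= 0x1
            pos = out.find(sig, pos + 4)
    return bytes(out)
```

`inspect(EICAR)` is blocked with `engine == "AMP"` because both engines match and AMP wins the attribution; `inspect(EICAR + b"\n")` is blocked by the antivirus model only, since the extra byte changes the hash. `inspect(nest(EICAR, 5))` reaches the payload at the fifth level, while `inspect(nest(EICAR, 6))` stops at the depth limit, and `inspect(mark_encrypted(make_zip({"x.bin": b"x"})))` returns the Protected Archive verdict without attempting to read the entry.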
Since we have already determined that the domain could host suspicious files, we take the safest option when scanning files from those domains. Once scanning is complete, the file is either delivered to the user or the connection is terminated and the user is directed to the block page instead of the file they were expecting.