Manage File Analysis

Umbrella Packages and Feature Availability

File Inspection and Threat Grid Malware Analysis and related features are not available to all Umbrella packages. To determine your current package, navigate to Admin > Licensing. For more information, see Determine Current Package.

If you encounter a feature described here that you do not have access to, contact your sales representative for more information. See also, Cisco Umbrella Packages.

Umbrella's File Analysis components inspect files for malicious content in DNS and Web policies. File Inspection inspects files hosted on risky domains for DNS policies. To Umbrella, a risky domain is one that might potentially pose a threat because little or no information is known about it; it is a domain that is neither trusted nor known to be malicious. Web policies use both File Inspection and Threat Grid Malware Analysis to inspect potentially malicious files.

Files can be encountered by Umbrella through an explicit download, such as when a user clicks a link in an email, or through a behind-the-scenes "drive-by" download scenario. Once inspected, Umbrella allows "good" files through and blocks the downloading of malicious files. When a malicious file is blocked, Umbrella's block page is returned.

At any time you can review Umbrella's inspection activities through the Security Activity and Activity Search reports.

Note: Options to inspect files differ between the DNS and Web policies. Threat Grid Malware Analysis is only available through the Web policy.

File Inspection—DNS and Web Policies

When File Inspection is enabled for either the DNS or Web policy, File Inspection scans files through Cisco Advanced Malware Protection (AMP) and Umbrella's antivirus. See Enable File Inspection for DNS Policies and Enable File Inspection for the Web Policy.

Cisco Advanced Malware Protection (AMP)

When File Inspection is enabled, Umbrella uses AMP to scan for malicious files.

AMP is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by the Talos Security Intelligence and Research Group and by Threat Grid intelligence feeds. The Cisco AMP engine does not perform real-time sandboxing; instead, the Cisco AMP integration blocks files with a known bad reputation based on the checksum (hash) of the file. The AMP checksum database comprises lookups and data from all AMP customers and is a dynamic global community resource shared between customers utilizing the technology. For more information about AMP, see Advanced Malware Protection (AMP).

Umbrella Antivirus

When File Inspection is enabled, Umbrella's antivirus scanner attempts to scan all files. Umbrella begins streaming large files from the proxy to the user after scanning up to 50 MB to ensure that the user starts receiving the download while scanning continues in the background. As soon as a file is identified as malicious, the connection is terminated. For larger files, the user may initially experience a brief lag, but should still receive the entire file as quickly as normal—unless it's malicious. Umbrella only scans the first 50 MB and does not scan the content of any files over 50 MB. For more information on file scanning size, see Limitations and Range Limits.

Archives (such as .zip or .rar files) are decompressed and scanned to a maximum of 16 levels of recursion. Files compressed above 16 levels of recursion are blocked. A password-protected archive is not scanned as it cannot be decompressed without a password. However, a password-protected archive can be blocked under the antivirus' Protected Archive category. Umbrella blocks downloads if there is a scanning error or the file is found to be corrupt. Once virus scanning is complete, the file is either delivered or the connection is terminated. You can also review activity through the Security Activity and Activity Search reports.
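The following is an added illustration, not Umbrella's code, of how the archive rules described above fit together as a decision procedure: nested archives are unwrapped up to 16 levels and blocked beyond that, an encrypted archive is reported under a Protected Archive category rather than scanned, and a corrupt archive or scanning error results in a block. The antivirus engine is replaced by a stand-in that looks for a constructed marker string, and the helpers that build nested and "password-protected" zips exist only to produce test input.

```python
import io
import zipfile

MAX_RECURSION = 16  # documented limit on nested archive levels

ALLOW, BLOCK, PROTECTED_ARCHIVE = "allow", "block", "protected_archive"


def scan_payload(data: bytes) -> bool:
    """Stand-in for the antivirus engine: a constructed marker counts as malicious."""
    return b"EICAR-LIKE-MARKER" in data


def inspect(data: bytes, depth: int = 0) -> str:
    """Return a verdict for one file, unwrapping nested zips per the documented rules."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return BLOCK if scan_payload(data) else ALLOW  # plain file: hand to the scanner
    if depth >= MAX_RECURSION:
        return BLOCK  # opening this archive would exceed 16 levels of recursion
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    return PROTECTED_ARCHIVE  # encrypted entry: cannot be decompressed
                verdict = inspect(zf.read(info), depth + 1)
                if verdict != ALLOW:
                    return verdict
    except (zipfile.BadZipFile, RuntimeError, EOFError):
        return BLOCK  # scanning error or corrupt archive
    return ALLOW


def wrap(data: bytes, layers: int) -> bytes:
    """Nest data inside `layers` stored zip archives (constructed test input)."""
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("payload.bin" if i == 0 else "inner.zip", data)
        data = buf.getvalue()
    return data


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption bit in every zip header to mimic a password-protected archive."""
    b = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # local and central headers
        pos = b.find(sig)
        while pos != -1:
            b[pos + off] |= 0x1
            pos = b.find(sig, pos + 4)
    return bytes(b)
```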

Threat Grid Malware Analysis—Web Policy Only

When you enable Umbrella's File Inspection and Threat Grid Malware Analysis features, files that are not blocked by File Inspection (that is, files unknown to AMP file reputation and not blocked by Umbrella's antivirus) may be submitted by Umbrella to Threat Grid for malware analysis. This includes file types known to carry malware or to be a conduit for malware, such as EXE and PDF files. See Enable Threat Grid Malware Analysis.

Threat Grid

Threat Grid is Cisco's malware analysis and threat intelligence platform. Threat Grid generates and gathers malware intelligence through static and dynamic runtime sample analysis, as well as from other Cisco integrations. For more information about Threat Grid, see Cisco Threat Grid.

You can review Umbrella's Threat Grid activity by logging into the Threat Grid dashboard (credentials are set up when you first enable Threat Grid Malware Analysis) and through the Overview report's File Retrospective. For more information, see File Retrospective Events and Threat Grid.
