File Inspection and Threat Grid Malware Analysis and related features are not available to all Umbrella packages. If you encounter a feature described here that you do not have access to, contact your sales representative for more information about your current package. See also, Cisco Umbrella Packages.
Umbrella's File Analysis features File Inspection and Threat Grid Malware Analysis—enabled through the DNS and Web policy wizards—inspect files for malicious content hosted on risky domains. To Umbrella, a risky domain is one that might potentially pose a threat because little or no information is known about it. It is a domain that is neither trusted or known to be malicious. Files can be encountered by Umbrella through an explicit download, such as when a user clicks a link in an email, or through a behind-the-scenes 'drive-by' download scenario. Once inspected, Umbrella allows "good" files through and blocks the downloading of malicious files. When a malicious file is deleted, Umbrella's block page is returned.
Note: Options to inspect files differ between DNS and Web policies. Threat Grid Malware Analysis is only available for Web policies.
When File Inspection is enabled for either a DNS or Web policy, File Inspection scans files through Cisco Advanced Malware Protection (AMP) and Umbrella's antivirus. See Enable File Inspection for DNS Policies and Enable File Inspection for Web Policies.
When File Inspection is enabled, AMP is used by Umbrella uses AMP to scan for malicious files.
AMP is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by the Talos Security Intelligence and Research Group, and Threat Grid intelligence feeds. The Cisco AMP engine does not do real-time sandboxing, instead, the Cisco AMP integration blocks files with a known bad reputation based on the checksum or hash of the file. The AMP checksum database is comprised of lookup and data from all AMP customers and is a dynamic global community resource shared between customers utilizing the technology. For more information about AMP, see Advanced Malware Protection (AMP).
When File Inspection is enabled, Umbrella's antivirus scanner attempts to scan all files. Umbrella begins streaming large files from the proxy to the user after scanning the first 50mb to ensure that the user starts receiving the download while scanning continues in the background. As soon as a file is identified as malicious, the connection is terminated. For larger files, the user may initially experience a brief lag, but should still receive the entire file as quickly as normal—unless it's malicious.
Archives (such as .zip or .rar files) are decompressed and scanned to a maximum of 16 levels of recursion. Files compressed above 16 levels of recursion are blocked. A password-protected archive is not scanned as it cannot be decompressed without a password. However, a password-protected archive can be blocked under the antivirus' Protected Archive category. Umbrella blocks downloads if there is a scanning error or the file is found to be corrupt. Once virus scanning is complete, the file is either delivered or the connection is terminated and the user is served the IP of the block page. You can also review activity through the Security Activity and Activity Search reports. For more information, see Review File Inspection Through Reports.
When you enable Umbrella's File Inspection and Threat Grid Malware Analysis features, files not blocked through File Inspection and that are unknown to AMP file reputation or blocked by Umbrella's anti-virus (AV) may be submitted by Umbrella to Threat Grid for malware analysis. This includes file types known to carry malware or be a conduit for malware, such as EXE and PDF files. See Enable Threat Grid Malware Analysis.
Threat Grid is Cisco's malware analysis and threat intelligence platform. Threat Grid generates and gathers malware intelligence through static and dynamic runtime sample analysis, as well as from other Cisco integrations. For more information about Threat Grid, see Cisco Threat Grid.
You can review Umbrella's Threat Grid activity by logging into the Threat Grid dashboard (credentials are set up when you first enable Threat Grid Malware Analysis) and through the Overview report's File Retrospective. For more information, see File Retrospective Events and Threat Grid.
Updated about a month ago