Manage File Analysis


Umbrella Packages and Feature Availability

File Inspection and Cisco Secure Malware Analytics (Threat Grid) Malware Analysis and related features are not available to all Umbrella packages. To determine your current package, navigate to Admin > Licensing. For more information, see Determine Current Package.

If you encounter a feature described here that you do not have access to, contact your sales representative for more information. See also, Cisco Umbrella Packages.

Umbrella's File Analysis components inspect files for malicious content as part of DNS and Web policies. For DNS policies, File Inspection inspects files hosted on risky domains. To Umbrella, a risky domain is one that might pose a threat because little or nothing is known about it: it is neither trusted nor known to be malicious. Web policies use both File Inspection and Cisco Secure Malware Analytics (Threat Grid) to inspect potentially malicious files.

Umbrella encounters files either through an explicit download, such as when a user clicks a link in an email, or through a behind-the-scenes 'drive-by' download. Once a file is inspected, Umbrella allows files found to be clean and blocks the download of malicious files. When a malicious file is blocked, Umbrella's block page is returned.

At any time you can review Umbrella's inspection activities through the Security Activity and Activity Search reports.

Note: Options to inspect files differ between the DNS and Web policies. Secure Malware Analytics (Threat Grid) is only available through the Web policy.

File Inspection—DNS and Web Policies

When File Inspection is enabled for either the DNS or Web policy, File Inspection scans files through Cisco Advanced Malware Protection (AMP) and Umbrella's antivirus. See Enable File Inspection for DNS Policies and Enable File Inspection for the Web Policy.

Cisco Advanced Malware Protection (AMP)

When File Inspection is enabled, Umbrella uses AMP to scan for malicious files.

AMP is built on an extensive collection of real-time threat intelligence and dynamic malware analytics supplied by the Talos Security Intelligence and Research Group and by Secure Malware Analytics (Threat Grid) intelligence feeds. The Cisco AMP engine does not perform real-time sandboxing; instead, the AMP integration blocks files with a known bad reputation, looked up by the checksum (hash) of the file. The AMP checksum database is built from lookups and data contributed by all AMP customers and is a dynamic global community resource shared between customers using the technology. Because the lookup is by hash, a file that is unknown to AMP passes this check and is left to Umbrella's antivirus and, for Web policies, to Secure Malware Analytics (Threat Grid). For more information about AMP, see Advanced Malware Protection (AMP).

Umbrella Antivirus

When File Inspection is enabled, Umbrella's antivirus scanner attempts to scan every file. For large files, the proxy scans up to 50 MB and then begins streaming the file to the user while scanning continues in the background, so the user may notice a brief initial lag but otherwise receives the file at the normal rate. As soon as a file is identified as malicious, the connection is terminated. Only the first 50 MB of a file is scanned; content beyond that limit is not inspected. For more information on file scanning size, see Limitations and Range Limits.

Archives (such as .zip or .rar files) are decompressed and scanned to a maximum of 16 levels of recursion; archives nested more than 16 levels deep are blocked. A password-protected archive cannot be decompressed without its password and so is not scanned; it can, however, be blocked under the antivirus' Protected Archive category. Umbrella also blocks a download if a scanning error occurs or the file is found to be corrupt. Once virus scanning completes, the file is either delivered or the connection is terminated. You can review this activity through the Security Activity and Activity Search reports.
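The size and archive rules in the two paragraphs above are easy to get wrong when you build test fixtures for a proxy or reason about what a given download will do. The following script is an added example, not Umbrella's code: it models the documented decisions (16-level recursion limit, password-protected archives, corrupt archives, the 50 MB scan cap) against zip fixtures it constructs in memory. MALICIOUS_MARKER is a constructed stand-in for an antivirus signature, the verdict strings are this example's own, and because Python's zipfile module cannot write password-protected archives, the fixture sets the encryption flag bit in the zip headers by hand.

```python
"""Model of the File Inspection archive rules (added example, not Umbrella code)."""
import io
import zipfile
import zlib

MAX_RECURSION = 16                    # documented: archives unpacked to 16 levels
SCAN_CAP_BYTES = 50 * 1024 * 1024     # documented: only the first 50 MB are scanned
MALICIOUS_MARKER = b"MALICIOUS-TEST-MARKER"   # constructed stand-in for an AV signature


def classify_blob(data, depth=0, block_protected=True, scan_cap=SCAN_CAP_BYTES):
    """Return the modelled verdict for one blob, recursing into zip members.

    Verdicts: 'deliver', 'block:malicious', 'block:recursion',
    'block:protected_archive', 'block:corrupt'. Depth 0 is the downloaded file;
    a member of a depth-N archive is at depth N+1.
    """
    if depth > MAX_RECURSION:
        return "block:recursion"          # nested deeper than 16 levels
    scanned = data[:scan_cap]             # bytes past the cap are never inspected
    if MALICIOUS_MARKER in scanned:
        return "block:malicious"
    if not zipfile.is_zipfile(io.BytesIO(scanned)):
        return "deliver"                  # plain file: nothing more to unpack
    try:
        with zipfile.ZipFile(io.BytesIO(scanned)) as zf:
            members = zf.infolist()
            if any(m.flag_bits & 0x1 for m in members):   # bit 0 = encrypted entry
                # Cannot be decompressed without the password, so it is never
                # scanned; blocked only when the Protected Archive category is on.
                return "block:protected_archive" if block_protected else "deliver"
            if zf.testzip() is not None:  # CRC or structural error in a member
                return "block:corrupt"
            for m in members:
                if m.is_dir():
                    continue
                verdict = classify_blob(zf.read(m), depth + 1, block_protected, scan_cap)
                if verdict != "deliver":
                    return verdict
    except (zipfile.BadZipFile, zlib.error, RuntimeError):
        return "block:corrupt"            # any scanning error blocks the download
    return "deliver"


def nest(payload, levels, compression=zipfile.ZIP_DEFLATED):
    """Wrap payload in `levels` nested zip archives (constructed fixture)."""
    data = payload
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", compression) as zf:
            zf.writestr("payload.bin" if i == 0 else f"inner{i}.zip", data)
        data = buf.getvalue()
    return data


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag (bit 0) in every local and central-directory header.

    zipfile cannot write password-protected archives, so the fixture fakes the
    flag; classify_blob inspects only the flag and never reads the member data.
    """
    data = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + flag_offset] |= 0x01
            pos = data.find(sig, pos + len(sig))
    return bytes(data)


def corrupt(zip_bytes, payload):
    """Flip one byte of a stored member so its CRC no longer matches."""
    data = bytearray(zip_bytes)
    data[data.find(payload)] ^= 0xFF
    return bytes(data)


def demo():
    """Run every fixture through the model and return {name: verdict}."""
    benign = b"quarterly report, nothing to see here"
    return {
        "plain": classify_blob(benign),
        "depth16": classify_blob(nest(benign, 16)),
        "depth17": classify_blob(nest(benign, 17)),
        "malware_nested": classify_blob(nest(MALICIOUS_MARKER + b" payload", 3)),
        "protected": classify_blob(mark_encrypted(nest(benign, 1))),
        "protected_allowed": classify_blob(mark_encrypted(nest(benign, 1)), block_protected=False),
        "corrupt": classify_blob(corrupt(nest(benign, 1, zipfile.ZIP_STORED), benign)),
        # marker sits past a deliberately tiny scan cap, so it is never seen
        "past_cap": classify_blob(b"A" * 64 + MALICIOUS_MARKER, scan_cap=32),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Run it to print the verdict for each fixture. The past_cap case is the one to keep in mind: content beyond the scan cap is simply never examined, which is why the page points you to Limitations and Range Limits.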

Secure Malware Analytics (Threat Grid)—Web Policy Only

When you enable both Umbrella's File Inspection and the Secure Malware Analytics (Threat Grid) Malware Analysis feature, files that File Inspection did not block (that is, files with no AMP reputation verdict that Umbrella's antivirus (AV) did not flag) may be submitted by Umbrella to Secure Malware Analytics (Threat Grid) for malware analysis. This applies to file types known to carry malware or to act as a conduit for it, such as EXE and PDF files. See Enable Cisco Secure Malware Analytics (Threat Grid).

Secure Malware Analytics (Threat Grid)

Secure Malware Analytics (Threat Grid) is Cisco's malware analysis and threat intelligence platform. Secure Malware Analytics (Threat Grid) generates and gathers malware intelligence through static and dynamic runtime sample analysis, as well as from other Cisco integrations. For more information about Secure Malware Analytics (Threat Grid), see Cisco Secure Malware Analytics (Threat Grid).

You can review Umbrella's Secure Malware Analytics (Threat Grid) activity by logging into the Secure Malware Analytics (Threat Grid) dashboard (credentials are set up when you first enable Secure Malware Analytics (Threat Grid) Malware Analysis) and through the Overview report's File Retrospective. For more information, see File Retrospective Events and Cisco Secure Malware Analytics (Threat Grid).
