Content Analysis (CAS) cache time to live (TTL) and how to manually clear the cache

Article ID: 169294

Products

Content Analysis Software - CA

Issue/Introduction

Content Analysis caches malicious scan results to reduce the time required to return a result for files that have been scanned previously. The cache can be cleared manually; it also clears periodically.

Content Analysis did not contain a sandbox clean cache option until CA 2.x.

Resolution

Content Analysis cache has TTLs for File Reputation Service, Predictive Analysis, and Sandboxing.

The AntiVirus cache will clear in the following situations:

  • a pattern update (for the specified vendor)
  • a setting is changed on the Content Analysis (clears cache)
  • when the service is restarted
  • device is rebooted

The AntiVirus cache is never persisted to disk (so it does not survive a reboot, for example) and is cleared under the conditions described above. (McAfee, Kaspersky, Sophos, or Symantec)

  • The File Reputation Service cache honors the TTL the service provides and does persist to disk. (File Reputation)
  • The Predictive Analysis cache is similar to the AV cache. It does not persist to disk. (Symantec Advanced Machine Learning, Cylance)
  • The Sandboxing cache for malicious files caches them for 48 hours. It does persist to disk. It only clears if manually told to clear.
  • The clean sandbox cache has a user-configurable TTL, but it defaults to 60 minutes. It does persist to disk.

The cache can be cleared manually from the Content Analysis UI, in the Utilities menu under the Cache option. There you will find four options for clearing the cache, as separate buttons: Antivirus, File Reputation, Sandboxing, and Static Analysis. After updating to CA 2.x, there is also a "clear all caches" button.