The Content Analysis System is rating a file as "suspicious," but the file is still being served to clients

Article ID: 169296

Products

Content Analysis Software - CA

Issue/Introduction

The Content Analysis System alerts that certain files are "Suspicious." However, the same file is still being served to clients.

Cause

When the Content Analysis System detects a suspicious file (an executable or another common malware attack vector) that is not on the whitelist, does not match any known malware signature, and does not trigger a malware score from static analysis, the appliance can forward the file to an external sandbox for analysis. Sandbox services use different methods to identify the actions an executable file would take on a client workstation, including web requests to malicious URLs and changes to system files. Once the file is analyzed, the sandbox service scores it and reports the result either to Content Analysis or, in the case of FireEye NX-series appliances, to the sandbox administrator, so that action can be taken. When malware is reported to Content Analysis, the appliance reports the result to Blue Coat WebPulse and updates its cache so that the appropriate action is taken if the file is requested again.

Effectively, if there is no sandbox integrated with the Content Analysis System, or if the sandbox determined the file was not malicious once it was detonated, the client will still be able to receive the file.

Resolution

Ensure any sandbox available for file detonation is integrated with the Content Analysis System for complete scan results and reputation results.

Workaround

Blacklist the file on the Content Analysis System, or set up a Deny rule on the ICAP client, presumably a ProxySG appliance.
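To make the verdict flow described under Cause and the blacklist workaround concrete, here is an added Python model of that pipeline; it is not Content Analysis code, and the class and field names, the stage order, the static-analysis threshold and the synchronous sandbox callback are all assumptions. It shows why a "suspicious" rating alone allows the file through when no sandbox is integrated or the sandbox reports it benign, and how a blacklist entry or a cached sandbox verdict changes that.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Constructed model of the Content Analysis verdict pipeline (not product code).
# Field names, stage order and the threshold value are assumptions.

@dataclass
class ScanResult:
    action: str              # "allow" or "block"
    reason: str              # which stage decided
    suspicious: bool = False # flagged as suspicious but not proven malicious

@dataclass
class ContentAnalysis:
    whitelist: Set[str]
    blacklist: Set[str]
    signatures: Set[str]                                # hashes of known malware
    static_threshold: int = 70                          # assumed malware-score cutoff
    sandbox: Optional[Callable[[str], bool]] = None     # hash -> True if malicious
    cache: Dict[str, ScanResult] = field(default_factory=dict)  # sandbox verdicts

    def scan(self, sha256: str, executable: bool, static_score: int) -> ScanResult:
        if sha256 in self.blacklist:                    # the Workaround: local blacklist
            return ScanResult("block", "blacklist")
        if sha256 in self.whitelist:
            return ScanResult("allow", "whitelist")
        if sha256 in self.cache:                        # verdict from an earlier detonation
            return self.cache[sha256]
        if sha256 in self.signatures:
            return ScanResult("block", "signature")
        if static_score >= self.static_threshold:
            return ScanResult("block", "static-analysis")
        if not executable:
            return ScanResult("allow", "clean")
        # Executable with no signature hit and a low static score: rated "suspicious".
        # Without an integrated sandbox, the rating alone does not block the download.
        if self.sandbox is None:
            return ScanResult("allow", "suspicious-no-sandbox", suspicious=True)
        malicious = self.sandbox(sha256)
        result = ScanResult("block" if malicious else "allow", "sandbox",
                            suspicious=not malicious)
        self.cache[sha256] = result                     # applied on the next request
        return result

def demo() -> Dict[str, str]:
    h = "ab" * 32                                       # constructed sample hash
    no_sandbox = ContentAnalysis(set(), set(), set())
    with_sandbox = ContentAnalysis(set(), set(), set(), sandbox=lambda _h: True)
    blacklisted = ContentAnalysis(set(), {h}, set())
    return {"no_sandbox": no_sandbox.scan(h, True, 10).action,
            "sandbox_malicious": with_sandbox.scan(h, True, 10).action,
            "blacklisted": blacklisted.scan(h, True, 10).action}
```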