WSS Malware Services Not Functioning as Expected
search cancel

WSS Malware Services Not Functioning as Expected


Article ID: 215509


Updated On:


Cloud Secure Web Gateway - Cloud SWG


WSS is enabled with advanced malware license but Malware and risky files are not being blocked when accessed through WSS.

No error are reported downloading malware files via WSS, however downloaded malware files are caught by on-device Antivirus.


Management Center used to configure Cloud SWG (Formerly WSS) Policy

Applies to all access methods.


Management center policy is missing the needed configuration item to handle requests that need to be checked via malware/Content analysis service


Add Management Center/UPE policies to send traffic into Content Analysis servers. To do this

1. Create a new Content Analysis ICAP object on your local reference proxy server

  • Make sure it is named ProxyAV
  • Service URL is a dummy IP address (WSS will remove this later on when policy compiled there)
  • Enable Threat Protection as service type
  • Make sure method supported is response modification


2. From the Management Center console

  • Add a new Web Content Layer – CASWebContentLayer in example below

  • Select the exiting Action above and change it to a response analysis action. We need to click NEW and select it from drop down as highlighted below

  • Make sure we reference the ProxyAV threat protection ICAP service configured in the Proxy setup above, and keep everything else default

  • Save the change out and then make sure the enforcement is either Universal or just WSS

If you want to bypass anything from ICAP scanning, you can add it before this in the rule list.