
WSS Malware Services Not Functioning as Expected


Article ID: 215509


Products

Web Security Service - WSS

Issue/Introduction

WSS is enabled with the advanced malware license, but malware and risky files are not being blocked when accessed through WSS.

No errors are reported when downloading malware files via WSS; however, the downloaded malware files are caught by on-device antivirus.

Cause

The Management Center policy is missing the configuration item needed to handle requests that must be checked by the malware/Content Analysis service.

Environment

Management Center used to configure WSS

Applies to all access methods.

Resolution

Add Management Center/UPE policies to send traffic to the Content Analysis servers. To do this:

1. Create a new Content Analysis ICAP object on your local reference proxy server

  • Make sure it is named ProxyAV
  • Set the service URL to a dummy IP address (WSS will remove this later, when the policy is compiled there)
  • Enable Threat Protection as the service type
  • Make sure the supported method is response modification


2. From the Management Center console

  • Add a new Web Content Layer (CASWebContentLayer in this example)

  • Select the existing Action and change it to a response analysis action: click NEW and select it from the drop-down

  • Make sure the action references the ProxyAV threat protection ICAP service configured in the proxy setup above, and keep everything else at its default

  • Save the change, then make sure the enforcement is either Universal or just WSS

If you want to bypass anything from ICAP scanning, add a rule for it before this rule in the rule list.
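To confirm the result of the steps above, the following added example (not part of the original article or of any Symantec tooling) checks policy text for a rule that references the ProxyAV service and flags bypass rules listed after it. It assumes the compiled policy is available as CPL text in which the response analysis action appears as `response.icap_service(...)`; the sample policies and function names are constructed for illustration.

```python
import re

# Constructed sample policy text. Assumption: the compiled policy is available
# as CPL, where the Web Content layer appears as a <Cache> layer and the
# response analysis action as response.icap_service(<service>).
GOOD_POLICY = """\
<Cache> "CASWebContentLayer"
    ; bypass listed before the scan rule
    url.domain=updates.example.com response.icap_service(no)
    response.icap_service(ProxyAV)
"""
MISORDERED_POLICY = """\
<Cache> "CASWebContentLayer"
    response.icap_service(ProxyAV)
    url.domain=updates.example.com response.icap_service(no)
"""

LAYER_RE = re.compile(r'<(\w+)>\s*(?:"([^"]*)")?')
ICAP_RE = re.compile(r"response\.icap_service\(\s*([^,)\s]+)")

def parse_layers(cpl):
    """Split CPL text into [(layer_type, layer_name, [rule, ...]), ...]."""
    layers = []
    for raw in cpl.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or CPL comment
            continue
        header = LAYER_RE.match(line)
        if header:
            layers.append((header.group(1), header.group(2) or "", []))
        elif layers:
            layers[-1][2].append(line)
    return layers

def check_malware_scanning(cpl, service="ProxyAV"):
    """Return findings; an empty list means the scan rule is present and ordered."""
    findings, found = [], False
    for _type, name, rules in parse_layers(cpl):
        targets = [m.group(1) if (m := ICAP_RE.search(r)) else None for r in rules]
        if service not in targets:
            continue
        found = True
        scan_at = targets.index(service)
        for pos, target in enumerate(targets):
            if target == "no" and pos > scan_at:
                findings.append(f"{name}: bypass rule {pos + 1} is listed after the scan rule")
    if not found:
        findings.append(f"no rule sends responses to ICAP service {service}")
    return findings
```

The service name is matched exactly, so an ICAP object named anything other than ProxyAV is reported as missing.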
