updated Content Analysis Best Practice template
Article ID: 262967

Products

ISG Proxy

Issue/Introduction

updated Content Analysis Best Practice template

Environment

Release : 7.3.12.1

Resolution

For the updated Content Analysis Best Practice template, please see the full template attached. The template for the recommended "Medium Security Profile" is shared below. This template was updated in October 2020 and uses updated scripts, response.header.Content-Type values, web applications, etc.

; ###################################################
; # Condition Definitions - MEDIUM SECURITY PROFILE # 
; ###################################################

; In SGOS 7.x versions or later, Policy Services will provide these condition definitions
#if release.version=..7.0

; Must-Scan Destinations (URLs, Apps, Categories, Risk-Levels)
; The following destinations will always be scanned,
; even if they would otherwise be excluded by later rules,
; e.g. by Threat Risk Level, File-Type, URL or URL category

define condition Must_Scan_Destinations_Level_Medium
   ; Must-Scan URL/Domains
   ; This is needed to get the EICAR test working (eicar.org is rated as URL risk level 2)
   url.domain=eicar.org

   ; Must-Scan Categories   
   url.category=("File Storage/Sharing", Email, Suspicious, Placeholders, \
   "Malicious Outbound Data/Botnets", "Malicious Sources/Malnets", \
   "Scam/Questionable Legality", Spam, Phishing, "Potentially Unwanted Software", \
   "Compromised Sites", none) 
   
   ; Must-Scan Apps 
   request.application.name=(Dropbox, Box, "Office 365 OneDrive")
   
   ; Must-Scan App Groups (requires SGOS 6.7.2)
   ; request.application.group=("File Sharing", Email)
   
   ; Must-Scan Risk Levels (default: must-scan RL 5 or higher)
   url.threat_risk.level=5..10
   
end condition Must_Scan_Destinations_Level_Medium

; Web Application by Name
define condition Web_Apps_No_ICAP_Level_Medium
  request.application.name="Microsoft Update"
  request.application.name="Symantec Live Update"
  request.application.name="Apple Update"
;  Further Examples
;  request.application.name="YouTube"
;  request.application.name="Vimeo"
;  request.application.name="Facebook"
end condition Web_Apps_No_ICAP_Level_Medium

; Web Application by Group 
; (This requires a CASB Audit App Feed subscription and SGOS 6.7.2 or higher)
define condition Web_Groups_No_ICAP_Level_Medium
;  request.application.group="Collaboration"
end condition Web_Groups_No_ICAP_Level_Medium

; URLs Bypass - Custom Defined List
; Note: If URL rewriting is used, use server_url.domain instead of url.domain
; which reflects the actual URL after a rewrite. See CPL guide for more details.
define url.domain condition URL_No_ICAP_Level_Medium
   ; Examples below - Add URL Domains or URL Host entries to bypass them from scanning
   ; youtube.com ; High-Volume Traffic
   ; googlevideo.com ; High-Volume Traffic
   ; pandora.com ; Radio Streaming Example
   ;
   ; Stock Ticker / Finance Applications
   streamerapi.finance.yahoo.com 
   stream.aol.com 
   finance.google.com 
   ;
   ; AV Update Domains 
   liveupdate.symantec.com 
   symantecliveupdate.com
   download.trendmicro.com
   pattern.download.antivirus.com
   download.antivirus.com
   download.nai.com
   update.nai.com
end condition URL_No_ICAP_Level_Medium

; URL Category
define condition URL_Category_No_ICAP_Level_Medium
   url.category="Radio/Audio Streams"
   url.category="Audio/Video Clips"
   url.category="TV/Video Streams"
end condition URL_Category_No_ICAP_Level_Medium

; URL Threat Risk Level
; This requires an Intelligence Service - Advanced subscription
define condition URL_Risk_Level_No_ICAP_Level_Medium
   ; Adapt to your needs
   ; Example: url.threat_risk.level=1..3 => URL Threat Risk Level 1/2/3
   url.threat_risk.level=1..2
end condition URL_Risk_Level_No_ICAP_Level_Medium

; Detected Native Streaming and HTTP Streaming protocol traffic
; Adobe HDS, Apple HLS, Microsoft Smooth, Quicktime, Realmedia, Windows Media 
define condition Streaming_Clients_No_ICAP_Level_Medium
   streaming.client=windows_media 
   streaming.client=real_media 
   streaming.client=quicktime 
   streaming.client=ms_smooth 
   streaming.client=adobe_hds 
   streaming.client=apple_hls 
   ; To exclude all streaming clients comment out the above and uncomment the line below
   ; streaming.client=yes
end condition Streaming_Clients_No_ICAP_Level_Medium

; Image File Types 
define condition File_Types_No_ICAP_Level_Medium
    http.response.apparent_data_type=(gif,jpeg,png,tif)
    http.response.data.4.regex="^\x00\x00\x01\x00" ;ICO Files
end condition File_Types_No_ICAP_Level_Medium

; WEAK policy conditions below
; These are not active by default

; Content Types (a.k.a. MIME Type)
; WARNING: Content Types can be easily faked by an attacker 
; Examples for video/audio/streaming types below
define condition Content_Type_No_ICAP_Level_Medium
;    response.header.Content-Type="video/"
;    response.header.Content-Type="application/streamingmedia"
;    response.header.Content-Type="application/x-streamingmedia"
;    response.header.Content-Type="application/vnd.rn"
;    response.header.Content-Type="application/ogg"
;    response.header.Content-Type="application/x-ogg"
;    response.header.Content-Type="audio/"
;    response.header.Content-Type="multipart/x-mixed-replace"
end condition Content_Type_No_ICAP_Level_Medium

; File Extensions
; WARNING: File Extensions can be easily faked by an attacker
; Examples for multimedia file extensions are ASX, MP3, QT, WAV, WMV, MPEG, MOV, FLV, SWF
define condition File_Extensions_No_ICAP_Level_Medium
;    url.extension=MP3
end condition File_Extensions_No_ICAP_Level_Medium

; Content-Length Header 
; WARNING: Content-Length headers can be easily faked by an attacker
; This condition will match if the content length is greater than 
; 99,999,999 bytes, or no content length is provided. 
define condition Content_Length_No_ICAP_Level_Medium
;    response.header.Content-Length=!""
;    response.header.Content-Length=!"^[0-9]{1,8}$"
end condition Content_Length_No_ICAP_Level_Medium

; User Agents 
; WARNING: User-Agent Types can be under control of an attacker
define condition User_Agents_No_ICAP_Level_Medium
;    request.header.User-Agent="Winamp"
;    request.header.User-Agent="NSPlayer"
;    request.header.User-Agent="RMA"
;    request.header.User-Agent="ultravox"
;    request.header.User-Agent="itunes"
;    request.header.User-Agent="forest"
;    request.header.User-Agent="Scottrader"
;    request.header.User-Agent="SVN"
end condition User_Agents_No_ICAP_Level_Medium
#endif

Concerning the Content-Length Header, please see the below.

; Content-Length Header 
; WARNING: Content-Length headers can be easily faked by an attacker
; This condition will match if the content length is greater than 
; 99,999,999 bytes, or no content length is provided. 
define condition Content_Length_No_ICAP_Level_Medium
;    response.header.Content-Length=!""
;    response.header.Content-Length=!"^[0-9]{1,8}$"
end condition Content_Length_No_ICAP_Level_Medium

For the above, please note that the template adopts the documented Maximum File Size Limit of 100MB.

Caution: If your ICAP Best Practice template currently reflects the documented Maximum File Size Limit of 100MB but you have a higher Maximum File Size Limit configured in the CAS AV scanning behavior, raising the value in the ICAP Best Practice template to match it would adversely impact performance.
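The three No_ICAP conditions that decide by response attributes behave quite differently: File_Types_No_ICAP_Level_Medium inspects the body (apparent data type and the ICO magic bytes), while the WEAK Content_Type and Content_Length conditions trust headers the server controls. The script below is an added example, not part of the article or the template, that mirrors those three conditions in Python over constructed sample responses and shows the boundary of the Content-Length regex (1 to 8 digits, so 100,000,000 bytes or more, or a missing header, would bypass scanning). Apparent data type is approximated by well-known magic bytes, which is an assumption; it does not reproduce SGOS's own detection.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Constructed stand-in for an HTTP response as the proxy sees it: headers plus body bytes."""
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Content_Length_No_ICAP_Level_Medium: bypass scanning when the header is absent/empty,
# or is not 1..8 digits, i.e. the declared size is 100,000,000 bytes or more.
CONTENT_LENGTH_OK = re.compile(r"^[0-9]{1,8}$")


def content_length_bypass(resp):
    value = resp.headers.get("Content-Length", "")
    return value == "" or CONTENT_LENGTH_OK.match(value) is None


# Content_Type_No_ICAP_Level_Medium: a prefix match on a server-supplied header (WEAK).
CONTENT_TYPE_PREFIXES = (
    "video/", "audio/", "application/streamingmedia", "application/x-streamingmedia",
    "application/vnd.rn", "application/ogg", "application/x-ogg", "multipart/x-mixed-replace",
)


def content_type_bypass(resp):
    value = resp.headers.get("Content-Type", "").lower()
    return any(value.startswith(prefix) for prefix in CONTENT_TYPE_PREFIXES)


# File_Types_No_ICAP_Level_Medium: decided from the body itself. Apparent data type is
# approximated by magic bytes here (assumption; SGOS's own detection is not shown).
MAGIC_BYTES = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"II*\x00": "tif", b"MM\x00*": "tif",
    b"\x00\x00\x01\x00": "ico",   # the template's http.response.data.4.regex for ICO files
}


def apparent_data_type(body):
    for magic, name in MAGIC_BYTES.items():
        if body.startswith(magic):
            return name
    return None


def file_type_bypass(resp):
    return apparent_data_type(resp.body) is not None


def evaluate(resp, weak_enabled=False):
    """Return which No_ICAP conditions match and whether the response still goes to scanning.
    By default only the body-based File_Types condition is active, as in the template."""
    matched = {
        "File_Types": file_type_bypass(resp),
        "Content_Type": weak_enabled and content_type_bypass(resp),
        "Content_Length": weak_enabled and content_length_bypass(resp),
    }
    return {"matched": matched, "scan": not any(matched.values())}


if __name__ == "__main__":
    # Constructed samples: a real PNG, and a body that is not media despite its Content-Type.
    png = Response({"Content-Type": "image/png", "Content-Length": "2048"}, b"\x89PNG\r\n\x1a\n\x00")
    mislabeled = Response({"Content-Type": "video/mp4", "Content-Length": "4096"}, b"MZ\x90\x00")
    for name, resp in (("png", png), ("mislabeled", mislabeled)):
        print(name, "default:", evaluate(resp), "weak enabled:", evaluate(resp, weak_enabled=True))
    for length in ("99999999", "100000000", "104857600", ""):
        print(repr(length), "Content-Length bypass:", content_length_bypass(Response({"Content-Length": length})))
```

Running it shows why the template keeps the header-based conditions commented out: the mislabeled body is still scanned under the default conditions but would be bypassed once Content_Type is enabled, and 104,857,600 bytes (100 MiB) already falls outside the 8-digit regex.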

Note: It is highly recommended to exclude streaming applications from scanning, particularly because they are read for an unbounded period and cause major performance bottlenecks. Use the Best Practice template shared above to exclude streaming applications from scanning.

The ICAP best practice guide recommends excluding traffic matching the "define condition Web_Apps_No_ICAP_Level_Medium" condition, along with the other specifically defined conditions, from content scanning.

You may additionally consider tuning the current ICTM settings to reduce the time these connections stay queued in CAS. We also agreed that Technical Support would engage internally to understand whether there are any particular best-practice ICTM settings that could be used for connections to web applications such as Facebook, where the customer decides to continue scanning them.

For ICTM, please note the following.

Intelligent Connection Traffic Monitoring (ICTM) monitors connections between the Edge SWG appliance and Content Analysis. If connections take longer to complete than expected (such as with infinite stream data, like stock tickers or internet radio), ICTM drops the connection to keep resources available for scanning other objects.

When ICTM is enabled, the system checks for slow downloads and compares the number of concurrent slow ICAP connections to the warning and critical thresholds. If the warning threshold is reached, Content Analysis notifies the administrator of the dropped URLs (through an e-mail or SNMP trap, if the option is selected). You can use this information to create policy on the Edge SWG appliance to ignore these URLs or URL categories in the future.

If the critical threshold is reached, Content Analysis terminates the oldest, slowest connections to keep the count of slow connections below the threshold.
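To make the two thresholds concrete, the following is an added example (not Content Analysis code, and not from the article) that models one ICTM monitoring pass over constructed ICAP connections: connections open longer than a configured duration count as slow, the slow URLs are reported once the warning threshold is reached, and at the critical threshold the oldest, slowest connections are dropped until the slow count is below it. The "oldest first, then lowest transfer rate" ordering and the duration-based definition of slow are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class IcapConnection:
    """Constructed view of one ICAP connection between the proxy and Content Analysis."""
    url: str
    started_at: float     # seconds on a constructed clock
    bytes_per_sec: float  # observed transfer rate


def is_slow(conn, now, slow_after_secs):
    """Assumption: a connection is slow once it has been open longer than slow_after_secs."""
    return now - conn.started_at > slow_after_secs


def ictm_pass(connections, now, slow_after_secs, warning, critical):
    """One ICTM monitoring pass.
    Returns (notified_urls, dropped_urls, remaining_connections)."""
    slow = [c for c in connections if is_slow(c, now, slow_after_secs)]
    notified, dropped = [], []
    if len(slow) >= warning:
        # Warning threshold: report the slow URLs so policy can bypass them later.
        notified = [c.url for c in slow]
    if len(slow) >= critical:
        # Critical threshold: terminate oldest, slowest first until below the threshold.
        candidates = sorted(slow, key=lambda c: (c.started_at, c.bytes_per_sec))
        while len(slow) >= critical:
            victim = candidates.pop(0)
            slow.remove(victim)
            dropped.append(victim.url)
    remaining = [c for c in connections if c.url not in dropped]
    return notified, dropped, remaining


# Constructed sample: three long-lived streams (ticker, two radio streams) and one normal download.
SAMPLE_CONNECTIONS = [
    IcapConnection("http://ticker.example.invalid/quotes", started_at=100.0, bytes_per_sec=0.4),
    IcapConnection("http://radio.example.invalid/live", started_at=200.0, bytes_per_sec=16.0),
    IcapConnection("http://radio.example.invalid/talk", started_at=300.0, bytes_per_sec=12.0),
    IcapConnection("http://files.example.invalid/report.pdf", started_at=990.0, bytes_per_sec=5000.0),
]


def run_sample():
    """At t=1000 three streams have been open for more than 60 s: warning=2 reports them,
    critical=3 drops the oldest one so two slow connections remain."""
    return ictm_pass(SAMPLE_CONNECTIONS, now=1000.0, slow_after_secs=60, warning=2, critical=3)


if __name__ == "__main__":
    notified, dropped, remaining = run_sample()
    print("notified:", notified)
    print("dropped:", dropped)
    print("remaining:", [c.url for c in remaining])
```

The notified list is what an administrator would use to extend URL_No_ICAP_Level_Medium or the streaming conditions, so that those destinations never reach the critical threshold again.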

Reference document: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-1/Solution_AV_scan/settings_ictm.html

Additional documents:

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-1/cli-index/c_config_commands/ictm_drop.html 

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-1/reporting/statistics_connections/Stats_hist-connections/Stats_Hist_Connections_Results.html 

Note: ICTM settings are flexible and may be configured however best optimizes the ICAP connections for the deployment. There are no fixed settings; it is designed to be flexible.

For the Content Analysis Best Practice Improvement guide, refer to the resource document at the URL below.

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/proxysg/common/ICAP_BP.pdf