File not blocked on the first or subsequent downloads - Malware Prevention - SSP

Article ID: 403693


Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

  • Issue: Clarification on Malware Prevention behavior when files are downloaded.

  • Key Points:

    • On the first attempt, files (e.g., an unknown or first-seen file) are allowed to download since no verdict is present yet; the file is put through pre-execution scanning and simultaneously forwarded for analysis.

    • On subsequent attempts, if the cache now contains a verdict, the behavior changes: the file is blocked if the verdict is malicious, or allowed if it is benign, until that cache entry's TTL expires.

    • The Rapid Analysis TTL is currently set to 48 hours (with variations for other verdict types), ensuring periodic re-evaluation to reflect the latest threat information.

Environment

Malware Prevention on SSP 5.0 and above

Cause

First Attempt (File Seen for the First Time)

  • Download Behavior: The file is allowed to be downloaded immediately (i.e., it is not blocked on first sight).

  • Analysis Process:

    • At this stage, no verdict is available from the cache.

    • A pre-execution (pre-delivery) scan is conducted, but obtaining a verdict takes time.

    • Simultaneously, the file is sent for analysis.

Subsequent Attempts

  • If the Cache Now Contains a Verdict:

    • Malicious Verdict: The file is blocked before delivery.

    • Benign Verdict: The file is allowed again without re-analysis until the TTL expires.

  • Caching Mechanism:

    • Verdicts are reused from the cache until the TTL expires or a re-analysis is triggered.

    • This ensures faster and consistent behavior for files that are seen repeatedly.

TTL (Time-to-Live) Details

The current design sets the Rapid Analysis TTL to 48 hours. (Note that this TTL does not apply to all verdict types.) Below is a summary of TTL values for different verdict types:

Why the Short TTL for Rapid Analysis

  • Short TTL ensures that files are re-evaluated regularly, protecting against the latest threats, even if this results in a minor delay on re-downloads of the exact same (hash-identical) malicious file once its cached verdict expires.

  • The design prioritizes speed over depth, with periodic re-evaluation ensuring decisions benefit from updated models and signatures.
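The following Python is an added illustration, not vDefend's own code: it models the verdict-cache flow described above (allow on first sight while forwarding for analysis, reuse the cached verdict until the 48-hour TTL lapses, then re-evaluate). The stub analyzer, the SHA-256 cache key, the constructed sample bytes, and treating an expired verdict exactly like a first-seen file are assumptions of the model.

```python
import hashlib
import time
from typing import Callable, Dict, List, Tuple

# 48-hour Rapid Analysis TTL from the article; other verdict types use
# different TTLs, which this model does not distinguish.
RAPID_ANALYSIS_TTL_SECONDS = 48 * 3600

class VerdictCache:
    """Toy model of allow-on-first-sight, then block/allow on a cached verdict."""

    def __init__(self, analyze: Callable[[bytes], str],
                 ttl: float = RAPID_ANALYSIS_TTL_SECONDS, clock=time.time):
        self._analyze = analyze  # stand-in for the analysis backend (assumption)
        self._ttl, self._clock = ttl, clock
        self._cache: Dict[str, Tuple[str, float]] = {}  # sha256 -> (verdict, stored_at)
        self._pending: List[bytes] = []  # forwarded for analysis, verdict not back yet

    def on_download(self, content: bytes) -> str:
        """Return 'allow' or 'block' for one download attempt of `content`."""
        entry = self._cache.get(hashlib.sha256(content).hexdigest())
        if entry is not None and self._clock() - entry[1] < self._ttl:
            # Fresh cached verdict: reuse it without re-analysis.
            return "block" if entry[0] == "malicious" else "allow"
        # No verdict yet (first sight) or TTL expired: the download goes through
        # and the file is forwarded; its verdict reaches the cache later.
        self._pending.append(content)
        return "allow"

    def complete_analysis(self) -> int:
        """Finish backend analysis of pending files; return how many were judged."""
        for content in self._pending:
            digest = hashlib.sha256(content).hexdigest()
            self._cache[digest] = (self._analyze(content), self._clock())
        judged, self._pending = len(self._pending), []
        return judged

def demo() -> List[str]:
    """Replay the article's scenario with a fake clock and a constructed stub analyzer."""
    now = [0.0]
    stub = lambda data: "malicious" if b"bad" in data else "benign"  # constructed
    cache = VerdictCache(stub, clock=lambda: now[0])
    sample = b"constructed bad sample"            # constructed bytes, not real malware
    actions = [cache.on_download(sample)]         # first sight: allowed and forwarded
    cache.complete_analysis()                     # malicious verdict now cached
    actions.append(cache.on_download(sample))     # cached malicious verdict: blocked
    now[0] += RAPID_ANALYSIS_TTL_SECONDS + 1      # verdict expires
    actions.append(cache.on_download(sample))     # back on the first-sight path
    actions.append(f"reanalysed={cache.complete_analysis()}")
    return actions
```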

Resolution

This is an expected behavior.