In what order does Content Analysis scan objects?
search cancel

In what order does Content Analysis scan objects?


Article ID: 168841


Updated On:


Content Analysis Software


Content Analysis comes with a number of technologies to scan data for malware. As of version 2.1.1,  this includes:

  • Multiple anti-virus engines
  • Symantec Advanced Machine Learning (AI-based predictive file analysis)
  • Whitelisting (AKA File reputation Service or hash reputation) 
  • Manual white/black lists 
  • Sandboxing (external and on-box)


When a file is received, the work flow for CA 2.1 is as follows (the actual scanning modules involved will depend on the modules that have been enabled)

  1. Content Analysis compares the file details against the manual black and white lists.
    • If the file is blacklisted, it is blocked and the user is notified.
    • If the file is whitelisted, it is allowed without further scanning file reputation
  2. A hash of the file is compared against the cloud-based File Reputation Service, (formerly whitelisting) which returns a reputation score.
    • If the file has a reputation score of 7-10 (malicious), Content Analysis blocks/drops the file.
    • If the file has a reputation score of 2-6 (unknown), it will be scanned by Antivirus and Sandboxing services, if configured.
    • If the file has a reputation score of 1 (trusted), it will be passed to the user without further scanning.
  3. The AML scours files for unique identifying features and converts those features into a numerical value. That value is then run through a proprietary algorithm to produce a score. This score is a predictive indicator of whether the file is malicious or not.
    • If the file's score is above the block threshold, Content Analysis blocks the file.
    • ​​If the file's score is below the block threshold, Content Analysis sends the file to configured AV engines for further scanning..
  4. The file is scanned by the configured anti-virus scanners for known virus signatures.
  • If the file contains malware, the file is blocked and the user receives a deny page with a description of the virus or malware.
  • If no malware is found, it is forwarded to the configured Sandbox appliance(s) for further analysis.
  1. The results of the sandbox analysis are reported to the administrator and shared with Symantec WebPulse.
  • If the file is malicious, the administrator is notified via email (assuming this is enabled)
  1. If the sandbox analysis found the file to be malicious, Content Analysis queries the configured CounterTack Sentinel server (if configured) to determine if any workstations in the network have been infected. That information is then included in the report emailed to the administrator. If Symantec Endpoint Protection Manager (SEPM) is configured, Content Analysis notifies the administrator, providing the option to add the file hash to a blacklist on the SEPM.