File reputation databases include the file reputation signature database and the file reputation hotspot database. Update the file reputation databases promptly to keep threat detection capability and efficiency up to date.
If malicious URL detection and file reputation detection are configured, the device matches traffic against the cached malicious URL and malicious file entries. If the traffic matches a malicious URL, the device blocks the traffic. If the traffic matches a malicious file, the device performs the specified action. In either case, the traffic does not need to be sent to the sandbox for inspection. If the traffic matches neither a malicious URL nor a malicious file, it is sent to the sandbox for inspection.
After local sandbox inspection is configured, the restored file is sent to the local sandbox connected to the FW for inspection. The FW periodically obtains file inspection results from the local sandbox and updates the cached malicious file and malicious URL lists accordingly. If subsequent traffic matches the malicious file or malicious URL list, the block or alert action is performed to prevent APT attacks.
After cloud sandbox inspection is configured, the restored file is sent to the cloud sandbox connected to the FW for inspection. The FW periodically obtains file inspection results from the cloud sandbox and updates the cached malicious file and malicious URL lists accordingly. If subsequent traffic matches the malicious file or malicious URL list, the block or alert action is performed to prevent APT attacks.
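The following Python model is an added example, not the device's own code. It walks through the flow described above: cache lookup first, sandbox submission on a miss, then a periodic pull of verdicts that fills both caches. The class and method names, the use of SHA-256 as the file key, and the rule that a malicious file's download URL is added to the URL list are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Firewall:
    # Hypothetical model of the FW caches; names are illustrative only.
    file_action: str = "block"                    # configured action: "block" or "alert"
    bad_urls: set = field(default_factory=set)    # cached malicious URL entries
    bad_files: set = field(default_factory=set)   # cached malicious file entries (SHA-256, assumed)
    pending: list = field(default_factory=list)   # (url, digest) pairs awaiting a sandbox verdict

    def handle(self, url: str, payload: bytes) -> str:
        digest = hashlib.sha256(payload).hexdigest()
        if url in self.bad_urls:
            return "block"                        # malicious URL match: traffic is blocked
        if digest in self.bad_files:
            return self.file_action               # malicious file match: specified action
        self.pending.append((url, digest))        # no cache hit: restored file goes to the sandbox
        return "sent-to-sandbox"

    def poll_sandbox(self, verdicts: dict) -> int:
        """Periodic pull of results; verdicts maps digest -> True if malicious."""
        added, waiting = 0, []
        for url, digest in self.pending:
            if digest not in verdicts:
                waiting.append((url, digest))     # sandbox has not finished this file yet
            elif verdicts[digest]:
                self.bad_files.add(digest)
                self.bad_urls.add(url)            # assumption: source URL joins the URL list
                added += 1
        self.pending = waiting
        return added

def demo():
    fw = Firewall(file_action="alert")
    sample = b"constructed sample payload"        # constructed input, not real malware
    url = "http://files.example.test/a.bin"       # constructed URL
    first = fw.handle(url, sample)                # nothing cached yet
    fw.poll_sandbox({hashlib.sha256(sample).hexdigest(): True})
    same_file = fw.handle("http://mirror.example.test/b.bin", sample)
    same_url = fw.handle(url, b"different content")
    return first, same_file, same_url

if __name__ == "__main__":
    print(demo())
```

In this model the first transfer only reaches the sandbox. The block or alert action applies to traffic seen after the next poll, so the poll interval bounds how long a newly seen file goes unmatched.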