
Configuring Malicious URL Detection and File Reputation Detection

If malicious URL detection and file reputation detection are configured, the device matches traffic against its cached malicious URL and malicious file entries. If the traffic matches a malicious URL, the device blocks the traffic. If the traffic matches a malicious file, the device performs the specified action. In either case, the traffic does not need to be sent to the sandbox for inspection. If the traffic matches neither a malicious URL nor a malicious file, it is sent to the sandbox for inspection.

Context

The FW has a default APT defense profile named default. You cannot modify or delete the default profile. The following functions are enabled in the default profile:
  • Malicious URL detection.

  • File reputation detection. The protocol type, direction, and default action are listed in the following table.
    Table 1 Protocol type, direction, and default action of inspected files

    Protocol  File Detection in the Upload Direction  File Detection in the Download Direction  Default Action
    HTTP      Enable                                  Enable                                    Block
    HTTPS     Enable                                  Enable                                    Block
    FTP       Enable                                  Enable                                    Block
    SMTP      Enable                                  -                                         Alert
    POP3      -                                       Enable                                    Alert
    IMAP      Enable                                  Enable                                    Alert
    NFS       Enable                                  Enable                                    Alert
    SMB       Enable                                  Enable                                    Block

  • Sandbox detection. The following table lists sandbox detection parameters.

    Table 2 Sandbox detection parameters

    Protocol  Sandbox Inspection in the Upload Direction  Sandbox Inspection in the Download Direction
    HTTP      Enable                                      Enable
    HTTPS     Enable                                      Enable
    FTP       Enable                                      Enable
    SMTP      Enable                                      -
    POP3      -                                           Enable
    IMAP      Enable                                      Enable
    NFS       Enable                                      Enable
    SMB       Enable                                      Enable

    File Type: BAT, CLASS, PE32, MSI, HLP, JAR, DOC, RTF, XLS, PPT, PDF, SWF, VBS, DOCX, PPTX, XLSX, WPS, DPS, ET, RAR, ZIP, GZ, 7Z, CAB, BZIP2, TAR, EML, ELF, MSP, VSD, APK, MST.

    Sandbox Type: Cloud sandbox.

The FW supports user-defined APT defense profiles. You can configure the preceding functions and parameters as required.

Procedure

  1. Add the APT defense profile.

    1. Choose Object > Security Profiles > APT Defense.
    2. Click Add on the APT Defense Profile List page.
    3. Configure the name and description of the APT defense profile.

      Parameter    Description
      Name         Name of the APT defense profile.
      Description  Description of the APT defense profile. A description helps identify the function of a specific profile.

  2. Configure malicious URL detection.

    1. Enable malicious URL detection.

      Select Enable to enable malicious URL detection. Malicious URL detection is disabled by default.

      When this function is enabled, the device matches traffic against cached malicious URLs. If the traffic matches a malicious URL, the device blocks the URL, and the traffic does not need to be sent to the sandbox for inspection. If the traffic does not match a malicious URL, the traffic is sent to the sandbox for inspection. The malicious URLs cached in the device are generated based on the inspection results of the sandbox.

    2. Optional: Configure a timeout period for malicious URL entries.
      1. Choose Object > Security Profiles > URL Filtering.
      2. Click Configure. The timeout period configuration dialog box is displayed.
      3. Click OK.

      When the timeout period of a malicious URL entry expires, the malicious URL entry is automatically deleted. The default timeout period of malicious URL entries is 10080 minutes.

  3. Configure file reputation detection.

    1. Enable file reputation detection.

      Select Enable to enable file reputation detection. By default, file reputation detection is disabled.

      When this function is enabled, the device matches traffic against cached malicious files. If the traffic matches a malicious file, the device performs the specified action, and the traffic does not need to be sent to the sandbox for inspection. If the traffic does not match a malicious file, the traffic is sent to the sandbox for inspection. The malicious files cached in the device may come from the following sources:
      • Malicious files detected by the sandbox.
      • Malicious files in the file reputation databases, including the file reputation signature database and the file reputation hotspot database. For details about how to update the file reputation databases, see Updating File Reputation Databases.
      • MD5 lists imported manually. For details, see Import or export the MD5 list.
      • Malicious files in the local reputation database on HiSec Insight. For details about how to update the local reputation database, see Updating Local Reputation Using the Web UI.
      • Malicious files obtained from a remote reputation server.

      To ensure the performance of file reputation detection, the function inspects only PE, OFFICE, and PDF files after it is enabled. To inspect files of all types, you must additionally enable global file reputation detection: choose Object > Security Profiles > APT Defense > Advanced Settings and select Enable to inspect all types of files. Note that file reputation detection performance deteriorates when this option is enabled. By default, global file reputation detection is disabled.

    2. Optional: Configure the protocol and direction for file inspection and the action for detected malicious files. The protocol and direction are used for file matching, and the action determines how to handle malicious files.

      Parameter  Description
      Protocol   Supported protocols are as follows:
                 • File transfer protocols: HTTP, HTTPS, and FTP
                 • Mail protocols: SMTP, POP3, and IMAP
                 • File sharing protocols: NFS and SMB
      Upload     Upload traffic is inspected.
      Download   Download traffic is inspected.
      Action     Action to be performed for a detected malicious file, which can be one of the following:
                 • Alert: The device permits the malicious file and generates a log.
                 • Block: The device denies the malicious file and generates a log.
                 • Declare: The device permits the infected email message, generates a log, and adds information to the email body to announce the detection of threats. This action applies only to SMTP, POP3, and IMAP.
                 • Delete Attachment: The device deletes malicious attachments in the infected email message, permits the message, generates a log, and adds information to the email body to announce the detection of threats and deletion of attachments. This action applies only to SMTP, POP3, and IMAP.
    3. Optional: Set the aging time for the dynamically cached file reputation entries.
      1. Choose Object > Security Profiles > APT Defense.
      2. In the File Reputation Settings under Advanced Settings, set the aging time for the dynamically cached file reputation entries.

        After the aging time expires, malicious file entries are automatically deleted. The default aging time for the dynamically cached file reputation entries is 24 hours.

      3. Click Apply.

    4. Optional: Configure file reputation exceptions.

      Choose Object > Security Profiles > APT Defense and configure file reputation exceptions in Advanced Settings. Enter a file hash value (currently an MD5 value) in the text box on the File Reputation Exception page and click Add to set the file reputation exception. Another method is to choose Monitor > Log > Sandbox Detection Log and click the File MD5 value to configure it as a file reputation exception.

      By default, no file reputation exception is configured.

      If you consider a detected malicious file to be a false positive, or you want to permit a file, you can configure the hash value (currently the MD5 value) of the file as a file reputation exception. File reputation exceptions take precedence over file reputation detection: if the FW detects a malicious file and the file matches a file reputation exception, the file is still permitted.

  4. Click OK.
  5. Reference the APT defense profile in security policies.

    1. Choose Policy > Security Policy > Security Policy.
    2. Select an APT defense profile for the target policy. For details on how to configure security policies, see Configuring a Security Policy Using the Web UI.
    3. Click OK.
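The decision order that steps 2 and 3 describe (file reputation exceptions first, then the dynamically cached malicious file entries with their aging time, then the sandbox) is easy to get wrong when writing detection rules or reviewing logs around this feature. The following Python model is an added example; it is not code from this page or from the Huawei product. It encodes Table 1 as the default profile, and it assumes for simplicity that timestamps are plain epoch seconds, that a protocol/direction the profile does not inspect is passed through without a reputation lookup, and that the sample file body is a constructed input.

```python
import hashlib

# Table 1 of the page: which directions are inspected per protocol and the
# default action applied when a file matches a cached malicious entry.
DEFAULT_PROFILE = {
    "HTTP":  {"upload": True,  "download": True,  "action": "Block"},
    "HTTPS": {"upload": True,  "download": True,  "action": "Block"},
    "FTP":   {"upload": True,  "download": True,  "action": "Block"},
    "SMTP":  {"upload": True,  "download": False, "action": "Alert"},
    "POP3":  {"upload": False, "download": True,  "action": "Alert"},
    "IMAP":  {"upload": True,  "download": True,  "action": "Alert"},
    "NFS":   {"upload": True,  "download": True,  "action": "Alert"},
    "SMB":   {"upload": True,  "download": True,  "action": "Block"},
}

MAIL_PROTOCOLS = {"SMTP", "POP3", "IMAP"}
# Declare and Delete Attachment apply only to the mail protocols.
MAIL_ONLY_ACTIONS = {"Declare", "Delete Attachment"}

DEFAULT_AGING_SECONDS = 24 * 3600  # default aging time of dynamically cached entries


def md5_hex(data):
    """Upper-case hex MD5 of a file body, the key the device matches on."""
    return hashlib.md5(data).hexdigest().upper()


class FileReputationCache:
    """Dynamically cached malicious file entries with an aging time.

    Times are plain epoch seconds (an assumption made for this model) so the
    expiry rule is visible: an entry older than the aging time is deleted.
    """

    def __init__(self, aging_seconds=DEFAULT_AGING_SECONDS):
        self.aging_seconds = aging_seconds
        self._entries = {}  # md5 (upper-case hex) -> epoch seconds when cached

    def add(self, md5, when):
        self._entries[md5.upper()] = when

    def is_malicious(self, md5, now):
        cached_at = self._entries.get(md5.upper())
        if cached_at is None:
            return False
        if now - cached_at >= self.aging_seconds:
            del self._entries[md5.upper()]  # aged out: the entry is automatically deleted
            return False
        return True


def validate_profile(profile):
    """Reject mail-only actions configured on non-mail protocols."""
    for proto, settings in profile.items():
        if settings["action"] in MAIL_ONLY_ACTIONS and proto not in MAIL_PROTOCOLS:
            raise ValueError(f"{settings['action']} is not valid for {proto}")


def decide(file_bytes, protocol, direction, cache, exceptions, now, profile=DEFAULT_PROFILE):
    """Model the page's decision order for one file carried over `protocol`.

    Returns "Not inspected", "Permit (exception)", the profile action, or "Sandbox".
    """
    validate_profile(profile)
    settings = profile[protocol]
    if not settings[direction]:
        # This protocol/direction is not inspected by file reputation detection;
        # the page says nothing further, so it is modelled as a pass-through.
        return "Not inspected"
    md5 = md5_hex(file_bytes)
    # File reputation exceptions take precedence over file reputation detection.
    if md5 in {e.upper() for e in exceptions}:
        return "Permit (exception)"
    if cache.is_malicious(md5, now):
        return settings["action"]  # Alert / Block / Declare / Delete Attachment
    return "Sandbox"               # no cached match: traffic goes to the sandbox


if __name__ == "__main__":
    cache = FileReputationCache()
    sample = b"constructed sample file body"  # constructed input, not a real file
    cache.add(md5_hex(sample), when=0)
    for proto, direction in (("HTTP", "download"), ("SMTP", "upload"), ("SMTP", "download")):
        print(proto, direction, decide(sample, proto, direction, cache, set(), now=3600))
```

Two behaviours worth noting when reading this against real logs: an exception wins even when the cache still holds the hash as malicious, so an exception added for a false positive silences the Block/Alert action rather than the detection itself, and a cached entry silently disappears once the aging time (24 hours by default) has elapsed, after which the next matching file goes back to the sandbox instead of being acted on locally.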

Import or export the MD5 list.

MD5 data is used for file reputation detection. Importing MD5 data increases the matching rate of file reputation detection. The imported MD5 list is saved in the device cache. After file reputation detection is enabled, the device calculates the MD5 value of each file to be inspected and matches it against the MD5 list in the device cache. If a match is found, the device processes the file according to the action configured for file reputation detection.

  1. Choose Object > Security Profiles > APT Defense > APT Defense Profile List.

  2. Click Import MD5 List. In the window that is displayed, click Browse and select the TXT file to be imported.

    You can import the MD5 list by using the TXT template on the web UI or a locally created TXT file. When editing the TXT file, enter only one MD5 value per line. Each value consists of 32 characters, each of which must be 0-9 or A-F, and must end with the line break \r\n.

  3. Click Import.

  4. To modify MD5 data, click Export MD5 List to download the TXT file to the local device.

    The exported TXT file does not contain MD5 data sent by the sandbox; it contains only MD5 data manually imported through a TXT file. After editing the TXT file locally, click Import MD5 List. The newly imported MD5 data overwrites the original data.
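Because a re-import overwrites the whole list, a malformed line (lower-case hex, a bare LF ending, a stray space) is worth catching before the file is uploaded. The following Python checker and writer for the TXT format described above is an added example, not code from this page or from the product: the function names are chosen here, and the sample digests (the well-known MD5 values of the empty string and of "a") are constructed inputs.

```python
import re

HEX32 = re.compile(r"^[0-9A-F]{32}$")  # exactly 32 characters of 0-9/A-F


def parse_md5_list(data):
    """Check a TXT MD5 list against the format the page describes.

    Rules: one MD5 per line, 32 characters each of 0-9/A-F, every line
    terminated with \\r\\n. Returns (hashes, errors); errors is empty
    for a valid file. Duplicate lines are reported as errors as well.
    """
    hashes, errors = [], []
    if data and not data.endswith(b"\r\n"):
        errors.append("last line is not terminated with \\r\\n")
    chunks = data.split(b"\r\n")
    if chunks and chunks[-1] == b"":
        chunks.pop()  # a correctly terminated file yields an empty final chunk
    seen = set()
    for lineno, chunk in enumerate(chunks, 1):
        if b"\r" in chunk or b"\n" in chunk:
            errors.append(f"line {lineno}: bare CR or LF inside the line; use \\r\\n")
            continue
        text = chunk.decode("ascii", errors="replace")
        if not HEX32.match(text):
            errors.append(f"line {lineno}: {text!r} is not 32 characters of 0-9/A-F")
            continue
        if text in seen:
            errors.append(f"line {lineno}: duplicate MD5 {text}")
            continue
        seen.add(text)
        hashes.append(text)
    return hashes, errors


def write_md5_list(hashes):
    """Produce a TXT MD5 list in the required format from hex digests.

    Digests are upper-cased (the page allows only A-F) and each line is
    terminated with \\r\\n; a malformed digest raises ValueError before
    anything is written.
    """
    lines = []
    for h in hashes:
        h = h.strip().upper()
        if not HEX32.match(h):
            raise ValueError(f"{h!r} is not a 32-character hexadecimal MD5")
        lines.append(h.encode("ascii") + b"\r\n")
    return b"".join(lines)


if __name__ == "__main__":
    # Constructed sample: MD5 of the empty string and of "a".
    sample = write_md5_list(["d41d8cd98f00b204e9800998ecf8427e",
                             "0CC175B9C0F1B6A831C399E269772661"])
    print(parse_md5_list(sample))
    print(parse_md5_list(b"d41d8cd98f00b204e9800998ecf8427e\nABC\r\n"))
```

Run the checker over the exported TXT file after editing it and before clicking Import MD5 List; a non-empty error list means the upload would either fail or, worse, silently drop lines from the overwritten cache.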

Copyright © Huawei Technologies Co., Ltd.