
Configuring Malicious URL Detection and File Reputation Detection

If malicious URL detection and file reputation detection are configured, the device matches traffic against cached malicious URL and malicious file entries. If the traffic matches a malicious URL, the device blocks the traffic. If the traffic matches a malicious file, the device performs the specified action. In either case, the traffic does not need to be sent to the sandbox for inspection. Only traffic that matches neither a malicious URL nor a malicious file is sent to the sandbox for inspection.

Context

The FW has a default APT defense profile named default. You cannot modify or delete the default profile. The following functions are enabled in the default profile:
  • Malicious URL detection.

  • File reputation detection. The protocol type, direction, and default action are listed in the following table.
    Table 1 Protocol type, direction, and default action of inspected files

    Protocol   File Detection in the   File Detection in the     Default Action
               Upload Direction        Download Direction
    --------   ---------------------   -----------------------   --------------
    HTTP       Enable                  Enable                    Block
    HTTPS      Enable                  Enable                    Block
    FTP        Enable                  Enable                    Block
    SMTP       Enable                  -                         Alert
    POP3       -                       Enable                    Alert
    IMAP       Enable                  Enable                    Alert
    NFS        Enable                  Enable                    Alert
    SMB        Enable                  Enable                    Block

  • Sandbox detection. The following table lists sandbox detection parameters.

    Table 2 Sandbox detection parameters

    Protocol   Sandbox Inspection in the   Sandbox Inspection in the
               Upload Direction            Download Direction
    --------   -------------------------   -------------------------
    HTTP       Enable                      Enable
    HTTPS      Enable                      Enable
    FTP        Enable                      Enable
    SMTP       Enable                      -
    POP3       -                           Enable
    IMAP       Enable                      Enable
    NFS        Enable                      Enable
    SMB        Enable                      Enable

    File Type: BAT, CLASS, PE32, MSI, HLP, JAR, DOC, RTF, XLS, PPT, PDF, SWF, VBS, DOCX, PPTX, XLSX, WPS, DPS, ET, RAR, ZIP, GZ, 7Z, CAB, BZIP2, TAR, EML, ELF, MSP, VSD, APK, MST.

    Sandbox Type: Cloud sandbox.

You can run the display profile type aapt name default command on the CLI to view the configuration information about the default profile.

The FW supports user-defined APT defense profiles. You can configure the preceding functions and parameters as required.

Procedure

  1. Add the APT defense profile.

    1. Access the APT defense profile view from the system view.

      profile type aapt name name

    2. Configure the description of the APT defense profile in the APT defense profile view.

      description description

      A description helps identify the function of a specific profile.

  2. Configure malicious URL detection.

    1. Enable malicious URL detection.

      malicious-url enable

      When this function is enabled, the device matches traffic against cached malicious URLs. If the traffic matches a malicious URL, the device blocks the URL, and the traffic does not need to be sent to the sandbox for inspection. If the traffic does not match a malicious URL, the traffic is sent to the sandbox for inspection. The malicious URLs cached in the device are generated based on the inspection results of the sandbox.

    2. Optional: Configure a timeout period for malicious URL entries.

      Run the url-filter malicious cache aging-period aging-period-time command in system view to configure the timeout period for malicious URLs.

      When the timeout period of a malicious URL entry expires, the malicious URL entry is automatically deleted. The default timeout period of malicious URL entries is 10080 minutes.

  3. Configure file reputation detection.

    1. Enable file reputation detection.

      file-reputation enable

      By default, file reputation detection is disabled.

      When this function is enabled, the device matches traffic against cached malicious files. If the traffic matches a malicious file, the device performs the specified action, and the traffic does not need to be sent to the sandbox for inspection. If the traffic does not match a malicious file, the traffic is sent to the sandbox for inspection. The sources of file reputation include:
      • Malicious files detected by the sandbox.
      • Malicious files in the file reputation databases, including the file reputation signature database and the file reputation hotspot database. For details about how to update the file reputation databases, see Updating File Reputation Databases.
      • Imported MD5 lists (the MD5 list can be imported and exported).
      • Malicious files in the local reputation database on the HiSec Insight. For details about how to update the local reputation database, see Updating Local Reputation Using the CLI.
      • Malicious files obtained from a remote reputation server.

      To preserve the performance of file reputation detection, it is performed only on PE, OFFICE, and PDF files by default. You can run the file-reputation all-file-type enable command to enable file reputation detection for all file types, but detection performance deteriorates when this function is enabled. By default, file reputation detection for all file types is disabled.

      You can also run the file-reputation threat-level { high-risk | middle-risk | low-risk } command in the system view to configure the file threat level at which file reputation detection is triggered to block files or generate an alarm. By default, file reputation detection blocks files whose sandbox detection result is high-risk or above in the cache or generates an alarm for such files. To improve the detection rate of file reputation detection, set the threat level to middle-risk or low-risk. This command is a global configuration and takes effect on all APT defense profiles.

    2. Optional: Configure the protocol and direction for file inspection and the action for detected malicious files. The protocol and direction are used for file matching, and the action determines how to handle malicious files.

      Protocol   Traffic Direction and Action Configuration Command
      --------   --------------------------------------------------
      HTTP       http-detect direction { both | download | upload } [ action { alert | block } ]
                 By default, file reputation detection is enabled for HTTP in both the upload and download directions, and the action is block.

      HTTPS      https-detect direction { both | download | upload } [ action { alert | block } ]
                 By default, file reputation detection is enabled for HTTPS in both the upload and download directions, and the action is block.

      FTP        ftp-detect direction { both | download | upload } [ action { alert | block } ]
                 By default, file reputation detection is enabled for FTP in both the upload and download directions, and the action is block.

      SMTP       smtp-detect [ action { alert | declare | delete-attachment } ]
                 By default, file reputation detection is enabled for SMTP, and the action is alert. SMTP applies only to the upload direction.

      POP3       pop3-detect [ action { alert | declare | delete-attachment } ]
                 By default, file reputation detection is enabled for POP3, and the action is alert. POP3 applies only to the download direction.

      IMAP       imap-detect direction { both | download | upload } [ action { alert | declare | delete-attachment } ]
                 By default, file reputation detection is enabled for IMAP in both the upload and download directions, and the action is alert.

      NFS        nfs-detect direction { both | download | upload }
                 By default, file reputation detection is enabled for NFS in both the upload and download directions. Only the alert action applies to NFS.

      SMB        smb-detect direction { both | download | upload } [ action { alert | block } ]
                 By default, file reputation detection is enabled for SMB in both the upload and download directions, and the action is block.

      In addition, you can perform the following configurations in the system view:
      • Set the aging time for the dynamically cached file reputation entries.

        file-reputation set aging-time aging-time

        After the aging time expires, the cached malicious file entries are automatically deleted. The default aging time for file reputation entries is 24 hours.

      • Configure file reputation exceptions.

        file-reputation exception hash hash

        By default, no file reputation exception is configured.

        If you consider a detected malicious file to be a false positive, or you want to permit a particular file, you can run the file-reputation exception hash command to configure the hash value of the file (currently its MD5 value) as a file reputation exception. File reputation exceptions take precedence over file reputation detection: if the FW detects a malicious file that matches a file reputation exception, the file is still permitted. Because the exception is keyed on the file hash, it exempts only files with exactly that content, not other files of the same name or type.

  4. Reference the APT defense profile in security policies.

    profile aapt name
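The whole procedure above, carried through as one added configuration example (this is not from the original page or from Huawei's documentation): it creates a user-defined APT defense profile, enables malicious URL detection and file reputation detection, sets the per-protocol actions, adjusts the global cache and threat-level settings, adds one hash exception, and references the profile in a security policy rule. Lines beginning with # are annotations, not commands. The profile name apt_mail, the description text, the rule name internet_out, the MD5 value, and the prompt strings are placeholders; the security-policy, rule name, and action permit commands used to reach the rule view are standard Huawei USG commands that this page does not describe, and the hour unit of file-reputation set aging-time is assumed from the page stating its default as 24 hours.

```text
# Step 1: enter the system view and create a user-defined APT defense profile (name is a placeholder).
<FW> system-view
[FW] profile type aapt name apt_mail
[FW-profile-aapt-apt_mail] description cached-threat-block-sandbox-the-rest

# Step 2: malicious URL detection; the URL cache is built from sandbox inspection results.
[FW-profile-aapt-apt_mail] malicious-url enable

# Step 3.1: file reputation detection (disabled by default in a user-defined profile).
[FW-profile-aapt-apt_mail] file-reputation enable

# Step 3.2: per-protocol direction and action. Web/file-transfer protocols keep the block action;
# the mail protocols are switched from the default alert to delete-attachment (placeholder policy choice).
[FW-profile-aapt-apt_mail] http-detect direction both action block
[FW-profile-aapt-apt_mail] https-detect direction both action block
[FW-profile-aapt-apt_mail] ftp-detect direction both action block
[FW-profile-aapt-apt_mail] smb-detect direction both action block
[FW-profile-aapt-apt_mail] smtp-detect action delete-attachment
[FW-profile-aapt-apt_mail] pop3-detect action delete-attachment
[FW-profile-aapt-apt_mail] imap-detect direction both action delete-attachment
[FW-profile-aapt-apt_mail] quit

# Global settings in the system view; these apply to every APT defense profile on the device.
# Malicious URL entries age out after 10080 minutes (7 days); this is the default, shown explicitly.
[FW] url-filter malicious cache aging-period 10080
# Cached malicious file entries age out after 24 hours (the default; hour unit assumed).
[FW] file-reputation set aging-time 24
# Block or alert on cached files rated middle-risk or above instead of the default high-risk.
[FW] file-reputation threat-level middle-risk
# file-reputation all-file-type enable is deliberately NOT run here: detection would cover every file
# type but the page states that detection performance deteriorates.
# Exempt one known false positive by its MD5 (placeholder hash, 32 hex digits, not a real file).
[FW] file-reputation exception hash 0123456789abcdef0123456789abcdef

# Step 4: reference the profile in a security policy rule (rule-view commands are standard USG syntax
# assumed here, not taken from this page).
[FW] security-policy
[FW-policy-security] rule name internet_out
[FW-policy-security-rule-internet_out] profile aapt apt_mail
[FW-policy-security-rule-internet_out] action permit
[FW-policy-security-rule-internet_out] quit
[FW-policy-security] quit

# Compare the result with the built-in default profile.
[FW] display profile type aapt name default
```

Two points worth checking after applying such a configuration: the threat-level, aging, and exception commands are global, so changing them for one profile changes the behaviour of every profile that references file reputation detection; and a hash exception permits only a file whose MD5 is exactly the configured value, so it must be re-evaluated whenever the exempted file is rebuilt.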

Copyright © Huawei Technologies Co., Ltd.