A report that is generated by Advanced Threat Defense after scanning a web object can be used by Secure Web Gateway to evaluate this object and handle access to it.
When using an existing report, Secure Web Gateway will not trigger a new scanning run on Advanced Threat Defense. If more than one report exists, the latest report is used for evaluation. Hash values are calculated internally on Secure Web Gateway to determine whether a web object is the same as another object, so the same report can be used.
To use an existing scanning report on Secure Web Gateway, you need to implement a rule with the Antimalware.ATD.GetReport property. If the value of this Boolean property is true, the web object was found to have been scanned by Advanced Threat Defense already, and the report for that scan has been retrieved.
This report can be made available to other rules, for example, to a rule with the Antimalware.Infected property, which evaluates the report to find out whether an object is infected.
Options for using an existing scanning report
There are several options for using an existing scanning report to handle access to web objects.
- Allow a file when a scanning report shows that it is not infected — There are files that are uploaded manually to Advanced Threat Defense where they are scanned and a report is generated. Secure Web Gateway then allows users to download such a file if a report exists for it and this report shows that the file is not infected.
If a scanning report does not exist for a web object, the Antimalware.ATD.GetReport property can still be used in suitable rules. In these rules, the value of this property is false, as no scanning report was retrieved.
- Allow a file if no scanning report is available and scan this file offline — If no scanning report exists for a file that was requested for downloading, a rule can allow a user to download the file and let an offline scan be performed. After the scanning, a report is generated and forwarded to the administrator of the user's network.
- Block a file if no scanning report is available and scan this file offline — If no scanning report exists for a file that was requested for downloading, a rule can block access to the file and let an offline scan be performed. After the scanning, a report is generated and forwarded to the administrator of the user's network.
Sample rules for using an existing scanning report
There is no preconfigured rule set for using an existing Advanced Threat Defense scanning report in the default rule set system or the rule set library. You can, however, create suitable rules and a rule set for them on your own.
The following sample rules implement the solution that lets files be uploaded manually to Advanced Threat Defense. Downloading a file is allowed if the report that was generated by Advanced Threat Defense shows that the file is not infected.
The name of the rule set might be Use Existing Advanced Threat Defense Scanning Report. It must have the same criteria regarding media types as the Advanced Threat Defense library rule set and apply for all processing cycles.
The rule set should contain the following rules:
- A rule that uses the Antimalware.ATD.GetReport property to retrieve an existing scanning report
- A rule that evaluates files using this report and blocks access if the report shows that they are infected
The rule that retrieves the report might look as follows:
|Allow files that have been scanned before|
|Antimalware.ATD.GetReport equals false –> Block <BlockedByMATD> – Statistics.Counter.Increment|
The rule blocks access to a file if no report exists for it. In this case, the next rule is not processed. The next rule evaluates the report. It might look as follows:
|Block infected files|
|Antimalware.Infected <Gateway ATD> –> Block <BlockedByMATD> – Statistics.Counter.Increment|
In both rules, a counter records how often files were blocked when Advanced Threat Defense functions were used.
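The following Python model, added here as an illustration and not part of Secure Web Gateway or Advanced Threat Defense, shows the decision logic of the two sample rules: the web object is identified by a hash, the latest of several matching reports is used, the first rule blocks and stops processing when no report exists, and the second rule blocks when the report marks the object as infected. The Report and ReportStore classes, the timestamp field and the counter dictionary are assumptions of this model, not product APIs.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Report:
    """Constructed stand-in for an ATD scanning report (assumed fields)."""
    object_sha256: str   # hash identifying the scanned web object
    timestamp: int       # higher value = newer report
    infected: bool

@dataclass
class ReportStore:
    """Assumed store of existing reports; the gateway matches objects by hash."""
    reports: list = field(default_factory=list)

    def get_report(self, data: bytes) -> Optional[Report]:
        digest = object_hash(data)
        matches = [r for r in self.reports if r.object_sha256 == digest]
        # If more than one report exists, the latest one is used.
        return max(matches, key=lambda r: r.timestamp) if matches else None

def object_hash(data: bytes) -> str:
    """Hash used to decide whether two web objects are the same."""
    return hashlib.sha256(data).hexdigest()

def evaluate(data: bytes, store: ReportStore, counters: dict) -> str:
    """Run the two sample rules in order and return the resulting action."""
    report = store.get_report(data)
    # Rule 1: Antimalware.ATD.GetReport equals false -> Block <BlockedByMATD>
    # Blocking stops processing, so rule 2 is never reached here.
    if report is None:
        counters["BlockedByMATD"] = counters.get("BlockedByMATD", 0) + 1
        return "Block <BlockedByMATD>"
    # Rule 2: Antimalware.Infected <Gateway ATD> -> Block <BlockedByMATD>
    if report.infected:
        counters["BlockedByMATD"] = counters.get("BlockedByMATD", 0) + 1
        return "Block <BlockedByMATD>"
    # No rule matched: the download is allowed.
    return "Allow"
```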