Integrating TIE Server Information with Anti-malware Filtering
You can integrate TIE server information with anti-malware filtering on Web Gateway, using this information in filtering rules and notifying the TIE server of critical scanning results found on Web Gateway.
A rule set is available in the library to implement this integrated filtering, providing several rules in addition to the rules in the Gateway Anti-Malware default rule set.
The additional rules integrate anti-malware filtering as performed by the filtering functions that are available on Web Gateway with information retrieved from a TIE server. The TIE server is in turn notified of critical filtering results found on Web Gateway.
NOTE: The integrated filtering is only applied to files with media type Executables.
DXL messages are used to exchange information between Web Gateway and the TIE server. As parts of the DXL architecture are managed by an EPO server, Web Gateway must also be configured to connect to this administration device.
Property and event for exchanging information with a TIE server
The following property and event can be used in rules that handle information exchange with a TIE server.
- TIE.Filereputation — The value of this property is set to the reputation score that is queried and retrieved from a TIE server for a particular file.
Processing of the property is performed by the TIE Filter module, which runs with particular settings.
- TIE: Report file reputation — This event sends a file reputation score to a TIE server. The score is based on the malware probability that the Gateway Anti-Malware (GAM) engine on Web Gateway finds after scanning a file.
Scores are sent according to the scale of values used on a TIE server, corresponding to ranges of probability grades. For example, for a malware probability between 60 and 80, 30 is sent as a score to the TIE server.
Sample rule for using file reputation retrieved from a TIE server
The following sample rule uses the TIE.Filereputation property to find out whether the reputation of a file that is processed on Web Gateway remains below a particular value. Information about the file reputation is retrieved from a TIE server.
If the file reputation actually remains below the configured value, an action is executed to block access to the file.
The blocking action runs with particular settings, which you can configure to provide a message to inform the user who requested the file about the blocking reason.
Name: Block after retrieving information about bad reputation from a TIE server
Criteria: TIE.Filereputation less than or equals 30
Action: Block<TIE Reputation>
Sample rule for reporting file reputation to a TIE server
The following sample rule uses the TIE: Report file reputation event to send a file reputation score to a TIE server.
The score is based on the malware probability for a file that is processed on Web Gateway. The Antimalware.Infected and Antimalware.Proactive.Probability properties are used to find out about this probability.
If the probability exceeds the configured value, an action is executed to block access to the file. The TIE: Report file reputation event then sends a reputation score to a TIE server. This score is based on the probability range that was found.
Name: Send information about file reputation to a TIE server
Criteria: Antimalware.Infected<Gateway Anti-Malware with TIE> equals true AND Antimalware.Proactive.Probability<Gateway Anti-Malware> greater than or equals 90
Action: Block<Virus Found>
Event: TIE: Report File Reputation (1)