Using URL Information for Anti-malware Filtering
URL information is important for achieving accurate results in anti-malware filtering. Particular settings of the filter modules are required to make this information available.
When the Gateway Anti-Malware engine scans files as part of anti-malware filtering on Web Gateway, it uses available information about the URL of a file to achieve a more reliable result. URL categories and reputation scores are an important part of this information.
URL filtering on Web Gateway is mainly handled by the URL Filter module (or engine), so the Anti-Malware module (or engine), which performs anti-malware filtering, requests URL information from the URL Filter module. Depending on its settings, the URL Filter module retrieves this information from several sources, among them the Global Threat Intelligence system.
To ensure that suitable information for the scanning process is passed on to the Gateway Anti-Malware engine, options that enable queries to the Global Threat Intelligence system must be configured for the Anti-Malware and URL Filter modules.
Ensure the use of URL information for anti-malware filtering
Ensure that information about URL categories and reputation scores from the Global Threat Intelligence system is made available to the scanning process in anti-malware filtering on Web Gateway.
- Select Policy | Settings.
- Expand all settings that are configured for the Anti-Malware module (engine) and ensure that in the Advanced Settings section, the Provide GTI web and file reputation queries to Skyhigh Security Gateway Anti-Malware option is selected.
- Select Policy | Rule Sets and ensure that the following applies.
  - There is a Common Rules rule set with a nested Set URL Filter Internal Settings rule set.
    - These rule sets are part of the default rule set system. If they have been deleted or modified, import the default versions of these rule sets from the rule set library.
  - The nested Set URL Filter Internal Settings rule set contains the Set URL Filter settings to be used by other filters rule with the URLFilter.SetInternalSettings event.
    NOTE: The event settings, which are named Default, are the default settings of the URL Filter module.
  - In the Rating Settings section of the event settings, Use online GTI web reputation and categorization services if local ratings yields no result is selected.
    NOTE: This option is selected and grayed out by default. It is still enabled as long as the Enable the Dynamic Content Classifier if local ratings yields no result option is selected, which is also true by default.
    If you deselect Enable the Dynamic Content Classifier if local ratings yields no result, Use online GTI web reputation and categorization services if local ratings yields no result remains selected, but is no longer grayed out.
- If you have modified any settings options or the rule set system, click Save Changes.