Complete rules of the Advanced Threat Defense rule set

When working with the complete rules of the Advanced Threat Defense rule set, all rules and rule elements of this rule set can be viewed and configured.

Library rule set – Advanced Threat Defense
Criteria – Antimalware.Proactive.Probability<Gateway Anti-Malware> greater than or equals 60 AND MediaType.EnsuredTypes at least one in list Advanced Threat Defense Supported Types
Cycles – Responses, Embedded Objects

The rule set criteria specify that the rule set applies only if both of the following are true:

  • As a result of the previous scanning by the anti-malware engines on Web Gateway (the Gateway Anti-Malware settings), the proactive probability that a web object is malicious equals or exceeds 60 percent.
  • At least one of the ensured media types of the object is on the list of supported types for scanning by Advanced Threat Defense.

Objects that fail either condition are not processed by this rule set at all, so they are never uploaded to Advanced Threat Defense.

The rule set contains the following rules.

Enable progress page
Always –> Continue – Enable Progress Page<Default>

The rule always applies and enables an event that lets a progress page be shown to the client while the download of a web object is held. This covers the time that the following rule spends uploading the object and waiting for the scanning result.

Upload file to ATD and wait for scanning result
Antimalware.Infected<Gateway ATD> –> Block<Virus Found> – Statistics.Counter.Increment("BlockedByMATD",1)<Default>

The rule uses the Antimalware.Infected property to check whether a web object, for example, a file, is infected by a virus or other malware.

The scanning that is required for this check is performed under the Gateway ATD settings, which means the object is uploaded to Advanced Threat Defense and the rule waits for the scanning result before the property is evaluated.

If the object is found to be infected, forwarding of the object to the requesting client is blocked and the Virus Found block message is shown to the user who requested access to the object. The block action is recorded by incrementing the BlockedByMATD statistics counter by 1. If the object is not found to be infected, the rule does not apply and processing continues.
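The following Python model, added here as an illustration and not code from Web Gateway or Advanced Threat Defense, walks constructed web objects through the rule set described above: the two criteria (probability threshold and "at least one in list" media type check), the progress page rule, and the upload-and-block rule with its counter. The media type entries, the object names, and the boolean ATD verdicts are constructed assumptions; the real supported-types list and the ATD verdict come from the product.

```python
"""Model of the Advanced Threat Defense library rule set (added example, not Web Gateway code)."""
from dataclasses import dataclass, field

# Stand-in for the "Advanced Threat Defense Supported Types" list. The entries
# are constructed for this example; the real list is maintained on Web Gateway.
ATD_SUPPORTED_TYPES = frozenset({
    "application/x-msdownload",
    "application/pdf",
    "application/zip",
})

# Threshold from the rule set criteria: probability greater than or equals 60.
PROBABILITY_THRESHOLD = 60


@dataclass(frozen=True)
class WebObject:
    """A web object as the rule engine sees it after the Gateway Anti-Malware scan."""
    name: str
    proactive_probability: int      # Antimalware.Proactive.Probability<Gateway Anti-Malware>
    ensured_types: frozenset        # MediaType.EnsuredTypes (may hold several types)
    atd_would_flag: bool            # constructed ATD verdict, only visible if uploaded


class FakeATD:
    """Stand-in for Advanced Threat Defense: records uploads and returns the constructed verdict."""
    def __init__(self):
        self.uploads = []

    def scan(self, obj):
        # Antimalware.Infected<Gateway ATD> is only evaluated by uploading the object.
        self.uploads.append(obj.name)
        return obj.atd_would_flag


@dataclass
class Counters:
    """Statistics counters; Statistics.Counter.Increment("BlockedByMATD", 1) lands here."""
    values: dict = field(default_factory=dict)

    def increment(self, name, by=1):
        self.values[name] = self.values.get(name, 0) + by


def rule_set_applies(obj):
    """Rule set criteria: probability >= 60 AND at least one ensured type in the ATD list."""
    probable = obj.proactive_probability >= PROBABILITY_THRESHOLD
    supported = bool(obj.ensured_types & ATD_SUPPORTED_TYPES)   # "at least one in list"
    return probable and supported


def process(obj, atd, counters):
    """Run the two rules in order; returns (action, progress_page_enabled).

    The Responses / Embedded Objects cycle itself is not modelled: the caller
    is assumed to hand in each response body or extracted embedded object.
    """
    if not rule_set_applies(obj):
        # Criteria not met: the rule set is skipped, nothing is sent to ATD.
        return "continue", False

    # Rule "Enable progress page": Always -> Continue - Enable Progress Page<Default>
    progress_page = True

    # Rule "Upload file to ATD and wait for scanning result":
    # Antimalware.Infected<Gateway ATD> -> Block<Virus Found> - Statistics.Counter.Increment
    if atd.scan(obj):
        counters.increment("BlockedByMATD", 1)
        return "block:Virus Found", progress_page

    return "continue", progress_page


def run_sample():
    """Push four constructed objects through the rule set and collect what happened."""
    atd, counters = FakeATD(), Counters()
    objects = [
        WebObject("dropper.exe", 85, frozenset({"application/x-msdownload"}), True),
        WebObject("page.html", 85, frozenset({"text/html"}), True),            # unsupported type
        WebObject("report.pdf", 40, frozenset({"application/pdf"}), True),     # below threshold
        WebObject("archive.zip", 60, frozenset({"text/plain", "application/zip"}), False),
    ]
    results = {o.name: process(o, atd, counters) for o in objects}
    return results, atd.uploads, counters.values


if __name__ == "__main__":
    for name, (action, progress) in run_sample()[0].items():
        print(f"{name:12} action={action:18} progress_page={progress}")
```

Two points the run makes visible: page.html is never uploaded even though the sandbox would have flagged it, because its media type is not on the supported list, and archive.zip is uploaded at exactly 60 percent because the criterion is "greater than or equals". Tuning the threshold or the supported-types list therefore changes what reaches Advanced Threat Defense, not just what is blocked.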