Complete rules of the ATD - Offline Scanning with Immediate File Availability rule set

When working with the complete rules of the ATD - Offline Scanning with Immediate File Availability rule set, all rules and rule elements of this rule set can be viewed and configured.

After importing this rule set, the following two rule sets are implemented and appear on the rule sets tree:

  • ATD - Init Offline Scan
  • ATD - Handle Offline Scan

A rule set with the name ATD - Offline Scanning with Immediate File Availability is not implemented.

ATD - Init Offline Scan

This rule set initiates the additional scanning by Advanced Threat Defense.

Library rule set – ATD - Init Offline Scan
Criteria – Antimalware.Proactive.Probability<Gateway Anti-Malware> greater than or equals 60 AND MediaType.EnsuredTypes at least one in list Advanced Threat Defense Supported Types AND Body.Size less than 30000000
Cycles – Responses, Embedded Objects

The rule set criteria specify that the rule set applies if all of the following are true:

  • As a result of previous scanning by Web Gateway, the probability that a web object is malicious equals or exceeds 60 percent.
  • The media type of the object is on the list of supported types for scanning by Advanced Threat Defense.
  • The web object does not exceed a particular size.

The rule set contains the following rule.

Offline scanning with immediate file availability
Antimalware.MATD.InitBackgroundScan(5) equals false –> Block<ATD Communication Failed>

When this rule is processed, all data related to the request for web access that has been sent to Web Gateway is recorded, including the response that was received from the requested web server. The response usually includes in its body the requested web object, for example, a file. The body with the web object is stored on Web Gateway.

An internal request is also created within Web Gateway to initiate the scanning by Advanced Threat Defense. Web Gateway then waits for an answer to this internal request to see whether the request is accepted and the scanning will be performed.

The time that Web Gateway waits for this answer is measured in seconds and a parameter of the Antimalware.MATD.InitBackgroundScan property. By default, this time is 5 seconds. You can configure this time by editing the property parameter.

If no answer to the internal request is received within the configured time, the property is set to false, so the rule criteria matches and the rule applies. A message is then sent to inform the administrator that the additional scanning by Advanced Threat Defense could not be executed.

If the answer is received within the configured time, the web object is forwarded to the user.

Further handling of the additional scanning is performed by the next rule set.

Library rule set – ATD - Handle Offline Scan
Criteria – Antimalware.MATD.IsBackgroundScan equals true
Cycles – Requests, Embedded Objects

The rule set criteria specify that the rule set applies if the value of the Antimalware.MATD.IsBackgroundScan property is true.

It is true if the additional scanning by Advanced Threat Defense has successfully been initiated by the rule in the preceding rule set. In this case, the data that was recorded and stored by that rule is used by Advanced Threat Defense to scan the requested web object.

The rule set contains the following rules.

Upload file to ATD and wait for scanning result
Antimalware.Infected<Gateway ATD> equals true –> Continue – Statistics.Counter.Increment("BlockedByMATD",1)<Default>

The rule uses the Antimalware.Infected property to check whether a web object, for example, a file, is infected by a virus or other malware. The scanning that is required for this check is performed under the Gateway ATD settings, which means it is carried out by Advanced Threat Defense.

For this purpose, the previously stored web object is forwarded from Web Gateway to Advanced Threat Defense.

If the scanning result is that the web object is infected, this is recorded by a statistics counter.

Offline scanning with immediate file availability
Antimalware.Infected<Gateway ATD> equals true –> Block<Virus Found> – Set User-Defined.MessageText =
  "Client.IP: " + IP.ToString(Client.IP)
  + "Requested URL: " + URL
  + "Virus name: " + ListOfString.ToString(Antimalware.VirusNames<Gateway ATD>, ",")
– Email.Send("Administrator@", "MATD offline scan detected a virus", User-Defined.MessageText)<Default>

When the rule is processed, it is checked whether the value of the Antimalware.Infected property is true.

If it is, it means the scanning that was performed by Advanced Threat Defense has found a web object to be infected by a virus or other malware.

A warning message is then created and sent to the administrator for the network of the user who sent the request to access the web object. The message contains information on the request that was recorded by the rule of the preceding rule set.

Stop cycle
Always –> Stop Cycle

This rule stops the processing cycle. It is always executed after the preceding rules have been processed.
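As an added example that is not part of the Web Gateway documentation, the following Python model traces the decisions of both rule sets described above: the criteria of ATD - Init Offline Scan, the InitBackgroundScan timeout that leads to the block, and the rules of ATD - Handle Offline Scan that count, notify and stop. The supported-types list, the sample transaction values and the mail sink are constructed stand-ins, not Web Gateway objects.

```python
# Added example (not Web Gateway code): a model of the two ATD offline-scan
# rule sets, so the order of decisions can be traced on a sample transaction.
import ipaddress

SUPPORTED_TYPES = {"application/x-msdownload", "application/pdf"}  # constructed stand-in list
INIT_TIMEOUT_SECONDS = 5          # parameter of Antimalware.MATD.InitBackgroundScan(5)
MAX_BODY_SIZE = 30000000          # Body.Size limit from the rule set criteria
counters = {"BlockedByMATD": 0}   # target of Statistics.Counter.Increment

def init_offline_scan(tx, atd_answer_delay):
    """ATD - Init Offline Scan: returns the action taken for the transaction."""
    applies = (tx["probability"] >= 60
               and tx["media_type"] in SUPPORTED_TYPES
               and tx["body_size"] < MAX_BODY_SIZE)
    if not applies:
        return "not applicable"
    # InitBackgroundScan is false when no answer arrives within the timeout.
    accepted = atd_answer_delay <= INIT_TIMEOUT_SECONDS
    if not accepted:
        return "Block<ATD Communication Failed>"
    tx["is_background_scan"] = True   # Antimalware.MATD.IsBackgroundScan
    return "deliver to user"          # the file is available immediately

def build_message_text(tx, virus_names):
    # Concatenation exactly as in the rule: the literals carry no separators.
    return ("Client.IP: " + str(ipaddress.ip_address(tx["client_ip"]))
            + "Requested URL: " + tx["url"]
            + "Virus name: " + ",".join(virus_names))

def handle_offline_scan(tx, infected, virus_names, sent_mail):
    """ATD - Handle Offline Scan: applies only to the internal scan request."""
    if not tx.get("is_background_scan"):
        return "not applicable"
    if infected:
        counters["BlockedByMATD"] += 1          # rule 1: count, then Continue
        text = build_message_text(tx, virus_names)
        sent_mail.append(("Administrator@", "MATD offline scan detected a virus", text))
        return "Block<Virus Found>"             # rule 2: block and notify
    return "Stop Cycle"                         # rule 3: Always -> Stop Cycle
```

Because the user already received the object in the Init rule set, a later Virus Found verdict can only be counted and reported, which is why the administrator mail matters here. Note that the rule's string literals contain no separators, so the three fields run together in the mail text; add a space or line break to each literal if the values should be readable on separate lines.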