non-functional attachment hash scanning?

nafooesi
Level 1

Hi community!

 

I'm test driving ESA C000V virtual appliance with External Threat Feed (ETF) via a taxii server.

The ETF is configured to scan incoming mail for url reputation and attachment file info.

 

It was successful in blocking malicious URLs in email.

However, it did not block an attachment that matched a malicious SHA-256 sent by the ETF.

 

I noticed that under "security services" -> "advanced malware protection", "File reputation and analysis" is not enabled.

Is this a required feature for attachment scanning, or am I missing something else?

 

Thanks in advance!


4 Replies

nafooesi
Level 1

I also noticed that only the first 1000 URLs are used in incoming content scanning. Additional URLs from the ETF are not reported when an email has them. Is this a limitation of my trial license / virtual appliance C000V? What about file attachments? Can anyone point me to documentation where such a limitation is specified?

 

By default, in the body the ESA can scan 100 unique URLs, and in an attachment 25 unique URLs.

You can increase both values to 1000 in the CLI: ESA> websecurityadvancedconfig.

 

Note: pre-13.5 ESA, there was no max limit in body scan.

SriramV
Cisco Employee

For file hash, ETF supports SHA-256 and MD5.

Enable it in content filter.

 

1. Mail Policies > Incoming/Outgoing Content Filter > Add new Filter > Add Condition > Attachment File Info > External Threat Feeds > Select feed source name

   > Add action > Strip Attachment by File Info > External Threat Feeds > Select feed source name

 

2. Enable it in Mail Policies > Incoming/Outgoing Mail Policies > Content Filters
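As an added illustration of what that "Attachment File Info > External Threat Feeds" condition evaluates (this is not Cisco's code and not from the thread): hash each attachment with SHA-256 and MD5 and compare against the hash observables ingested from the feed. The feed values and the test message below are constructed; running the same check on a test attachment confirms its hash really is one the feed carries before concluding the content filter failed.

```python
"""Offline model of the ESA content-filter condition that matches attachment
hashes against External Threat Feed observables. Added example, not Cisco
code; feed values and the message are constructed for demonstration."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the SHA-256 / MD5 observables pulled from the
# TAXII feed (ESA's file-hash matching supports exactly these two types).
FEED_OBSERVABLES = {
    "sha256": {hashlib.sha256(b"test payload matched by sha256").hexdigest()},
    "md5": {hashlib.md5(b"test payload matched by md5").hexdigest()},
}


def build_test_message() -> bytes:
    """Constructed message: one attachment hits by SHA-256, one by MD5,
    one is benign and must pass through untouched."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "ETF attachment hash test"
    msg.set_content("Body text with no URLs.")
    for name, data in (("a.bin", b"test payload matched by sha256"),
                       ("b.bin", b"test payload matched by md5"),
                       ("c.bin", b"benign content")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def attachment_hashes(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (filename, sha256, md5) for every attachment part, after
    decoding the transfer encoding so the hash is of the real file bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        result.append((part.get_filename(), hashlib.sha256(data).hexdigest(),
                       hashlib.md5(data).hexdigest()))
    return result


def match_feed(raw: bytes, feed=FEED_OBSERVABLES) -> dict[str, str]:
    """Map each attachment that matches the feed to the hash type that hit;
    these are the parts a 'Strip Attachment by File Info' action would remove."""
    hits = {}
    for name, sha256, md5 in attachment_hashes(raw):
        if sha256 in feed["sha256"]:
            hits[name] = "sha256"
        elif md5 in feed["md5"]:
            hits[name] = "md5"
    return hits
```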

Hi SriramV,

 

Thanks for the reply. I have configured the ETF in the incoming content filters with regard to "URL Reputation" and "Attachment File Info". The threat feed log confirms the downloading of the observables. However, the detection of malicious URLs from the feed seems inconsistent: some URLs are detected, but not others.

 

Is there a way to list or search for the observables that are ingested by the ESA from the ETF? Are there any rules or limitations on the number of URLs, or on the enabling time frame for the data received from the ETF?

 

Thanks!