06-19-2020 06:19 PM
Hi community!
I'm test driving an ESA C000V virtual appliance with External Threat Feed (ETF) via a TAXII server.
The ETF is configured to scan incoming mail for URL reputation and attachment file info.
It was successful in blocking malicious URLs in email.
However, it did not block an attachment that matched a malicious SHA-256 sent by the ETF.
I noticed that under "Security Services" -> "Advanced Malware Protection", "File Reputation and Analysis" is not enabled.
Is this a required feature for attachment scanning, or am I missing something else?
Thanks in advance!
06-20-2020 11:03 AM
I also noticed that only the first 1000 URLs are used in incoming content scanning. Additional URLs from the ETF are not reported when an email has them. Is this a limitation of my trial license / virtual appliance C000V? What about file attachments? Can anyone point me to documentation where such a limitation is specified?
06-20-2020 10:23 PM
By default, ESA can scan 100 unique URLs in the body and 25 unique URLs in attachments.
You can increase both values to 1000 in the CLI: ESA> websecurityadvancedconfig.
Note: pre-13.5 ESA had no maximum limit for body scans.
06-20-2020 10:15 PM - edited 06-20-2020 10:16 PM
For file hashes, ETF supports SHA-256 and MD5.
Enable it in a content filter.
1. Mail Policies > Incoming/Outgoing Content Filter > Add new Filter > Add Condition > Attachment File Info > External Threat Feeds > Select feed source name
> Add action > Strip Attachment by File Info > External Threat Feeds > Select feed source name
2. Enable it in Mail Policies > Incoming/Outgoing Mail Policies > Content Filters
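To make the two answers above concrete (the per-message unique-URL caps and the SHA-256/MD5 attachment matching), here is an added example, not code from the thread or from Cisco: a small Python model of what the ETF content filter does with a message. The feed contents, the message body and the attachment bytes are all constructed; the observable store is a plain dict, not ESA's actual format.

```python
import hashlib
import re

# Constructed stand-in for observables ingested from the TAXII feed.
SAMPLE = b"constructed attachment whose hash is on the feed"
FEED = {
    "sha256": {hashlib.sha256(SAMPLE).hexdigest()},
    "md5": set(),
    "url": {"http://bad.example/a", "http://bad.example/b"},
}

# Default caps stated in the reply above: 100 unique URLs in the body,
# 25 in attachments (both raisable to 1000 via websecurityadvancedconfig).
BODY_URL_LIMIT = 100
ATTACHMENT_URL_LIMIT = 25

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unique_urls(text):
    """URLs in first-seen order, de-duplicated (the cap counts unique URLs)."""
    seen = []
    for url in URL_RE.findall(text):
        if url not in seen:
            seen.append(url)
    return seen


def scan_urls(text, limit=BODY_URL_LIMIT):
    """Return (matched, unscanned).

    matched:   feed URLs that fell inside the cap and would be detected.
    unscanned: feed URLs beyond the cap that the appliance never looks at,
               which is one explanation for 'some URLs detected, not others'.
    """
    urls = unique_urls(text)
    scanned, skipped = urls[:limit], urls[limit:]
    matched = [u for u in scanned if u in FEED["url"]]
    unscanned = [u for u in skipped if u in FEED["url"]]
    return matched, unscanned


def scan_attachment(data):
    """Hash the attachment as SHA-256 and MD5; return (algo, digest) on a hit."""
    digests = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }
    for algo, digest in digests.items():
        if digest in FEED[algo]:
            return algo, digest
    return None
```

Run scan_urls on a body with more than 100 distinct URLs and a feed URL near the end to see the cap hide a hit; raising the limit argument to 1000 mirrors the CLI change.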
06-22-2020 01:00 PM
Hi SriramV,
Thanks for the reply. I have configured the ETF in the incoming content filters with regard to "URL Reputation" and "Attachment File Info". The threat feed log confirms the downloading of the observables. However, the detection of malicious URLs from the feed seems inconsistent: some URLs are detected, but not others.
Is there a way to list or search for the observables that are ingested by ESA from the ETF? Are there any rules or limitations on the number of URLs, or on the enabling time frame for the data received from the ETF?
Thanks!