Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jonathan_Langle
Participant

Background Vs Hold classification

We are using Background Classification, how long do files usually stay in this classification? Example I have seen the same file almost every day for a month being downloaded, it seems based on the protection details it has been classified, but its still listed as detect.

0 Kudos
1 Reply
Bob_Zimmerman
Advisor

That's what Background does. It lets the file through.

Hold basically proxies the connection, saves the file to the firewall, checks the hash against recent Threat Emulation verdicts, and if it doesn't get one, sends it to Threat Emulation for a verdict. If it's benign, it then lets the traffic through. If it has to wait on Threat Emulation to open the file, it tarpits the connection, sending one byte at a time. Usually, it only has to do this for maybe 15 seconds.

0 Kudos