Terri_Hawkins
Collaborator

Content Awareness and Threat Extraction/Emulation

Hi all! I hate to always be the asker, but here I go again.

Synopsis:

Turned on Content Awareness and am getting HTTP 206 errors. If I set dlpda_drop_http_206_out_of_range to 0, will the file still go through Threat Emulation/Threat Extraction?

Longer, detailed version:

I have an inline rule in my policy for my 15400, R81, newest take, cluster. I have never had Content Awareness enabled, but thought I would give it a try. I enabled it to see if I could see all the traffic from downloads; I was going to try and stop that activity (but wow, is there a ton of it!). Even though I had it set to allow the traffic (I was just monitoring it), it turned on the Content Awareness inspection.

One of the things that must be downloaded is for Microsoft. These are updates we cannot handle using SCCM. They are now being blocked by the Content Awareness blade because they are coming down in blocks of data, so I am getting a 206 message. I found the fix for that (SK167173, thanks to this community), but it looks like it is an all-or-nothing global change, so I can't just tell it to allow Microsoft.

So I have two questions. If I set my dlpda_drop_http_206_out_of_range to 0 as instructed, will the download still go through Threat Extraction and Threat Emulation, so I don't have to worry (at least as much) about it being malicious? Apparently we were allowing this to go through before I turned on CA, but I know that does not necessarily mean that was a good idea. I am searching for a document that shows me the order traffic goes through the blades, but so far have not found one.

And, in the SK, it says to consider the connectivity implication if I turn it off. I have no idea what that means, and it was not a link, just a warning. Do you think they are saying traffic could get lost? Again, since I was allowing it before, I am guessing this is not too big a deal.

Any assistance would be greatly appreciated. Maybe one day I will find a question I can answer too!

terri


3 Replies
PhoneBoy
Admin

Oftentimes, the first portion of the file is used to determine the file type, which is why partial file types might create some issues for Content Awareness.
For Threat Emulation, the entire file must be received before it can be emulated, so it doesn't necessarily matter what order the bits are received in.
Threat Extraction only applies to document types, not EXE-type files.
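
As an added illustration of the mechanics described in the reply above (this is example code written for this page, not code from the thread, from Check Point, or from the SK): a 206 chunk that starts mid-file carries none of the leading magic bytes, so a type check on that chunk alone fails, while a whole-file analysis cannot start until every byte range has arrived. The signature table, the Content-Range handling, the out-of-range check and the sample payload are all constructed for the example; nothing here reflects how the Check Point kernel parameter itself is implemented.

```python
"""Why HTTP 206 (Partial Content) responses complicate file inspection.

Constructed example: a tiny magic-byte identifier plus a Content-Range
reassembler that reports which byte ranges are still missing.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimal, constructed signature table (real inspectors use far more).
SIGNATURES = {
    b"MZ": "exe",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
}

# RFC 7233 form: Content-Range: bytes START-END/TOTAL  (TOTAL may be '*')
CONTENT_RANGE_RE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")


def parse_content_range(value: str) -> Tuple[int, int, Optional[int]]:
    """Parse a Content-Range header; reject malformed or out-of-range values."""
    m = CONTENT_RANGE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed Content-Range: {value!r}")
    start, end = int(m.group(1)), int(m.group(2))
    total = None if m.group(3) == "*" else int(m.group(3))
    if end < start:
        raise ValueError("range end precedes start")
    if total is not None and end >= total:
        # The server claims bytes beyond the declared object length.
        raise ValueError("range exceeds declared total length")
    return start, end, total


def identify(buf: bytes) -> Optional[str]:
    """Identify a file type from its leading bytes; None if nothing matches."""
    for magic, name in SIGNATURES.items():
        if buf.startswith(magic):
            return name
    return None


class RangeReassembler:
    """Collect 206 chunks and say when the complete object is available."""

    def __init__(self) -> None:
        self.total: Optional[int] = None
        self.chunks: Dict[int, bytes] = {}

    def add(self, content_range: str, body: bytes) -> None:
        start, end, total = parse_content_range(content_range)
        if end - start + 1 != len(body):
            raise ValueError("body length does not match Content-Range")
        if total is not None:
            if self.total is not None and total != self.total:
                raise ValueError("inconsistent total length across chunks")
            self.total = total
        self.chunks[start] = body

    def missing(self) -> Optional[List[Tuple[int, int]]]:
        """Byte ranges not yet received, or None if the total is unknown."""
        if self.total is None:
            return None
        gaps, pos = [], 0
        for start in sorted(self.chunks):
            if start > pos:
                gaps.append((pos, start - 1))
            pos = max(pos, start + len(self.chunks[start]))
        if pos < self.total:
            gaps.append((pos, self.total - 1))
        return gaps

    def assemble(self) -> Optional[bytes]:
        """Full object once every range is present; None otherwise."""
        if self.missing() != []:
            return None
        out = bytearray(self.total)
        for start, body in self.chunks.items():
            out[start:start + len(body)] = body
        return bytes(out)


def demo() -> dict:
    """Constructed 64-byte 'executable' fetched as two ranges, second first."""
    payload = b"MZ\x90\x00" + bytes(60)
    first, second = payload[:16], payload[16:]
    r = RangeReassembler()
    r.add("bytes 16-63/64", second)
    type_from_mid_chunk = identify(second)   # None: magic bytes not in this chunk
    still_missing = r.missing()              # [(0, 15)]: cannot analyze yet
    r.add("bytes 0-15/64", first)
    whole = r.assemble()
    return {
        "type_from_mid_chunk": type_from_mid_chunk,
        "missing_before_first_chunk": still_missing,
        "type_from_whole_file": identify(whole) if whole else None,
        "complete": whole == payload,
    }


if __name__ == "__main__":
    print(demo())
```

The mid-file chunk yields no type at all, which is the situation a per-response content check is in, while the reassembler makes explicit that a file-level verdict (emulation, hashing) is only possible after the last gap closes.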

Samuel_Martins
Explorer

Hi,

What about the connectivity implication as described in the SK?

PhoneBoy
Admin

Anytime you change the enforcement of certain HTTP messages (for example the firewall blocking range requests that are out of bounds), there’s a potential for legitimate traffic being blocked as a result.
