ICAP Pre-scans

When ICAP clients send samples to Deep Discovery Analyzer for analysis, Deep Discovery Analyzer first performs a pre-scan that compares the received samples against known threats using the following resources:
  • Advanced Threat Scan Engine (ATSE) for file scans
  • YARA rules
  • Suspicious objects and user-defined suspicious objects lists
  • Predictive Machine Learning engine
  • Web Reputation Services (WRS) for URL scans
  • Deep Discovery Analyzer cache
Depending on the result of the pre-scan, Deep Discovery Analyzer performs the following actions.
Result: The sample is a known good file or URL
Action:
  • Deep Discovery Analyzer sends the original request as a response back to the ICAP client.

Result: The sample does not match any existing record
Action:
  • Deep Discovery Analyzer sends the original request as a response back to the ICAP client.
  • Deep Discovery Analyzer treats the sample as a submission and sends it to the Submission queue. The sample is not shown on the ICAP Pre-scan tab.
  • Deep Discovery Analyzer adds the sample to the Deep Discovery Analyzer database to benefit later submissions.
  Note: If Virtual Analyzer does not support the file type of a submitted sample, Deep Discovery Analyzer does not send the sample to the Submission queue or add it to the Deep Discovery Analyzer database.

Result: The sample matches a known malicious threat
Action:
  • Deep Discovery Analyzer responds with a 403 Forbidden message to the ICAP client.
  • Deep Discovery Analyzer logs the sample and displays sample details on the ICAP Pre-scan tab.
Note: To view the ICAP Pre-scan tab on the Submissions screen, enable the setting in Administration > Integrated Products/Services > ICAP. This tab is hidden by default.
For details, see ICAP Tab.
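The result-to-action table above as a runnable model, added here as an example and not Trend Micro code: it maps each pre-scan verdict to the listed actions, including the unsupported-file-type exception, and shows the shape of the two ICAP replies (the original request echoed back, or an encapsulated HTTP 403 Forbidden). The verdict names, the ISTag value, the sample request and the REQMOD framing details (RFC 3507) are assumptions.

```python
# Added example: models the pre-scan decision table. Verdict names, ISTag,
# the sample request and the ICAP REQMOD framing are assumptions, not product code.
from dataclasses import dataclass

CRLF = "\r\n"
# Constructed sample HTTP request, as an ICAP client would encapsulate it.
SAMPLE_REQUEST = "GET /sample.exe HTTP/1.1" + CRLF + "Host: origin.example" + CRLF + CRLF

@dataclass(frozen=True)
class PrescanAction:
    icap_payload: bytes        # response returned to the ICAP client
    queue_submission: bool     # sample goes to the Submission queue for Virtual Analyzer
    add_to_database: bool      # sample recorded to benefit later submissions
    show_on_prescan_tab: bool  # sample details appear on the ICAP Pre-scan tab

def _icap_200(encapsulated: str, http_part: str) -> bytes:
    """Wrap an HTTP message in an ICAP/1.0 200 OK response (REQMOD framing, RFC 3507)."""
    head = ("ICAP/1.0 200 OK" + CRLF + 'ISTag: "prescan-example"' + CRLF
            + f"Encapsulated: {encapsulated}" + CRLF + CRLF)
    return (head + http_part).encode()

def echo_request(original_request: str) -> bytes:
    """Known good or unknown sample: hand the client's original request back unchanged."""
    return _icap_200(f"req-hdr=0, null-body={len(original_request.encode())}", original_request)

def forbidden_response() -> bytes:
    """Known malicious sample: replace the request with an HTTP 403 Forbidden response."""
    body = "Forbidden"
    hdrs = ("HTTP/1.1 403 Forbidden" + CRLF + "Content-Type: text/plain" + CRLF
            + f"Content-Length: {len(body)}" + CRLF + CRLF)
    chunked = f"{len(body):x}" + CRLF + body + CRLF + "0" + CRLF + CRLF  # ICAP bodies are chunked
    return _icap_200(f"res-hdr=0, res-body={len(hdrs.encode())}", hdrs + chunked)

def prescan_action(verdict: str, original_request: str, supported_file_type: bool = True) -> PrescanAction:
    """Map a pre-scan verdict ('good', 'unknown' or 'malicious') to the actions in the table."""
    if verdict == "good":
        return PrescanAction(echo_request(original_request), False, False, False)
    if verdict == "unknown":
        # Unsupported file types are neither queued for analysis nor added to the database.
        return PrescanAction(echo_request(original_request), supported_file_type, supported_file_type, False)
    if verdict == "malicious":
        return PrescanAction(forbidden_response(), False, False, True)
    raise ValueError(f"unexpected pre-scan verdict: {verdict!r}")

if __name__ == "__main__":
    print(prescan_action("malicious", SAMPLE_REQUEST).icap_payload.decode())
```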