ICAP Pre-scans

When ICAP clients send samples to Deep Discovery Analyzer for analysis, Deep Discovery Analyzer performs a pre-scan which compares samples received with known existing threats using the following resources:

Advanced Threat Scan Engine (ATSE) for file scans
YARA rules
Suspicious objects and user-defined suspicious objects lists
Predictive Machine Learning engine
Web Reputation Services (WRS) for URL scans
Deep Discovery Analyzer cache

Depending on the result of the pre-scan, Deep Discovery Analyzer performs the following actions.

Result

Action

If the sample is a known good file / URL

Deep Discovery Analyzer sends the original request as a response back to the ICAP client.

If the sample does not match any existing record

Deep Discovery Analyzer sends the original request as a response back to the ICAP client.
Deep Discovery Analyzer treats the sample as a submission and sends it to the Submission queue. The sample is not shown on the ICAP Pre-scan tab.
Deep Discovery Analyzer adds the sample to the Deep Discovery Analyzer database to benefit later submissions.

Note

If Virtual Analyzer does not support the file type of a submitted sample, Deep Discovery Analyzer does not send the sample to the Submission queue or add to the Deep Discovery Analyzer database.

If the sample matches a known malicious threat

Deep Discovery Analyzer reponds with a 403 Forbidden message to the ICAP client.
Deep Discovery Analyzer logs the sample and displays sample details on the ICAP Pre-scan tab.

Note

To view the ICAP Pre-scan tab on the Submissions screen, enable the setting in Administration → Integrated Products/Services → ICAP. This tab is hidden by default.

For details, see ICAP Tab.

$('#title').html($('meta[name=description]').attr('content'));

ICAP Pre-scans

Note

Note