ICAP Pre-scans

When ICAP clients send samples to Deep Discovery Analyzer for analysis, Deep Discovery Analyzer performs a pre-scan which compares samples received with known existing threats using the following resources:
  • Advanced Threat Scan Engine (ATSE) for file scans
  • YARA rules
  • Suspicious objects and user-defined suspicious objects lists
  • Predictive Machine Learning engine
  • Web Reputation Services (WRS) for URL scans
  • Deep Discovery Analyzer cache
Depending on the result of the pre-scan, Deep Discovery Analyzer performs the following actions.

If the sample is a known good file / URL
  • Deep Discovery Analyzer sends the original request as a response back to the ICAP client.

If the sample does not match any existing record
  • Deep Discovery Analyzer sends the original request as a response back to the ICAP client.
  • Deep Discovery Analyzer treats the sample as a submission and sends it to the Submission queue. The sample is not shown on the ICAP Pre-scan tab.
  • Deep Discovery Analyzer adds the sample to the Deep Discovery Analyzer database to benefit later submissions.

Note
If Virtual Analyzer does not support the file type of a submitted sample, Deep Discovery Analyzer does not send the sample to the Submission queue or add it to the Deep Discovery Analyzer database.

If the sample matches a known malicious threat
  • Deep Discovery Analyzer responds with a 403 Forbidden message to the ICAP client.
  • Deep Discovery Analyzer logs the sample and displays sample details on the ICAP Pre-scan tab.

Note
To view the ICAP Pre-scan tab on the Submissions screen, enable the setting in Administration > Integrated Products/Services > ICAP. This tab is hidden by default.
For details, see ICAP Tab.
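As an added illustration (not Deep Discovery Analyzer code), the following Python model reproduces the decision table above: a pre-scan against constructed lookup data, then the ICAP response, queueing and database outcome for each verdict, including the unsupported-file-type case. The order in which resources are consulted, the hash and byte-pattern checks, and the supported-type set are assumptions made for the example.

```python
# Added example, not product code: a model of the ICAP pre-scan decision table.
# Resource order, the hash/pattern checks and the supported-type set are assumptions.
import hashlib
from enum import Enum

class Verdict(Enum):
    KNOWN_GOOD = "known good"
    UNKNOWN = "no existing record"
    MALICIOUS = "known malicious"

# Constructed sample data standing in for the pre-scan resources.
KNOWN_GOOD_SHA256 = {hashlib.sha256(b"hello world").hexdigest()}
SUSPICIOUS_OBJECT_SHA256 = {hashlib.sha256(b"constructed bad sample").hexdigest()}
YARA_LIKE_PATTERNS = [b"CONSTRUCTED_MALWARE_MARKER"]  # stands in for a YARA rule
VA_SUPPORTED_TYPES = {"exe", "pdf", "docx"}           # constructed, not the product's list

def prescan(sample: bytes) -> Verdict:
    """Compare a sample against the known-good set, suspicious objects and YARA-like rules."""
    digest = hashlib.sha256(sample).hexdigest()
    if digest in KNOWN_GOOD_SHA256:
        return Verdict.KNOWN_GOOD
    if digest in SUSPICIOUS_OBJECT_SHA256:
        return Verdict.MALICIOUS
    if any(pattern in sample for pattern in YARA_LIKE_PATTERNS):
        return Verdict.MALICIOUS
    return Verdict.UNKNOWN

def icap_action(verdict: Verdict, file_type: str) -> dict:
    """Map a pre-scan verdict to the actions listed in the table above."""
    malicious = verdict is Verdict.MALICIOUS
    unknown = verdict is Verdict.UNKNOWN
    va_supported = file_type in VA_SUPPORTED_TYPES
    return {
        # 403 Forbidden for a known threat; otherwise the original request is returned.
        "icap_response": "403 Forbidden" if malicious else "original request",
        # Unknown samples go to the Submission queue and the database only when
        # Virtual Analyzer supports the file type.
        "queued_for_submission": unknown and va_supported,
        "added_to_database": unknown and va_supported,
        # Only known-malicious samples are logged and shown on the ICAP Pre-scan tab.
        "shown_on_prescan_tab": malicious,
    }

def handle_icap_sample(sample: bytes, file_type: str) -> dict:
    """Pre-scan one sample received from an ICAP client and return the resulting actions."""
    return icap_action(prescan(sample), file_type)
```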