ICAP Pre-scans

When ICAP clients send samples to Deep Discovery Analyzer for analysis, Deep Discovery Analyzer first performs a pre-scan that compares each received sample against known threats using the following resources:

  • Advanced Threat Scan Engine (ATSE) for file scans

  • YARA rules

  • Suspicious objects and user-defined suspicious objects lists

  • Predictive Machine Learning engine

  • Web Reputation Services (WRS) for URL scans

  • Deep Discovery Analyzer cache

Depending on the result of the pre-scan, Deep Discovery Analyzer performs the following actions.

Result: The sample is a known good file or URL

Action:

  • Deep Discovery Analyzer sends the original request as a response back to the ICAP client.

Result: The sample does not match any existing record

Action:

  • Deep Discovery Analyzer sends the original request as a response back to the ICAP client.

  • Deep Discovery Analyzer treats the sample as a submission and sends it to the Submission queue. The sample is not shown on the ICAP Pre-scan tab.

  • Deep Discovery Analyzer adds the sample to the Deep Discovery Analyzer database so that later submissions of the same sample benefit from the result.

Note:

If Virtual Analyzer does not support the file type of a submitted sample, Deep Discovery Analyzer does not send the sample to the Submission queue or add it to the Deep Discovery Analyzer database.

Result: The sample matches a known malicious threat

Action:

  • Deep Discovery Analyzer responds with a 403 Forbidden message to the ICAP client.

  • Deep Discovery Analyzer logs the sample and displays sample details on the ICAP Pre-scan tab.

Note:

To view the ICAP Pre-scan tab on the Submissions screen, enable the setting in Administration > Integrated Products/Services > ICAP. This tab is hidden by default.

For details, see ICAP-Tab.xml.
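The three pre-scan outcomes above reduce, from the ICAP client's point of view, to two wire-level results: the original message comes back unmodified (known good, or unknown and queued), or a 403 Forbidden comes back (known malicious). The following is an added example, not code from the Deep Discovery Analyzer product or its documentation, showing how an ICAP client can parse a response per RFC 3507 framing and map it to those outcomes. It assumes that pass-through is signalled as an ICAP 204 No Content and that a block appears either as an ICAP-level 403 or as an encapsulated HTTP 403 response; the page does not state which form the appliance uses, so both are handled. All sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the status line of either an ICAP or an HTTP message.
STATUS_RE = re.compile(r"^(ICAP|HTTP)/\d\.\d (\d{3})(?: |$)")


@dataclass
class IcapVerdict:
    icap_status: int
    http_status: Optional[int]  # status of the encapsulated HTTP response, if present
    blocked: bool               # True when the pre-scan returned 403 Forbidden


def parse_icap_response(raw: bytes) -> IcapVerdict:
    """Split an ICAP response into its header section and the encapsulated
    HTTP section, then classify it as pass-through or blocked.
    Assumption (not stated by the page): a block is either an ICAP 403 or
    an encapsulated HTTP 403."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m or m.group(1) != "ICAP":
        raise ValueError("not an ICAP response: %r" % lines[0])
    icap_status = int(m.group(2))

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # The Encapsulated header lists the byte offset of each section in the
    # body; a res-hdr entry means an HTTP response header block is present.
    offsets = dict(re.findall(r"(\w+-\w+)=(\d+)", headers.get("encapsulated", "")))
    http_status = None
    if "res-hdr" in offsets:
        start = int(offsets["res-hdr"])
        first_line = body[start:].split(b"\r\n", 1)[0].decode("ascii", "replace")
        hm = STATUS_RE.match(first_line)
        if hm and hm.group(1) == "HTTP":
            http_status = int(hm.group(2))

    blocked = icap_status == 403 or http_status == 403
    return IcapVerdict(icap_status, http_status, blocked)


# Constructed sample: 204 No Content, i.e. the original message passes
# through unmodified (known good, or unknown and sent to the Submission queue).
PASS_RESPONSE = (
    b"ICAP/1.0 204 No Content\r\n"
    b"ISTag: \"example-tag\"\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

# Constructed sample: ICAP 200 OK carrying an encapsulated HTTP 403 Forbidden
# with a short chunked body (known malicious).
HTTP_403 = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
)
BLOCK_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"ISTag: \"example-tag\"\r\n"
    b"Encapsulated: res-hdr=0, res-body=%d\r\n" % len(HTTP_403)
    + b"\r\n"
    + HTTP_403
    + b"9\r\nForbidden\r\n0\r\n\r\n"
)

# Constructed sample: the block expressed at the ICAP level instead.
ICAP_403_RESPONSE = (
    b"ICAP/1.0 403 Forbidden\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, msg in (("pass", PASS_RESPONSE), ("block", BLOCK_RESPONSE),
                       ("icap-403", ICAP_403_RESPONSE)):
        print(label, parse_icap_response(msg))
```

Because an unknown sample is passed through exactly like a known good one, an ICAP client sees no difference between the two at this point; the eventual Virtual Analyzer verdict for a queued sample only surfaces later through the Submissions screen and the database entry that benefits subsequent submissions.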