Configuring the Cloud Virtual Analyzer and Applying Suspicious Objects

This section walks through an example of configuring TMWS to submit samples to the Cloud Virtual Analyzer for suspicious object analysis, and of using the suspicious objects obtained from the Cloud Virtual Analyzer and Apex Central for threat scanning in TMWS policies.

  1. The administrator enables the Cloud Virtual Analyzer and Action on Suspicious Objects in a Threat Protection template and applies that template in a cloud access rule.
    1. Go to Policies > SECURITY TEMPLATES > Threat Protection, and create a new Threat Protection template or edit an existing one, for example, Threat Protection Template 1, as necessary.
    2. Enable the Cloud Virtual Analyzer in the Advanced Threat Scanning section.
    3. Enable Action on Suspicious Objects, set the action (block or monitor) for each suspicious object type, and then click Save. For details, see Configuring A Threat Protection Template.

      The action applies to every enabled suspicious object, whether it was generated by the Cloud Virtual Analyzer or synchronized from Apex Central.

    4. Go to Policies > Cloud Access Rules, and create a new cloud access rule or edit an existing one, for example, Cloud Access Rule 1, as necessary.
    5. Enable the cloud access rule, configure the Action section, and in the Security Templates section select Threat Protection Template 1 configured in the preceding steps; then click Save. For details, see Configuring A Cloud Access Rule.
    6. Go to Policies > Suspicious Objects and enable or disable individual suspicious objects as required. Only enabled objects are used for scanning.
  2. TMWS submits a sample file to the Cloud Virtual Analyzer, which then generates suspicious objects after analysis.
    1. User A, who matches Cloud Access Rule 1, uploads, opens, or downloads a file that matches the criteria set in Threat Protection Template 1.
    2. TMWS sends the file as a sample to the Cloud Virtual Analyzer for analysis.
    3. The Cloud Virtual Analyzer generates a blocked list containing the suspicious objects derived from the file and sends it to TMWS, which displays the objects on the Suspicious Objects screen.
  3. Apex Central automatically synchronizes its latest suspicious objects to TMWS at a scheduled interval, so an object newly added in Apex Central takes effect in TMWS only after the next synchronization.
  4. TMWS detects requested web traffic that contains a suspicious object and blocks or monitors the activity.
    1. User B sends an HTTP or HTTPS request for web traffic that contains a suspicious object that is listed and enabled on the Suspicious Objects screen.
    2. User B matches an enabled cloud access rule that uses a Threat Protection template with Action on Suspicious Objects configured.
    3. TMWS blocks or monitors the activity according to the action set for that suspicious object type in the applied Threat Protection template.
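To make the evaluation order in the walkthrough above concrete, here is a small Python model added for this page; it is not TMWS code. The suspicious object type names (file SHA-1, IP address, URL, domain), the data structures, the URL and domain matching rules, and all sample data are assumptions made for illustration. The model encodes the checks the walkthrough relies on: the request must match an enabled cloud access rule, that rule's template must have Action on Suspicious Objects enabled, only enabled suspicious objects are considered, the action comes from the per-type setting in the template, and block takes precedence over monitor when several objects match one request.

```python
"""Illustrative model of suspicious object evaluation (added example, not TMWS code).

Type names, matching rules and sample data below are assumptions for illustration.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import urlparse

SO_TYPES = ("file", "ip", "url", "domain")  # assumed suspicious object types


@dataclass(frozen=True)
class SuspiciousObject:
    so_type: str      # one of SO_TYPES
    value: str        # SHA-1 hex, dotted IP, full URL, or domain name
    source: str       # "cloud_virtual_analyzer" or "apex_central"
    enabled: bool = True  # state on the Suspicious Objects screen


@dataclass
class ThreatProtectionTemplate:
    name: str
    cloud_virtual_analyzer: bool
    action_on_suspicious_objects: bool
    actions: Dict[str, str]   # per SO type: "block" or "monitor"

    def __post_init__(self) -> None:
        missing = set(SO_TYPES) - set(self.actions)
        if self.action_on_suspicious_objects and missing:
            raise ValueError(f"no action configured for types: {sorted(missing)}")


@dataclass
class CloudAccessRule:
    name: str
    enabled: bool
    users: FrozenSet[str]
    template: ThreatProtectionTemplate


@dataclass
class WebRequest:
    user: str
    url: str
    dest_ip: str
    file_bytes: Optional[bytes] = None  # uploaded/downloaded file body, if any


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _norm_url(url: str) -> str:
    # Assumed normalization: case-fold scheme and host, keep the path, drop query/fragment.
    p = urlparse(url)
    return f"{p.scheme.lower()}://{_host(url)}{p.path or '/'}"


def matches(so: SuspiciousObject, req: WebRequest) -> bool:
    """Assumed matching rule per object type."""
    if so.so_type == "file":
        return req.file_bytes is not None and \
            hashlib.sha1(req.file_bytes).hexdigest() == so.value.lower()
    if so.so_type == "ip":
        return ipaddress.ip_address(req.dest_ip) == ipaddress.ip_address(so.value)
    if so.so_type == "url":
        return _norm_url(req.url) == _norm_url(so.value)
    if so.so_type == "domain":   # domain object covers the host and its subdomains (assumption)
        h, d = _host(req.url), so.value.lower().lstrip(".")
        return h == d or h.endswith("." + d)
    raise ValueError(f"unknown suspicious object type: {so.so_type}")


def find_rule(user: str, rules: List[CloudAccessRule]) -> Optional[CloudAccessRule]:
    """First enabled cloud access rule whose user list contains the user."""
    return next((r for r in rules if r.enabled and user in r.users), None)


def evaluate(req: WebRequest, rules: List[CloudAccessRule],
             objects: List[SuspiciousObject]) -> Tuple[str, List[SuspiciousObject]]:
    """Return ("allow" | "monitor" | "block", matched objects) for one request."""
    rule = find_rule(req.user, rules)
    if rule is None or not rule.template.action_on_suspicious_objects:
        return "allow", []                      # no rule, or template does not act on SOs
    hits = [so for so in objects if so.enabled and matches(so, req)]
    if not hits:
        return "allow", []
    actions = {rule.template.actions[so.so_type] for so in hits}
    return ("block" if "block" in actions else "monitor"), hits


# --- constructed sample configuration (not real indicators) ---
TEMPLATE_1 = ThreatProtectionTemplate(
    "Threat Protection Template 1", cloud_virtual_analyzer=True,
    action_on_suspicious_objects=True,
    actions={"file": "block", "ip": "block", "url": "block", "domain": "monitor"})
RULE_1 = CloudAccessRule("Cloud Access Rule 1", True, frozenset({"userA", "userB"}), TEMPLATE_1)
SAMPLE_FILE = b"constructed sample payload"   # stands in for the file User A submitted
OBJECTS = [
    SuspiciousObject("file", hashlib.sha1(SAMPLE_FILE).hexdigest(), "cloud_virtual_analyzer"),
    SuspiciousObject("url", "http://example.invalid/drop/payload.bin", "cloud_virtual_analyzer"),
    SuspiciousObject("domain", "bad.example", "apex_central"),
    SuspiciousObject("ip", "192.0.2.10", "apex_central", enabled=False),  # disabled by the admin
]

if __name__ == "__main__":
    for req in (WebRequest("userB", "http://example.invalid/drop/payload.bin", "198.51.100.5"),
                WebRequest("userB", "http://cdn.bad.example/x", "198.51.100.5"),
                WebRequest("userB", "http://other.invalid/", "192.0.2.10"),
                WebRequest("userC", "http://example.invalid/drop/payload.bin", "198.51.100.5")):
        action, hits = evaluate(req, [RULE_1], OBJECTS)
        print(req.user, req.url, "->", action, [(h.so_type, h.source) for h in hits])
```

The disabled IP object and the user who matches no rule both fall through to "allow", which is the point of step 6 and of step 4.2 above: a synchronized or analyzer-generated object only takes effect once it is enabled and a matching, enabled cloud access rule carries a template that acts on suspicious objects.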