File Rule Components

File Rule Component

Description

application protocol

The system can detect and inspect files transmitted via FTP, HTTP, SMTP, IMAP, POP3, and NetBIOS-ssn (SMB). Any, the default, detects files in HTTP, SMTP, IMAP, POP3, FTP, and NetBIOS-ssn (SMB) traffic. To improve performance, you can restrict file detection to only one of those application protocols on a per-file-rule basis.

direction of transfer

You can inspect incoming FTP, HTTP, IMAP, POP3, and NetBIOS-ssn (SMB) traffic for downloaded files; you can inspect outgoing FTP, HTTP, SMTP, and NetBIOS-ssn (SMB) traffic for uploaded files.

Tip

Use Any to detect files over multiple application protocols, regardless of whether users are sending or receiving.

file categories and types

The system can detect various types of files. These file types are grouped into basic categories, including multimedia (swf, mp3), executables (exe, torrent), and PDFs. You can configure file rules that detect individual file types or entire categories of file types.

For example, you could block all multimedia files, or just ShockWave Flash (swf) files. Or, you could configure the system to alert you when a user downloads a BitTorrent (torrent) file.

Note that executables include file types that can run macros and scripts, since these can contain malware.

For a list of file types the system can inspect, select Policies > Access Control > Malware & File, create a temporary new file policy, then click Add Rule. Select a file type category and the file types that the system can inspect appear in the File Types list.

Note

Frequently triggered file rules can affect system performance. For example, detecting multimedia files in HTTP traffic could generate an overwhelming number of events (YouTube, for instance, transmits significant Flash content).

file rule action

A file rule’s action determines how the system handles traffic that matches the conditions of the rule.

Depending on the selected action, you can configure whether the system stores the file or performs Spero, local malware, or dynamic analysis on a file. If you select a Block action, you can also configure whether the system resets the blocked connection.

For descriptions of these actions and options, see File Rule Actions.

File rules are evaluated in rule-action, not numerical, order. For details, see File Rule Actions: Evaluation Order.
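
As an added example (not the vendor's code and not an export format of the product), the following sketch lints a constructed list of file rules against the protocol/direction combinations and the performance notes in the table above. The rule dictionary fields, the finding labels, and the sample rules are assumptions made for illustration.

```python
# Added example: lint file rules against the protocol/direction matrix and
# performance notes from this section. Rule fields are hypothetical.

# Protocols the section lists as inspectable for each direction of transfer.
INSPECTABLE = {
    "download": {"FTP", "HTTP", "IMAP", "POP3", "NetBIOS-ssn (SMB)"},
    "upload": {"FTP", "HTTP", "SMTP", "NetBIOS-ssn (SMB)"},
}
ALL_PROTOCOLS = INSPECTABLE["download"] | INSPECTABLE["upload"]


def effective_scope(rule):
    """Return the (protocol, direction) pairs the rule can actually inspect."""
    if rule["direction"] not in ("Any", "download", "upload"):
        raise ValueError("unknown direction: %r" % rule["direction"])
    protos = ALL_PROTOCOLS if rule["protocol"] == "Any" else {rule["protocol"]}
    dirs = list(INSPECTABLE) if rule["direction"] == "Any" else [rule["direction"]]
    return {(p, d) for d in dirs for p in protos if p in INSPECTABLE[d]}


def lint_rule(rule):
    """Return a list of findings for one rule (empty list means no findings)."""
    findings = []
    scope = effective_scope(rule)
    if not scope:
        # e.g. SMTP is only inspected for uploads, IMAP/POP3 only for downloads
        findings.append("never-matches: %s is not inspected for %s"
                        % (rule["protocol"], rule["direction"]))
    if rule["protocol"] == "Any":
        findings.append("broad-protocol: restrict to one protocol if possible")
    if "multimedia" in rule["categories"] and any(p == "HTTP" for p, _ in scope):
        findings.append("high-volume: multimedia over HTTP may flood events")
    return findings


def lint_all(rules):
    """Map each rule name to its findings."""
    return {r["name"]: lint_rule(r) for r in rules}


# Constructed sample rules for illustration only.
RULES = [
    {"name": "mail-exe", "protocol": "SMTP", "direction": "download",
     "categories": ["executables"]},
    {"name": "all-media", "protocol": "Any", "direction": "Any",
     "categories": ["multimedia"]},
    {"name": "web-pdf", "protocol": "HTTP", "direction": "download",
     "categories": ["PDFs"]},
]

if __name__ == "__main__":
    for name, findings in lint_all(RULES).items():
        print(name, findings or "ok")
```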