Advanced and Archive File Inspection Options

The Advanced Settings in the file policy editor has the following general options:

  • First Time File Analysis—Select this option to analyze first-seen files while AMP cloud disposition is pending. The file must match a rule configured to perform a malware cloud lookup and Spero, local malware, or dynamic analysis. If you deselect this option, files detected for the first time are marked with an Unknown disposition.

  • Enable Custom Detection List—Block files on the custom detection list.

  • Enable Clean List—If enabled, this policy will allow files that are on the clean list.

  • If AMP Cloud disposition is Unknown, override disposition based upon threat score—Select an option:

    • If you select Disabled, the system will not override the disposition provided by the AMP Cloud.

    • If you set a threshold threat score, files with an AMP cloud verdict of Unknown are considered malware if their Dynamic Analysis score is equal to or worse than the threshold.

    • If you select a lower threshold value, you increase the number of files treated as malware. Depending on the action selected in your file policy, this can result in an increase of blocked files.
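The following is an added illustration, not Cisco code, of how the threat score override described above changes the disposition a file policy acts on. It assumes a 0 to 100 score scale where a higher score is worse, represents Disabled as None, and assumes that a file with no Dynamic Analysis score yet stays Unknown; the sample batch is constructed for the example.

```python
"""Model of the 'override disposition based upon threat score' option.

Documented rule: a file whose AMP Cloud disposition is Unknown is treated as
malware when its Dynamic Analysis threat score is equal to or worse than the
configured threshold. Score scale (0-100, higher is worse) and the handling
of files with no score are assumptions made for this illustration.
"""
from typing import List, Optional, Tuple

DISABLED = None  # "Disabled": never override the AMP Cloud disposition


def effective_disposition(cloud_disposition: str,
                          threat_score: Optional[int],
                          threshold: Optional[int]) -> str:
    """Return the disposition the policy acts on.

    Only an Unknown cloud verdict can be overridden; Malware and Clean
    verdicts are returned unchanged. A file with no dynamic analysis score
    (analysis pending or not performed) stays Unknown (assumption).
    """
    if cloud_disposition != "Unknown" or threshold is DISABLED:
        return cloud_disposition
    if threat_score is None:
        return "Unknown"
    # "Equal to or worse than" the threshold: a higher score is worse.
    return "Malware" if threat_score >= threshold else "Unknown"


def count_treated_as_malware(files: List[Tuple[str, Optional[int]]],
                             threshold: Optional[int]) -> int:
    """Count files the policy treats as malware at the given threshold."""
    return sum(1 for disposition, score in files
               if effective_disposition(disposition, score, threshold) == "Malware")


# Constructed sample batch: (AMP Cloud disposition, Dynamic Analysis score)
SAMPLE_FILES = [
    ("Malware", 95),
    ("Clean", 10),
    ("Unknown", 90),
    ("Unknown", 76),
    ("Unknown", 40),
    ("Unknown", None),   # dynamic analysis score not yet available
]

if __name__ == "__main__":
    # Lowering the threshold increases the number of files treated as malware.
    for thr in (DISABLED, 90, 76, 40):
        label = "Disabled" if thr is DISABLED else str(thr)
        print(f"threshold={label}: "
              f"{count_treated_as_malware(SAMPLE_FILES, thr)} treated as malware")
```

Running the block prints one line per threshold; the count grows from 1 (Disabled, only the cloud Malware verdict) to 4 at a threshold of 40, while the file without a score stays Unknown at every setting.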

The Advanced Settings in the file policy editor has the following archive file inspection options:

  • Inspect Archives—Enables inspection of the contents of archive files, for archive files as large as the Maximum file size to store advanced access control setting.

  • Block Encrypted Archives—Blocks password-protected archives.

  • Block Uninspectable Archives—Blocks archive files with contents that the system is unable to inspect for reasons other than encryption. This usually applies to corrupted files, or those that exceed your specified maximum archive depth.

  • Max Archive Depth—Blocks nested archive files that exceed the specified depth. The top-level archive file is not considered in this count; depth begins at 1 with the first nested file.
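The following is an added illustration, not Cisco code, of how the four archive options above combine when a nested archive is inspected, in particular the depth counting rule (the top-level archive is depth 0 and is not counted; the first nested archive is depth 1). The Entry and ArchiveOptions types, the block reason strings, and the sample archive trees are all constructed for this example.

```python
"""Model of the archive file inspection options in a file policy.

Documented rules applied here: Inspect Archives turns archive inspection on;
Block Encrypted Archives blocks password-protected archives; Block
Uninspectable Archives blocks archives that cannot be parsed for reasons
other than encryption; Max Archive Depth blocks nested archives deeper than
the configured value, counting from 1 at the first nested archive. The data
model and verdict strings are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Entry:
    name: str
    is_archive: bool = False
    encrypted: bool = False
    corrupt: bool = False    # cannot be parsed for a reason other than encryption
    children: List["Entry"] = field(default_factory=list)


@dataclass
class ArchiveOptions:
    inspect_archives: bool = True
    block_encrypted: bool = True
    block_uninspectable: bool = True
    max_archive_depth: int = 2


def inspect(entry: Entry, opts: ArchiveOptions, depth: int = 0) -> Optional[str]:
    """Return a block reason, or None if the archive passes every archive check.

    depth is the nesting level of `entry`: 0 for the top-level archive (not
    counted against Max Archive Depth), 1 for the first nested archive, etc.
    """
    if not opts.inspect_archives or not entry.is_archive:
        return None  # plain files, or inspection disabled: no archive rule applies
    if entry.encrypted:
        # Contents cannot be seen; block only if the option is set.
        return f"{entry.name}: encrypted archive" if opts.block_encrypted else None
    if entry.corrupt:
        return f"{entry.name}: uninspectable archive" if opts.block_uninspectable else None
    for child in entry.children:
        if not child.is_archive:
            continue
        child_depth = depth + 1
        if child_depth > opts.max_archive_depth:
            return (f"{child.name}: nesting depth {child_depth} exceeds "
                    f"Max Archive Depth {opts.max_archive_depth}")
        reason = inspect(child, opts, child_depth)
        if reason:
            return reason
    return None


def _archive(name: str, *children: Entry, **flags) -> Entry:
    return Entry(name, is_archive=True, children=list(children), **flags)


# Constructed sample archives
DEPTH_OK = _archive("outer.zip", Entry("readme.txt"),
                    _archive("inner.zip", Entry("tool.exe")))        # inner.zip at depth 1
TOO_DEEP = _archive("l0.zip", _archive("l1.zip",
                    _archive("l2.zip", _archive("l3.zip"))))          # l3.zip at depth 3
ENCRYPTED_INNER = _archive("outer.zip", _archive("secret.zip", encrypted=True))
CORRUPT = _archive("broken.zip", corrupt=True)

if __name__ == "__main__":
    opts = ArchiveOptions()
    for sample in (DEPTH_OK, TOO_DEEP, ENCRYPTED_INNER, CORRUPT, Entry("plain.pdf")):
        print(f"{sample.name}: {inspect(sample, opts) or 'passes archive checks'}")
```

With the default options (depth 2), outer.zip with one nested archive passes, the four-level archive is blocked at l3.zip, the encrypted inner archive and the corrupt archive are blocked, and a plain file is not subject to any archive rule. Setting max_archive_depth to 1 still passes DEPTH_OK, because the top-level archive is not counted.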