File Rule Actions

File rules give you granular control over which file types you want to log, block, or scan for malware. Each file rule has an associated action that determines how the system handles traffic that matches the conditions of the rule. To be effective, a file policy must contain one or more rules. You can use separate rules within a file policy to take different actions for different file types, application protocols, or directions of transfer.

File Rule Actions

  • Detect Files rules allow you to log the detection of specific file types to the database, while still allowing their transmission.

  • Block Files rules allow you to block specific file types. You can configure options to reset the connection when a file transfer is blocked, and store captured files to the managed device.

  • Malware Cloud Lookup rules allow you to calculate the SHA-256 hash value of specific file types, query the AMP cloud for the file's disposition (Malware, Clean, or Unknown), and log that disposition, while still allowing the file's transmission.

  • Block Malware rules allow you to calculate the SHA-256 hash value of specific file types, query the AMP cloud to determine whether files traversing your network contain malware, then block the files whose disposition is Malware. Files with Clean or Unknown dispositions are still transmitted.

File Rule Action Options

Depending on the action you select, different options are available. For each option, the list below states whether a rule with the given action can use it, and what the option does for that action:

Spero Analysis* for MSEXE
  • Block Files: no
  • Block Malware: yes, you can submit executable files
  • Detect Files: no
  • Malware Cloud Lookup: yes, you can submit executable files

Dynamic Analysis*
  • Block Files: no
  • Block Malware: yes, you can submit executable files with Unknown file dispositions
  • Detect Files: no
  • Malware Cloud Lookup: yes, you can submit executable files with Unknown file dispositions

Capacity Handling
  • Block Files: no
  • Block Malware: yes
  • Detect Files: no
  • Malware Cloud Lookup: yes

Local Malware Analysis*
  • Block Files: no
  • Block Malware: yes
  • Detect Files: no
  • Malware Cloud Lookup: yes

Reset Connection
  • Block Files: yes (recommended)
  • Block Malware: yes (recommended)
  • Detect Files: no
  • Malware Cloud Lookup: no

Store files
  • Block Files: yes, you can store all matching file types
  • Block Malware: yes, you can store file types matching the file dispositions you select
  • Detect Files: yes, you can store all matching file types
  • Malware Cloud Lookup: yes, you can store file types matching the file dispositions you select

* For complete information about these options, see Malware Protection Options (in File Rule Actions) and its subtopics.
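To make the differences between the four actions and their options concrete, the following is an added example written for this page; it is not Cisco code and does not talk to the AMP cloud. It computes the SHA-256 of a file seen in transit, resolves its disposition from a constructed in-memory table that stands in for the cloud (any hash the table lacks is Unknown, as with a real lookup), rejects options that the action does not support per the list above, and returns the verdict plus what would be logged or stored. The file contents, the hash table, and the option names (`store_files`, `store_dispositions`, `reset_connection`, `dynamic`, `spero`, `local`) are all assumptions made for the example.

```python
"""Simulated evaluation of file rules (added illustration, not Cisco code)."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample payloads standing in for files seen in transit.
SAMPLES = {
    "setup.exe":   b"MZ\x90\x00 constructed executable payload A",
    "report.pdf":  b"%PDF-1.4 constructed document payload",
    "dropper.exe": b"MZ\x90\x00 constructed executable payload B",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the AMP cloud: SHA-256 -> disposition.
# A hash absent from the table yields "Unknown", as a real lookup would.
CLOUD = {
    sha256_hex(SAMPLES["dropper.exe"]): "Malware",
    sha256_hex(SAMPLES["report.pdf"]):  "Clean",
}

# Options each action accepts, taken from the option list above.
# (Option identifiers are assumed names for this example.)
OPTIONS_ALLOWED = {
    "Detect Files":         {"store_files"},
    "Block Files":          {"store_files", "reset_connection"},
    "Malware Cloud Lookup": {"store_dispositions", "spero", "dynamic", "local"},
    "Block Malware":        {"store_dispositions", "spero", "dynamic", "local",
                             "reset_connection"},
}

@dataclass
class FileRule:
    action: str
    file_types: set                              # e.g. {"MSEXE", "PDF"}
    options: set = field(default_factory=set)
    store_dispositions: set = field(default_factory=set)  # for the lookup actions

    def __post_init__(self):
        if self.action not in OPTIONS_ALLOWED:
            raise ValueError(f"unknown action {self.action!r}")
        bad = self.options - OPTIONS_ALLOWED[self.action]
        if bad:
            raise ValueError(f"{self.action} does not support {sorted(bad)}")

def lookup_disposition(data: bytes) -> str:
    return CLOUD.get(sha256_hex(data), "Unknown")

def evaluate(rule: FileRule, file_type: str, data: bytes):
    """Return (verdict, log) for one file; verdict is pass/allow/block/reset."""
    if file_type not in rule.file_types:
        return "pass", {}                        # rule does not match this file
    log = {"sha256": sha256_hex(data), "type": file_type}
    blocking = "reset" if "reset_connection" in rule.options else "block"

    if rule.action == "Detect Files":
        log.update(event="detected", stored="store_files" in rule.options)
        return "allow", log
    if rule.action == "Block Files":
        log.update(event="blocked", stored="store_files" in rule.options)
        return blocking, log

    # Malware Cloud Lookup and Block Malware: hash the file and query the
    # (simulated) cloud; storage is decided by the selected dispositions.
    disp = lookup_disposition(data)
    log.update(disposition=disp, stored=disp in rule.store_dispositions)
    # Dynamic Analysis only submits executables with an Unknown disposition.
    log["dynamic_analysis"] = ("dynamic" in rule.options
                               and file_type == "MSEXE" and disp == "Unknown")
    if rule.action == "Malware Cloud Lookup":
        return "allow", log
    # Block Malware: only a Malware disposition is blocked; Clean and
    # Unknown files are still transmitted.
    return (blocking if disp == "Malware" else "allow"), log

if __name__ == "__main__":
    rule = FileRule("Block Malware", {"MSEXE"},
                    {"reset_connection", "dynamic"}, {"Malware", "Unknown"})
    for name, data in SAMPLES.items():
        ftype = "MSEXE" if name.endswith(".exe") else "PDF"
        print(name, evaluate(rule, ftype, data))
```

Running the block shows the behaviour the option list describes: the known-malicious executable gets the connection reset and is stored, the never-seen executable is allowed, stored (Unknown was selected), and flagged for Dynamic Analysis, and the PDF is not touched by a rule scoped to MSEXE. Constructing a Detect Files rule with `reset_connection` raises immediately, mirroring the "no" entries in the list.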

Caution

The following changes restart the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection: enabling or disabling Store files in a Detect Files or Block Files rule; adding the first, or removing the last, file rule that combines the Malware Cloud Lookup or Block Malware action with an analysis option (Spero Analysis for MSEXE, Dynamic Analysis, or Local Malware Analysis) or with a store files option (Malware, Unknown, Clean, or Custom). Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information.