Creating File Rules

Caution

Enabling or disabling Store files in a Detect Files or Block Files rule, or adding the first or removing the last file rule that combines the Malware Cloud Lookup or Block Malware file rule action with an analysis option (Spero Analysis or MSEXE, Dynamic Analysis, or Local Malware Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort Restart Traffic Behavior for more information.

Before you begin

If you are configuring rules for malware protection, see Configure File Policies.

Procedure


Step 1

Select Policies > Access Control > Malware & File.

Step 2

Click the edit icon to modify an existing file policy.

Step 3

In the file policy editor, click Add Rule.

Step 4

Select an Application Protocol and Direction of Transfer as described in File Rule Components.

Step 5

Select one or more File Types.

The file types you see depend on the selected application protocol, direction of transfer, and action.

You can filter the list of file types in the following ways:

  • Select one or more File Type Categories, then click All types in selected Categories.

  • Search for a file type by its name or description. For example, type Windows in the Search name and description field to display a list of Microsoft Windows-specific files.

Tip

Hover your pointer over a file type to view its description.

Step 6

Select a file rule Action as described in File Rule Actions, with consideration for File Rule Actions: Evaluation Order.

The actions available to you depend on the licenses you have installed. See License Requirements for File and Malware Policies.

Step 7

Depending on the action you selected, configure options:

  • reset the connection after blocking the file

  • store files that match the rule

  • enable Spero analysis*

  • enable local malware analysis*

  • enable dynamic analysis* and capacity handling

* For information about these options, see File Rule Actions and Malware Protection Options (in File Rule Actions) and its subtopics.

Step 8

Click Add.

Step 9

Click Save to save the policy.


What to do next

  • If you are configuring policies for malware protection, return to Configure File Policies.

  • Deploy configuration changes.
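
The Caution at the top of this topic reduces to two checks that can be run against a pending change before you deploy. The following Python is an added example, not Cisco code; the rule dictionaries, rule IDs, and option keys are a hypothetical model and not the product's API or export format. It also assumes that a rule missing from one side counts as having Store files off on that side.

```python
# Hypothetical rule model (assumption, not a product format): each rule is
#   {"id": str, "action": str, "store": set, "analysis": set}
# A non-empty "store" set means a store files option is enabled on the rule.
MALWARE_ACTIONS = {"Malware Cloud Lookup", "Block Malware"}
FILE_ACTIONS = {"Detect Files", "Block Files"}


def _combines(rule):
    """Malware action paired with any analysis option or store files option."""
    return rule["action"] in MALWARE_ACTIONS and bool(rule["analysis"] or rule["store"])


def _stores(rule):
    """Detect Files or Block Files rule with Store files enabled."""
    return rule is not None and rule["action"] in FILE_ACTIONS and bool(rule["store"])


def snort_restart_reasons(deployed, pending):
    """Return the Caution conditions that `pending` triggers relative to `deployed`."""
    reasons = []
    old = {r["id"]: r for r in deployed}
    new = {r["id"]: r for r in pending}
    # Condition 1: Store files toggled in a Detect Files or Block Files rule.
    for rid in sorted(old.keys() | new.keys()):
        if _stores(old.get(rid)) != _stores(new.get(rid)):
            state = "enabled" if _stores(new.get(rid)) else "disabled"
            reasons.append(f"rule {rid}: Store files {state}")
    # Condition 2: first combining malware rule added, or last one removed.
    had = any(_combines(r) for r in deployed)
    has = any(_combines(r) for r in pending)
    if has and not had:
        reasons.append("first malware rule with analysis/store option added")
    elif had and not has:
        reasons.append("last malware rule with analysis/store option removed")
    return reasons


# Constructed sample policies (not taken from any real device).
DEPLOYED = [
    {"id": "r1", "action": "Detect Files", "store": set(), "analysis": set()},
    {"id": "r2", "action": "Malware Cloud Lookup", "store": set(), "analysis": set()},
]
PENDING = [
    {"id": "r1", "action": "Detect Files", "store": {"enabled"}, "analysis": set()},
    {"id": "r2", "action": "Malware Cloud Lookup", "store": set(), "analysis": {"spero"}},
    {"id": "r3", "action": "Block Malware", "store": {"Malware"}, "analysis": set()},
]

if __name__ == "__main__":
    for reason in snort_restart_reasons(DEPLOYED, PENDING):
        print("Snort restart on deploy:", reason)
```

An empty result means neither Caution condition applies to the change; adding a second combining malware rule to a policy that already has one, for example, returns no reasons.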