Configure Offline Advanced Threat Protection
For supported software information, click here.
Antivirus software is typically installed on endpoint machines. When a new malware outbreak occurs, antivirus software vendors update their definition or data file for the antivirus software so that the software detects the new malware. This scenario has the following limitations:
- Because of the volume of malware files and evasion techniques, such as polymorphism, packers, and encryption, signature-based detection of malware is ineffective.
- In case of a malware infection, the impact of the malware is quite significant.
Addressing these scenarios requires real-time, zero-day threat detection that does not require waiting for signature updates to detect and protect against threats.
Versa offline advanced threat protection (ATP) provides advanced detection mechanisms that detect zero-day threats and protect organizations from them. Offline ATP includes the following detection mechanisms:
- Artificial intelligence (AI) and machine learning (ML)
- MITRE ATT&CK framework
- Multiple sandboxes and dynamic analysis
- Multiple antivirus engines
- Reputation-based matches
- Signature-based matches
- Static analysis
You can configure offline ATP in Versa Concerto using sandboxing profiles. Then, in a security policy, you associate a sandboxing profile with the policy action so that the profile is applied to traffic that matches the criteria in the policy. You can also configure ATP for API-based data protection, also known as offline Cloud Access Security Broker (CASB).
When you enable sandboxing, files extracted from matching traffic are submitted to ATP for zero-day threat detection. If offline ATP detects any zero-day malware, policy enforcement actions are taken to alert, block, or remediate the affected devices.
To enable offline ATP in Concerto, you configure ATP profiles to define ATP actions, sandbox rules, and default actions.
Configure ATP Profiles
- Go to Configure > Security Service Edge > Advanced Security > Profiles.

The Profiles screen displays with the Cloud Access Security Broker (CASB) tab selected by default.
- Select Advanced Threat Protection (ATP) in the horizontal menu bar. The Profiles subtab is selected by default.
The Profiles screen displays all configured ATP profiles, including built-in profiles. Built-in profiles are predefined in Concerto. You can use them without modification, or you can clone and modify a built-in profile. To use the built-in profiles, SASE needs to be enabled on the tenant, and the tenant needs to have the VSIA solution tier.

- In the horizontal menu bar, you can select one of the following operations.

| Operation | Description |
|---|---|
| Add | Create a new ATP rule. This button is active when no existing rule is selected. |
| Clone | Clone the selected ATP rule. When you select this option, the configuration wizard for the rule displays with the Review & Deploy screen selected. You can rename the default name of the cloned rule, if needed, and then click Save. |
| Delete | Delete the selected ATP rule. A popup window displays. Click Yes to delete the ATP rule, or click No to retain the rule. |
| Refresh | Refresh the list of existing profiles. |
| Reference | View all references to any SASE object for ATP profiles from other levels of the configuration hierarchy. For more information, see View References to SASE Profile Objects. |
| Select Columns | Customize which columns to display. Click Reset to return to the default column settings. The options are: Number of Sandbox Rules, ATP Rules. |
- Click the Global Settings tab to configure global ATP settings. Any modifications you make on this screen are reflected in all ATP rules that use global ATP settings. Enter information for the following fields.

| Field | Description |
|---|---|
| Unknown File Types | Click the slider bar to enable the scanning of unknown file types. By default, this option is disabled. |
| Notifications | Select a notification profile. |
| Timeout (Group of Fields) | |
| Timeout Action | Select a timeout action. The options are: Allow, Alert, Block, Reject. |
| Duration to Wait Before Timeout | Enter the amount of time the timeout action lasts, in seconds. Default: 30 seconds |
| ATP Actions (Group of Fields) | |
| Clean | Select the action to take for files with clean file reputations: Alert, Allow, Block, Reject. |
| Suspicious | Select the action to take for files with suspicious file reputations: Alert, Allow, Block, Reject. |
| Malicious | Select the action to take for files with malicious file reputations: Alert, Allow, Block, Reject. |
- Click Save.
- Select the Profiles tab again, and then click the Add icon to add a new ATP profile. The following screen displays with step 1, ATP Rules, selected by default.

- To customize which columns display, click Select Columns, and then click the columns to select or deselect the ones you want to display. Click Reset to return to the default column settings. The available columns are:
- File Type
- Direction
- Pending Action
- Send to Additional/Advanced ATP Services
- Enabled
- Click the Add icon to configure ATP rules. The Add ATP Rule screen displays, with step 1, Match Criteria, selected by default.

- Select the types of files to detect and analyze. To select all file types, click Select All.
- In the Select Type of File Direction field, select one of the following.

| Field | Description |
|---|---|
| Both | Click to select both the download and upload file actions. |
| Download | Click to select the download file action only. |
| Upload | Click to select the upload file action only. |

- Click Next to go to step 2, Actions. You can use the default global ATP action settings, or configure custom settings for the ATP rule.
- To use global ATP settings for the rule, select the Global tab. The default global settings display for ATP Actions, Timeout, and Notification. Note that you can modify the global settings in Step 11b, below.

| Field | Description |
|---|---|
| Config | Choose Global. |
| ATP Actions | Displays the configured global ATP actions for Clean, Suspicious, and Malicious files. |
| Timeout | Displays the action to take on a file if the sandbox notification times out, and the timeout duration period. |
| Notification | Displays the notification profile used for notification settings. |
| Pending Action | Choose which action to take on a file while waiting for the file evaluation from the cloud. The actions are: Allow and scan first time, Block, Wait until timeout. |
| Send to Additional/Advanced ATP Services | Disabled by default. Click the slider bar to send the files to be evaluated by ATP services such as AI/ML, static analysis, multiAV, and dynamic analysis. |

- To configure ATP custom actions, select the Custom tab, and then enter information for the following fields.

| Field | Description |
|---|---|
| ATP Actions (Group of Fields) | |
| Clean | Select the action to take when a file is determined to be clean: Allow, Alert, Block, Reject. |
| Suspicious | Select the action to take when a file is determined to be suspicious: Allow, Alert, Block, Reject, Quarantine. If you select Quarantine, also select a profile from the Quarantine Profile drop-down list. |
| Malicious | Select the action to take when a file is determined to be malicious: Allow, Alert, Block, Reject, Quarantine. If you select Quarantine, also select a profile from the Quarantine Profile drop-down list. |
| Timeout (Group of Fields) | |
| Timeout Action | Select a timeout action from the list. The options are: Allow, Alert, Block, Reject. |
| Quarantine Profile | Select the quarantine profile. |
| Duration to Wait Before Timeout | Number of seconds to wait before timing out. |
| Notifications | Select a profile from the Notification Profile drop-down list. |
| Pending Action | Choose which action to take on a file until the cloud services determination is made. The actions are: Allow and scan first time, Block, Wait until timeout. |
| Send to Additional/Advanced ATP Services | Disabled by default. Click the slider bar to send the files to be evaluated by ATP services such as AI/ML, static analysis, multiAV, and dynamic analysis. |
- Click Next to go to step 3, Review and Submit. Enter information for the following fields.

| Field | Description |
|---|---|
| Rule Name | Enter a name for the ATP rule. |
| Description | (Optional) Enter a description for the rule. |
| Rule is Enabled | Click the slider bar to enable the rule. |

- Click Save to save the ATP rule.
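
The following added example (not Versa code, and not a Concerto export or API format) models the global settings and ATP rule fields described above as Python dictionaries, resolves which settings each rule actually uses, and reports the paths on which a file is let through. The dictionary layout, the sample values, and the treatment of Allow and Alert as non-blocking actions are assumptions made for illustration.

```python
# Added example: hypothetical model of the UI fields described in this article.
# Assumption: Allow and Alert both let the file through; Alert only logs.
FAIL_OPEN = {"Allow", "Alert"}

# Constructed sample data (not taken from a real tenant).
GLOBAL_SETTINGS = {
    "atp_actions": {"Clean": "Allow", "Suspicious": "Alert", "Malicious": "Block"},
    "timeout_action": "Allow",
    "timeout_seconds": 30,
}
RULES = [
    {"name": "exe-download", "enabled": True, "direction": "Download",
     "config": "Global", "pending_action": "Allow and scan first time",
     "send_to_advanced": False},
    {"name": "docs-both", "enabled": True, "direction": "Both",
     "config": "Custom", "pending_action": "Wait until timeout",
     "send_to_advanced": True, "quarantine_profile": None,
     "atp_actions": {"Clean": "Allow", "Suspicious": "Quarantine",
                     "Malicious": "Quarantine"},
     "timeout_action": "Block", "timeout_seconds": 60},
]


def effective(rule, global_settings):
    """Resolve the settings a rule uses: Global tab inherits, Custom tab overrides."""
    source = global_settings if rule["config"] == "Global" else rule
    return {k: source[k] for k in ("atp_actions", "timeout_action", "timeout_seconds")}


def audit(rule, global_settings):
    """Return findings describing where this rule does not stop a file."""
    eff, findings = effective(rule, global_settings), []
    for verdict in ("Suspicious", "Malicious"):
        action = eff["atp_actions"][verdict]
        if action in FAIL_OPEN:
            findings.append(f"{verdict} files are not stopped ({action})")
        if action == "Quarantine" and not rule.get("quarantine_profile"):
            findings.append(f"{verdict}=Quarantine but no quarantine profile selected")
    if eff["timeout_action"] in FAIL_OPEN:
        findings.append(f"timeout fails open ({eff['timeout_action']})")
    if rule["pending_action"] == "Allow and scan first time":
        findings.append("first-seen files are delivered before a verdict")
    if not rule["send_to_advanced"]:
        findings.append("additional/advanced ATP services disabled")
    if not rule["enabled"]:
        findings.append("rule is disabled")
    return findings
```

Because a rule on the Global tab inherits its verdict and timeout actions, a single permissive global setting shows up as a finding on every rule that uses it.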
Supported Actions for Each Application
| Application | Alert | Quarantine | Block or Delete |
|---|---|---|---|
| IaaS Applications | | | |
| Amazon Web Services (AWS) | Yes | Yes | Yes |
| Google Cloud Platform (GCP) | Yes | Yes | Yes |
| Microsoft Azure Cloud | Yes | Yes | Yes |
| Oracle Cloud Infrastructure (OCI) | Yes | Yes | Yes |
| SaaS Applications | | | |
| Asana | Yes | Yes | Yes |
| Box | Yes | Yes | Yes |
| Cisco Webex Teams | Yes | Yes | Yes |
| Citrix ShareFile | Yes | Yes | Yes |
| Confluence | Yes | Yes | Yes |
| Dropbox | Yes | Yes | Yes |
| Egnyte | Yes | Yes | Yes |
| Google Drive | Yes | Yes | Yes |
| GitHub | Yes | Yes | Yes |
| GitLab | Yes | Yes | Yes |
| Gmail | Yes | Yes | No |
| Jira | Yes | Yes | Yes |
| Microsoft OneDrive | Yes | Yes | Yes |
| Microsoft Outlook | Yes | Yes | Yes |
| Microsoft SharePoint | Yes | Yes | Yes |
| Microsoft Teams | No | No | No |
| Microsoft Yammer | No | No | No |
| Notion | Yes | Yes | Yes |
| Salesforce | Yes | Yes | Yes |
| ServiceNow | Yes | Yes | Yes |
| Slack | Yes | Yes | Yes |
| Trello | Yes | Yes | Yes |
| Zendesk | Yes | Yes | Yes |
| Zoom | Yes | Yes | Yes |
Software Release Information
Releases 11.1.1 and later support all content described in this article, except:
- Release 12.2.1 updates the UI screens and procedures and adds two new built-in ATP profiles:
  - Exe_and_Common_File_Types_Advanced_Security
  - Executables_Advanced_Security
