Threat Emulation Early Verdict for Prevent
Solution

Table of Contents:

  1. Overview
  2. How to enable / disable the early verdict feature
  3. Examples of Logs
  4. New Public API Interface
  5. Related documentation
  6. Related solutions

 

(1) Overview

The early verdict feature provides a partial response whenever the Threat Emulation engine can calculate a partial verdict for a file before emulation completes and that partial verdict is malicious.

The prevent action is taken if the confidence level of the early (malicious) verdict is high enough according to the Threat Prevention policy.
The prevent action is carried out immediately; it does not wait for the final verdict.

The early verdict feature is part of a new mechanism that will improve over time, allowing faster prevention by reacting to files with fast decision engines (machine learning, static engines, macro detections, and so on).

The early verdict feature is enabled by default in the following emulation modes:

  • Local Emulation on this gateway (except in VSX mode)
  • Local Emulation on Local Threat Emulation Appliance
  • Remote Emulation on Remote Threat Emulation Appliance
  • Cloud Emulation Threat Cloud

When an early prevent action occurs, a log is generated immediately with partial details (verdict, severity, confidence, and so on). Later, when the final verdict is determined, that partial log is overridden by the full detailed log.

 

(2) How to enable / disable the early verdict feature

The main command is:

[Expert@HostName:0]# tecli advanced part_response ...

Where:

Emulation Mode: Local Emulation on this gateway, and Local Emulation on Local Threat Emulation Appliance

  tecli advanced part_response local ...         Manages the local partial response configuration
  tecli advanced part_response local stat        Shows the current status of the local partial response
  tecli advanced part_response local enable      Activates the local partial response
  tecli advanced part_response local disable     Deactivates the local partial response

Emulation Mode: Remote Emulation on Remote Threat Emulation Appliance

  tecli advanced part_response remote ...        Manages the remote partial response configuration on the sender side (*)
  tecli advanced part_response remote stat       Shows the current status of the remote partial response on the sender side (*)
  tecli advanced part_response remote enable     Activates the remote partial response on the sender side (*)
  tecli advanced part_response remote disable    Deactivates the remote partial response on the sender side (*)

Emulation Mode: Remote Emulation on ThreatCloud

  tecli advanced part_response cloud ...         Manages the cloud partial response configuration on the sender side (*)
  tecli advanced part_response cloud stat        Shows the current status of the cloud partial response on the sender side (*)
  tecli advanced part_response cloud enable      Activates the cloud partial response on the sender side (*)
  tecli advanced part_response cloud disable     Deactivates the cloud partial response on the sender side (*)

(*) The "sender side" refers to the Security Gateway that sends the files for remote emulation.

 

Default settings:

  Partial Response    Gateway mode    VSX mode
  local               enabled         disabled (*)
  remote              enabled         enabled
  cloud               enabled         enabled

(*) Local partial response cannot be enabled in VSX mode, because Local Emulation is not supported in VSX mode.

 

(3) Examples of Logs

[Screenshots: HTTP Partial Log, HTTP Full Detailed Log]
  Stamped time (early response being sent): 13:39:03
  Updated log card time: 13:41:15

[Screenshots: SMTP Partial Log, SMTP Full Detailed Log]
  Stamped time (early response being sent): 15:11:01
  Updated log card time: 15:14:07

[Screenshots: HTTP Partial Archive Log, HTTP Full Detailed Archive Log]
  Stamped time (early response being sent): 15:30:00
  Updated log card time: 15:32:06

 

(4) New Public API Interface

To use the early verdict mechanism, Public API clients must include, in the Request of both the Upload API and the Query API, a new feature named te_eb (short for "Threat Emulation - Early Bird") in addition to the existing te feature.

The "te_eb" feature within the Request has no attributes.

Json: "request" : [
         {
             "features" : [ "te" , "te_eb" ],
             "file_name" : "..",
             ...
             "te" : {
                ...
             }
         }
      ]

The "te_eb" feature Response has the same status format as "te" feature.

When an early verdict is available, the Response also includes the attributes "combined_verdict", "confidence" and "severity" inside "te_eb"; until then "te_eb" carries only its "status".

Json: "response" : [
         {
             "features" : [ "te" , "te_eb" ],
             ...
             "te" : {
                ...
             },
             "te_eb" : {
                 "combined_verdict" : "..",
                 "confidence" : .. ,
                 "severity" : .. ,
                 "status" : {
                    "code" : .. ,
                    "label" : "..",
                    "message" : "..."
                  }
              }
          }
      ]
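The following is an added client-side example, not code from Check Point or from this article. It builds a Query/Upload request body that lists both "te" and "te_eb", parses a Response, and reproduces the gateway's rule of preventing only on a malicious early verdict whose confidence meets the policy threshold, otherwise waiting for the final "te" verdict. The sample responses are constructed for this example; the confidence scale (0..3), the threshold of 2, the "reports" option under "te", and the status codes/labels are assumptions, not values given by the article.

```python
"""Handle the "te_eb" (Early Bird) feature on the Public API client side.

Added example, not Check Point's own code. Numeric scales, threshold and
status codes below are assumptions made for this example.
"""
import json
from dataclasses import dataclass
from typing import Any, Dict, Optional

# Assumed for this example: confidence is an integer 0..3 and a policy
# "confidence level" maps onto a minimum value an early verdict must reach.
DEFAULT_MIN_CONFIDENCE = 2


def build_request(file_name: str, te_options: Dict[str, Any]) -> Dict[str, Any]:
    """Build a request body asking for an early verdict.

    "te_eb" has no attributes of its own: it is only listed in "features"
    next to the existing "te" feature, whose options are passed through.
    """
    return {
        "request": [
            {
                "features": ["te", "te_eb"],
                "file_name": file_name,
                "te": dict(te_options),
            }
        ]
    }


@dataclass(frozen=True)
class EarlyVerdict:
    combined_verdict: str
    confidence: int
    severity: int
    status_code: int
    status_label: str


def extract_early_verdict(response_body: Dict[str, Any]) -> Optional[EarlyVerdict]:
    """Return the te_eb early verdict of the first response entry, or None.

    None means there is nothing to act on yet: no te_eb block, or a te_eb
    block carrying only a status (e.g. still pending) without the three
    verdict attributes that accompany an early verdict.
    """
    entries = response_body.get("response") or []
    if not entries:
        return None
    eb = entries[0].get("te_eb")
    if not isinstance(eb, dict):
        return None
    if not all(key in eb for key in ("combined_verdict", "confidence", "severity")):
        return None
    status = eb.get("status") or {}
    return EarlyVerdict(
        combined_verdict=str(eb["combined_verdict"]),
        confidence=int(eb["confidence"]),
        severity=int(eb["severity"]),
        status_code=int(status.get("code", 0)),
        status_label=str(status.get("label", "")),
    )


def should_prevent_early(verdict: Optional[EarlyVerdict],
                         min_confidence: int = DEFAULT_MIN_CONFIDENCE) -> bool:
    """Prevent immediately only on a malicious early verdict whose confidence
    meets the threshold; a benign or low-confidence early verdict is ignored."""
    if verdict is None:
        return False
    return (verdict.combined_verdict.lower() == "malicious"
            and verdict.confidence >= min_confidence)


def decide(response_body: Dict[str, Any],
           min_confidence: int = DEFAULT_MIN_CONFIDENCE) -> str:
    """'prevent' when the early verdict is actionable, else 'wait_for_final'
    (the final "te" verdict will override the partial one later)."""
    early = extract_early_verdict(response_body)
    return "prevent" if should_prevent_early(early, min_confidence) else "wait_for_final"


# Constructed sample responses (not captured from a gateway or ThreatCloud);
# the status codes and labels are assumed placeholder values.
_PENDING = {"code": 1003, "label": "PENDING", "message": "emulation in progress"}
_FOUND = {"code": 1001, "label": "FOUND", "message": "early verdict available"}
SAMPLE_EARLY_MALICIOUS = {"response": [{
    "features": ["te", "te_eb"], "file_name": "invoice.docm",
    "te": {"status": _PENDING},
    "te_eb": {"combined_verdict": "Malicious", "confidence": 3, "severity": 4, "status": _FOUND},
}]}
SAMPLE_PENDING = {"response": [{
    "features": ["te", "te_eb"], "file_name": "report.pdf",
    "te": {"status": _PENDING}, "te_eb": {"status": _PENDING},
}]}
SAMPLE_EARLY_LOW_CONFIDENCE = {"response": [{
    "features": ["te", "te_eb"], "file_name": "macro.xlsm",
    "te": {"status": _PENDING},
    "te_eb": {"combined_verdict": "Malicious", "confidence": 1, "severity": 3, "status": _FOUND},
}]}

if __name__ == "__main__":
    print(json.dumps(build_request("invoice.docm", {"reports": ["summary"]}), indent=2))
    for name, body in (("malicious", SAMPLE_EARLY_MALICIOUS), ("pending", SAMPLE_PENDING),
                       ("low confidence", SAMPLE_EARLY_LOW_CONFIDENCE)):
        print(f"{name}: {decide(body)}")
```

A real client would send the body from build_request to the Upload or Query endpoint and poll until "te" reports a final status; only the te_eb branch above is specific to the early verdict feature.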

 

 
