Threat Emulation Policy Granularity Manager

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk132492
Technical Level
Product	Threat Emulation
Version	R77 (EOL), R77.10 (EOL), R77.20, R77.30 (EOL), R80.10 (EOL), R80.20, R80.30, R80.40
Date Created	02-Aug-2018
Last Modified	07-Oct-2021

Solution

Introduction

Starting in Engine Update 7.3, support for Policy Granularity Manager (PGM) was added to Threat Prevention. PGM allows you to configure Threat Prevention behavior when you encounter errors or specific flows. The outcomes of the errors can be configured to error, continue, fail-close policy or fail-open policy.

Error - Behaves according to general policy. If fail-close, the file is declared as malicious and dropped with a log entry, if fail-open, the file is declared as benign and passed

Continue - Behaves as if the error did not occur and continues in the flow, e.g., if the "max files in archive" attribute is set to continue, the archive will be extracted and analyzed even though there are more files than permitted.

Fail-Close Policy - If there is an error, the file is declared as malicious and dropped with a log entry.

Fail-Open Policy - If there is an error, the file is declared as benign and passed.

Availability

Support for this feature on a Security Gateway is included in Engine Update 7.3.

Configuration Policies

A file that the Threat Emulation blade failed to emulate can be treated as a malicious file (fail-close policy) or as a benign file (fail-open policy). The configuration is performed through the Threat Emulation Command Line Interface - the tecli command. On the GW:

To show the current status of an error, run:

[Expert@HostName:0]# tecli advance error show

To treat an error as a malicious file (fail-close policy), run the following command in Expert mode:

Expert@HostName:0]# tecli advance error set "Error type" fail_close

To treat an error as a benign file (fail-open policy), run the following command in Expert mode:

[Expert@HostName:0]# tecli advance error set "Error type" fail_open

Supported error types

File exceeds size limit (supported on R80.10 and above, Threat Emulation must be in Hold mode).
Password protected archives cannot be emulated (refer to sk112821 for limitations).
Max number of files in archive reached
Archive extraction error
Max decompression rate limit reached in archive
Unsupported file type
Password protected document (Office and PDF)

○ This policy is not supported on cloud environments.
○ This policy should only be set on both the Emulator and the Gateway.

Example

Note that the description and Error State match the reason and verdict in the log. By changing the Error State for a specific error type, you can alter the verdict to Accept or Drop.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating