ICAP Sensor
Note
This feature is available only with Sandbox Analyzer On-premises.
In this section you can configure automatic submission to Sandbox Analyzer via ICAP sensor.
Note
Sandbox Analyzer requires a Security Server configured to scan network-attached storage (NAS) devices that use the ICAP protocol. For details, refer to Storage Protection.
Select the Automatic samples submissions from ICAP sensor check box to enable automatic submission of suspicious files to Sandbox Analyzer.
Under Content Prefiltering, customize the protection level against potential threats. The network sensor has embedded a content filtering mechanism which determines whether a suspicious file needs to be detonated in Sandbox Analyzer.
The object types supported are: applications, documents, scripts, archives, emails. For more details on the supported object types, refer to File Types Supported by Content Prefiltering at Automatic Submission.
Use the master switch at the top of the threats list to choose a unique level of protection for all types of objects, or select individual levels to fine tune protection.
Setting the module at a certain level will result in a certain number of submitted samples:
Permissive. The ICAP sensor automatically submits to Sandbox Analyzer only the objects with the highest probability of being malicious and ignores the rest of the objects.
Normal. The ICAP sensor finds a balance between the submitted and ignored objects and sends to Sandbox Analyzer both objects with a higher and with a lower probability of being malicious.
Aggressive. The ICAP sensor submits to Sandbox Analyzer almost all objects, regardless of their potential risk.
In a dedicated field, you can define exceptions for the object types that you do not want to submit to Sandbox Analyzer.
You can also define size limits of the submitted objects by selecting the corresponding check box and entering any desired values between 1 KB and 50 MB.
Under Connection Settings, select the preferred Sandbox Analyzer instance for submitting network content.
If you have your network behind a proxy server or a firewall, you can configure a proxy to connect to Sandbox Analyzer by selecting the Use proxy configuration check box.
You have to fill in the following fields:
Server - the IP of the proxy server.
Port - the port used to connect to the proxy server.
Username - a user name recognized by the proxy.
Password - the valid password for the specified user.
Under Detonation profile, adjust the complexity level of behavioral analysis, while affecting the Sandbox Analyzer throughput. For example, if set to High, Sandbox Analyzer would perform a more accurate analysis on fewer samples, in the same interval, than on Medium or Low.