Configure high throughput protection

conf.user configure sandbox extraction <json_value>

Product

Guardian

Description

This option lets you define which files have to be analysed by Sandbox. The enabled_... suboptions restrict the analysis to the files that satisfy the given criteria, while the disabled_... suboptions exclude only the files that match the given criteria and leave all the others enabled. When several criteria are specified they are combined with AND (i.e. all of them have to be satisfied). Note that the file extension criteria consider the advertised file extension only. If an attacker hides a malicious executable behind a Joint Photographic Experts Group (JPEG) file extension, Sandbox has no way to tell that the file is an executable without performing an in-depth analysis of the file itself. For this reason, we strongly discourage the use of the file extension attributes in the JavaScript Object Notation (JSON) object below. Protocol, zone and node criteria are encouraged instead, for the cases where even the adaptive auto switch-off algorithm cannot provide sufficient protection against high throughputs.

The JSON object can have the following attributes:
  • enabled_protocols - only files extracted from these protocols will be analysed
  • disabled_protocols - files extracted from these protocols will be excluded from the analysis
  • enabled_file_extensions - only files extracted with these advertised extensions will be analysed
  • disabled_file_extensions - files extracted with these advertised extensions will be excluded from the analysis
  • enabled_zones - only files extracted from the specified zones (both source and destination) will be analysed.
  • disabled_zones - files extracted from the specified zones (both source and destination) will be excluded from the analysis.
  • enabled_src_zones - only files extracted from the specified source zones will be analysed.
  • disabled_src_zones - files extracted from the specified source zones will be excluded from the analysis.
  • enabled_dst_zones - only files extracted from the specified destination zones will be analysed.
  • disabled_dst_zones - files extracted from the specified destination zones will be excluded from the analysis.
  • enabled_node_types - only files extracted from nodes of the specified types will be analysed (both source and destination).
  • disabled_node_types - files extracted from nodes of the specified types will be excluded from the analysis (both source and destination).
  • enabled_src_node_types - only files extracted from packets with source nodes of the specified types will be analysed.
  • disabled_src_node_types - files extracted from packets with source nodes of the specified types will be excluded from the analysis.
  • enabled_dst_node_types - only files extracted from packets with destination nodes of the specified types will be analysed.
  • disabled_dst_node_types - files extracted from packets with destination nodes of the specified types will be excluded from the analysis.
  • enabled_node_ids - only files extracted from nodes with the specified ids will be analysed (both source and destination).
  • disabled_node_ids - files extracted from nodes with the specified ids will be excluded from the analysis (both source and destination).
  • enabled_src_node_ids - only files extracted from packets with source nodes contained in the specified ids will be analysed.
  • disabled_src_node_ids - files extracted from packets with source nodes contained in the specified ids will be excluded from the analysis.
  • enabled_dst_node_ids - only files extracted from packets with destination nodes contained in the specified ids will be analysed.
  • disabled_dst_node_ids - files extracted from packets with destination nodes contained in the specified ids will be excluded from the analysis.

Example

conf.user configure sandbox extraction {"enabled_protocols": ["http"]}
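The following is an added worked example, not Guardian's own code, that models the matching rules described above: enabled_... attributes act as allow-lists, disabled_... attributes as deny-lists, and every attribute present in the JSON object must be satisfied (AND). The record field names (protocol, extension, src_zone, ...) are assumed for the example, and it assumes that for the attributes covering "both source and destination" a hit on either endpoint counts. The sample records are constructed; the third one stands for an executable advertised as a .jpg, which the filter cannot distinguish from a real image because it only sees the advertised extension.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ExtractedFile:
    """One file carved from traffic, with the attributes the filter can see.
    The field names are assumed for this example; they are not Guardian's."""
    protocol: str
    extension: str        # advertised extension only; the content is never inspected here
    src_zone: str
    dst_zone: str
    src_node_type: str
    dst_node_type: str
    src_node_id: str
    dst_node_id: str


# Criterion name (the part after enabled_/disabled_) -> the value(s) a file
# exposes for it. The forms without src_/dst_ expose both endpoints.
CRITERIA = {
    "protocols":       lambda f: {f.protocol},
    "file_extensions": lambda f: {f.extension},
    "zones":           lambda f: {f.src_zone, f.dst_zone},
    "src_zones":       lambda f: {f.src_zone},
    "dst_zones":       lambda f: {f.dst_zone},
    "node_types":      lambda f: {f.src_node_type, f.dst_node_type},
    "src_node_types":  lambda f: {f.src_node_type},
    "dst_node_types":  lambda f: {f.dst_node_type},
    "node_ids":        lambda f: {f.src_node_id, f.dst_node_id},
    "src_node_ids":    lambda f: {f.src_node_id},
    "dst_node_ids":    lambda f: {f.dst_node_id},
}


def parse_config(json_value: str) -> dict:
    """Parse the <json_value> argument, rejecting unknown keys or non-list values."""
    config = json.loads(json_value)
    if not isinstance(config, dict):
        raise ValueError("json_value must be a JSON object")
    for key, values in config.items():
        mode, _, criterion = key.partition("_")
        if mode not in ("enabled", "disabled") or criterion not in CRITERIA:
            raise ValueError(f"unknown attribute: {key}")
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            raise ValueError(f"{key} must be a list of strings")
    return config


def is_valid_config(json_value: str) -> bool:
    """True if parse_config accepts the text (JSONDecodeError is a ValueError)."""
    try:
        parse_config(json_value)
        return True
    except ValueError:
        return False


def should_analyse(config: dict, f: ExtractedFile) -> bool:
    """Apply every criterion with AND: each enabled_* must match, each disabled_* must not."""
    for key, values in config.items():
        mode, _, criterion = key.partition("_")
        # Assumption: for the "both endpoints" forms a hit on either endpoint counts.
        hit = bool(CRITERIA[criterion](f) & set(values))
        if mode == "enabled" and not hit:
            return False
        if mode == "disabled" and hit:
            return False
    return True


def select_for_sandbox(config: dict, files) -> list:
    """Return the files that would be handed to Sandbox under this config."""
    return [f for f in files if should_analyse(config, f)]


# Constructed sample records (not real traffic). The third one represents an
# executable advertised as .jpg: nothing in these attributes reveals that,
# which is why the page discourages the file extension criteria.
SAMPLE_FILES = [
    ExtractedFile("http", "exe", "IT", "OT", "pc", "plc", "node-a", "node-b"),
    ExtractedFile("smb", "exe", "IT", "IT", "pc", "pc", "node-a", "node-c"),
    ExtractedFile("http", "jpg", "OT", "OT", "plc", "hmi", "node-b", "node-d"),
]

if __name__ == "__main__":
    cfg = parse_config('{"enabled_protocols": ["http"]}')   # the page's own example
    for f in select_for_sandbox(cfg, SAMPLE_FILES):
        print(f.protocol, f.extension, f.src_zone, "->", f.dst_zone)
```

Running the page's own example configuration against the sample records keeps the two HTTP transfers and drops the SMB one; adding "disabled_src_zones": ["OT"] to the same object then also drops the transfer originating in the OT zone, which illustrates the AND combination. A "disabled_file_extensions": ["exe"] rule lets the .jpg record through whatever its real content is, which is the limitation the description warns about.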

Parameters

json_value: A JSON object defining which files are, or are not, analysed by Sandbox.

Where

CLI

To apply

It is applied automatically.