Configure high throughput protection
conf.user configure sandbox extraction <json_value>
Product: Guardian
Description
This option lets you define which files have to be analysed by Sandbox. The enable_... suboptions enable only the files that satisfy the specific criteria, while the disable_... suboptions disable only the files that match the specific criteria and enable all the others. If several criteria are specified, they are combined with a logical AND (i.e. all of them have to be satisfied).

Note that only advertised file extensions are considered. If an attacker hides a malicious executable behind a joint photographic experts group (JPEG) file extension, there is no way for Sandbox to understand that the file is an executable without performing an in-depth analysis on the file itself. For this reason, we highly discourage the use of the file extension attribute in the JavaScript Object Notation (JSON) below. Protocol, zone and node criteria are encouraged instead, when even the auto switch off adaptive algorithm cannot provide sufficient protection against high throughputs.

enabled_protocols - only files extracted from these protocols will be analysed
disabled_protocols - files extracted from these protocols will be excluded from the analysis
enabled_file_extensions - only files extracted with these advertised extensions will be analysed
disabled_file_extensions - files extracted with these advertised extensions will be excluded from the analysis
enabled_zones - only files extracted from the specified zones (both source and destination) will be analysed.
disabled_zones - files extracted from the specified zones (both source and destination) will be excluded from the analysis.
enabled_src_zones - only files extracted from the specified source zones will be analysed.
disabled_src_zones - files extracted from the specified source zones will be excluded from the analysis.
enabled_dst_zones - only files extracted from the specified destination zones will be analysed.
disabled_dst_zones - files extracted from the specified destination zones will be excluded from the analysis.
enabled_node_types - only files extracted from nodes of the specified types will be analysed (both source and destination).
disabled_node_types - files extracted from nodes of the specified types will be excluded from the analysis (both source and destination).
enabled_src_node_types - only files extracted from packets with source nodes of the specified types will be analysed.
disabled_src_node_types - files extracted from packets with source nodes of the specified types will be excluded from the analysis.
enabled_dst_node_types - only files extracted from packets with destination nodes of the specified types will be analysed.
disabled_dst_node_types - files extracted from packets with destination nodes of the specified types will be excluded from the analysis.
enabled_node_ids - only files extracted from nodes with the specified ids will be analysed (both source and destination).
disabled_node_ids - files extracted from nodes with the specified ids will be excluded from the analysis (both source and destination).
enabled_src_node_ids - only files extracted from packets with source nodes contained in the specified ids will be analysed.
disabled_src_node_ids - files extracted from packets with source nodes contained in the specified ids will be excluded from the analysis.
enabled_dst_node_ids - only files extracted from packets with destination nodes contained in the specified ids will be analysed.
disabled_dst_node_ids - files extracted from packets with destination nodes contained in the specified ids will be excluded from the analysis.

conf.user configure sandbox extraction {"enabled_protocols": ["http"]}
Parameters
json_value: A JSON object to configure which files are not analysed by Sandbox.
Where: CLI
To apply: It is applied automatically.
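
The selection rules from the Description, as an added example that is not Guardian's own code: a simplified Python model of the AND-combined criteria, showing a constructed executable advertised as .jpg being skipped by an extension filter but still selected by a protocol filter. The zone names, the extension value format and the exact-match comparison are assumptions; only the protocol, extension and source/destination zone keys are modelled.

```python
import json

# Simplified model of the selection rules described above (assumption: exact,
# case-sensitive matching; only protocol, extension and src/dst zone keys).
FIELDS = {
    "protocols": "protocol",
    "file_extensions": "extension",   # advertised extension only
    "src_zones": "src_zone",
    "dst_zones": "dst_zone",
}

def is_analysed(config, file_meta):
    """Return True if every configured criterion accepts the file (AND)."""
    for suffix, attr in FIELDS.items():
        value = file_meta[attr]
        enabled = config.get("enabled_" + suffix)
        disabled = config.get("disabled_" + suffix)
        if enabled is not None and value not in enabled:
            return False
        if disabled is not None and value in disabled:
            return False
    return True

def looks_like_pe(content):
    """Content check: Windows executables start with the bytes 'MZ'."""
    return content[:2] == b"MZ"

# Constructed sample: an executable transferred with a .jpg name.
SAMPLE = {
    "protocol": "http", "extension": "jpg",
    "src_zone": "Internet", "dst_zone": "Plant",   # hypothetical zone names
    "content": b"MZ\x90\x00" + b"\x00" * 60,
}

EXT_FILTER = json.loads('{"disabled_file_extensions": ["jpg", "png"]}')
PROTO_FILTER = json.loads('{"enabled_protocols": ["http"]}')
COMBINED = json.loads(
    '{"enabled_protocols": ["http"], "enabled_dst_zones": ["Office"]}')

def report():
    return {
        "is_executable": looks_like_pe(SAMPLE["content"]),
        "ext_filter_analyses": is_analysed(EXT_FILTER, SAMPLE),
        "proto_filter_analyses": is_analysed(PROTO_FILTER, SAMPLE),
        "combined_analyses": is_analysed(COMBINED, SAMPLE),
    }

if __name__ == "__main__":
    for key, val in report().items():
        print(f"{key}: {val}")
```

The combined case is rejected because the destination zone criterion fails even though the protocol criterion passes, which is the AND behaviour described above.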