How to Configure File Exceptions for EdgeIPS Pro Devices
  • 27 Mar 2023

Summary


The File Exceptions function is an enhancement of the Antivirus Profiles for the EdgeIPS Pro Series. When the Antivirus Profile is configured as a denylist, the File Exceptions function provides an allowlist of file hash values: files on the list are excluded from scanning and transmitted, while other files are still blocked from passing through the Edge Series.

Applicable Version


EdgeIPS Pro : Version 1.3.15 or later

Details


1. File Exceptions

Figure 1 Deployment Scenario of File Exceptions

The following are prerequisites for the File Exceptions function:

  • The firmware version of EdgeIPS Pro Series should be 1.3.15 or later. If not, you need to upgrade the firmware of the device via EdgeOne or perform a manual upgrade on the web console before importing the hash values of the files into an allowlist for file exceptions in an antivirus profile.
  • At least one protocol used for file downloads must be selected and enabled. EdgeIPS Pro supports HTTP, FTP, and SMB protocols for the Antivirus Profile function.
  • The “Maximum File Size for Scanning” function (for files other than zip and gz files) must be enabled. The default file size is 10 MB.
  • The “Deny Oversize File(s)” option must be selected.
  • The “Scan Compressed File(s) (ZIP & GZIP)” function must be enabled. Selecting its two suboptions, “Deny Password Protected File(s)” and “Destroy File(s) Failed to be Decompressed”, is recommended.
  • The Antivirus Profile must be applied to an active policy enforcement rule.

If the protocols used for file downloads are selected in antivirus profiles applied to a policy enforcement rule, the EdgeIPS Pro Series will detect the protocols you use and scan the downloads accordingly. If the hash value of the file being downloaded fully matches a hash value on the exception list, EdgeIPS Pro will allow the file download rather than blocking it.

The file exception list supports the PE-based file type for the Windows system and the ELF-based file type for the Linux system.

For a zip/gz file that includes multiple files and is smaller than 100MB, the hash matching rule will be executed on the encapsulated PE-based or ELF-based files in the zip/gz file. The matching result depends on what file type is on the exception list. However, for a zip/gz file that is larger than 100MB or is encrypted with a password, the hash matching rule will not be executed, and the zip/gz file will be bypassed.

e.g.: The zip file “A” is smaller than 100MB and includes multiple files, which are the password-protected file “B”, the ELF-based file “C”, and the PE-based file “D”. The policy enforcement rule contains a file type filter (the function “Protocol Check” is set to be “Deny and Log” and the option “Deny Password Protected File(s)” is not selected), and “C” and “D” are on the file exception list. Since “C” and “D” encapsulated in “A” are on the file exception list, and “B” does not violate any rules in the antivirus profile, when EdgeIPS Pro detects the zip file “A”, the device will bypass it.
e.g.: The gz file “A” is smaller than 100MB and includes multiple files, which are the password-protected file “B”, the ELF-based file “C”, and the PE-based file “D”. The policy enforcement rule contains a file type filter (the function “Protocol Check” is set to be “Deny and Log”, the option “Deny Password Protected File(s)” is not selected, and the option “Deny Oversize File(s)” is selected), and “C” is larger than 10 MB. Since “C” violates the rule “Deny Oversize File(s)” in the antivirus profile, when EdgeIPS Pro detects the gz file “A”, the device will drop it.
e.g.: The zip file “A” is larger than 100MB and includes multiple files, “B”, “C”, and “D”. Since the hash matching rule will not be executed on zip files larger than 100MB, when EdgeIPS Pro detects the zip file “A”, the device will bypass it.

The following table summarizes the settings:

| Edge Series Device | Operation Mode | Antivirus Profiles: If the file is not on File Exception list | Antivirus Profiles: If the file is on File Exception list |
|---|---|---|---|
| EdgeIPS Pro | Inline Mode (Each Port Pair) | File dropped if detected as malware | File bypassed |
| EdgeIPS Pro | Offline Mode (Each Port Pair) | (No action taken) | (No action taken) |

2. Configuring File Exceptions Function for EdgeIPS Pro


Method 1: Importing a File List Using the Built-in CSV File Template

  1. Access the EdgeIPS Pro web-based management console.
  2. Go to [Object Profiles] > [Antivirus Profile(s)].
  3. Click the [Download CSV Template] button to download a CSV file.
  4. Open the downloaded CSV file and input the hash values (mandatory) and descriptions (optional). For example:

     | SHA Type | Value | Description |
     |---|---|---|
     | SHA1 | 9365e80854461496b6803cec83dd9814eea71788 | Windows PE File |
     | SHA1 | 1e783af70e201a6dab6a3a7b64821fc4563d200a | Windows PE File |
     | SHA1 | b5f744020ed1abffe19dc2e66ac5a0390d9df01c | Linux ELF File |

     A hash value (SHA1, hexadecimal number) should be 40 digits long.
  5. Click the [File Exception Settings] button to open the [File Exception Settings] page.
  6. Import the CSV file (to which you added the hash values in step 4) and click the [Save] button.
  7. If the format of the imported file is correct, a prompt will indicate that the exception list has been successfully imported into EdgeIPS Pro.
  8. Go to [Security] > [Policy Enforcement].
  9. Select the rule template and the policy enforcement rule you want to edit.
  10. Enable the [Antivirus Profile] function and select the profile name with the file exception list you just imported.
  11. Click the [OK] button to save the settings.
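
One way to prepare and pre-check the CSV from step 4 before importing it, shown as an added example that is not TXOne tooling: it hashes only PE and ELF files (the types the exception list supports) and flags rows that are not 40-digit SHA1 values. The header row and comma-separated layout are assumed from the example table above and should be confirmed against the downloaded template; `file_kind`, `build_csv`, `check_csv` and `SAMPLES` are hypothetical names.

```python
import csv
import hashlib
import io
import re

SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")

def file_kind(data):
    """Return a description for the supported types (PE, ELF), else None."""
    if data[:4] == b"\x7fELF":
        return "Linux ELF File"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = int.from_bytes(data[0x3C:0x40], "little")  # e_lfanew field
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "Windows PE File"
    return None

def build_csv(files):
    """files: {name: bytes}. Return (csv_text, names skipped as non-PE/ELF)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["SHA Type", "Value", "Description"])  # assumed template header
    skipped, seen = [], set()
    for name, data in files.items():
        kind = file_kind(data)
        digest = hashlib.sha1(data).hexdigest()
        if kind is None:
            skipped.append(name)
        elif digest not in seen:  # one row per distinct file content
            seen.add(digest)
            writer.writerow(["SHA1", digest, kind])
    return out.getvalue(), skipped

def check_csv(text):
    """Return (line_number, reason) for rows that break the SHA1/40-hex rule."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))[1:]  # skip the header row
    for n, row in enumerate(rows, start=2):
        if len(row) < 2 or row[0].strip().upper() != "SHA1":
            problems.append((n, "SHA type is not SHA1"))
        elif not SHA1_HEX.fullmatch(row[1].strip()):
            problems.append((n, "value is not 40 hexadecimal digits"))
    return problems

# Constructed sample inputs (not real binaries): minimal PE and ELF headers, one text file.
SAMPLES = {
    "tool.exe": b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00",
    "agent": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
    "notes.txt": b"plain text, not PE or ELF",
}
```

Calling `build_csv(SAMPLES)` returns the CSV text plus the names it left out, and `check_csv` can be run on any hand-edited list before import.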

Method 2: Manually Adding SHA-1 Values to the File Exception List

  1. Access the EdgeIPS Pro web-based management console.
  2. Go to [Object Profiles] > [Antivirus Profile(s)].
  3. Click the [File Exception Settings] button to open the [File Exception Settings] page.
  4. Click the [Add] button.
  5. Input a file hash value (SHA value). The description is optional.
     A hash value (SHA1, hexadecimal number) should be 40 digits long.
  6. If the SHA value you input is correct, it will be shown on the list. To add multiple file SHA values, repeat steps 4-5. Once completed, click the [Save] button.
  7. Go to [Security] > [Policy Enforcement].
  8. Select the rule template and the policy enforcement rule you want to edit.
  9. Enable the [Antivirus Profile] function and select the profile name with the file exception list you just created.
  10. Click the [Save] button to save the settings.



For support assistance, please Contact Us at support@txone.com or your Support Provider.

