How to Configure File Exceptions for EdgeIPS Pro Devices
- Updated on 27 Mar 2023
Summary
The File Exceptions function is an enhancement to the Antivirus Profiles of the EdgeIPS Pro Series. When the Antivirus Profile is configured as a denylist, the File Exceptions function provides an allowlist of file hash values: files on the list are excluded from scanning and transmitted, while other files are still blocked from passing through the Edge Series.
Applicable Version
EdgeIPS Pro: Version 1.3.15 or later
Details
1. File Exceptions
Figure 1: Deployment Scenario of File Exceptions
The following are prerequisites for the File Exceptions function:
- The firmware version of EdgeIPS Pro Series should be 1.3.15 or later. If not, you need to upgrade the firmware of the device via EdgeOne or perform a manual upgrade on the web console before importing the hash values of the files into an allowlist for file exceptions in an antivirus profile.
- At least one protocol used for file downloads must be selected and enabled. EdgeIPS Pro supports HTTP, FTP, and SMB protocols for the Antivirus Profile function.
- The “Maximum File Size for Scanning” function (for files other than zip and gz files) must be enabled. The default file size is 10 MB.
- The “Deny Oversize File(s)” option must be selected.
- The “Scan Compressed File(s) (ZIP & GZIP)” function must be enabled. Selecting its two suboptions, “Deny Password Protected File(s)” and “Destroy File(s) Failed to be Decompressed”, is recommended.
- The Antivirus Profile must be applied to an active policy enforcement rule.
If the protocols used for file downloads are selected in an antivirus profile that is applied to a policy enforcement rule, the EdgeIPS Pro Series will detect the protocols in use and scan the downloads accordingly. If the hash value of a file being downloaded fully matches a hash value on the exception list, EdgeIPS Pro will allow the download rather than blocking it.
The file exception list supports the PE-based file type for the Windows system and the ELF-based file type for the Linux system.
For a zip/gz file that includes multiple files and is smaller than 100 MB, the hash matching rule will be executed on the encapsulated PE-based or ELF-based files in the zip/gz file. The matching result depends on what file type is on the exception list. However, for a zip/gz file that is larger than 100 MB or is encrypted with a password, the hash matching rule will not be executed, and the zip/gz file will be bypassed.
The following table summarizes the settings:
| Edge Series Device | Operation Mode | Antivirus Profiles: if the file is not on the File Exception list | Antivirus Profiles: if the file is on the File Exception list |
| --- | --- | --- | --- |
| EdgeIPS Pro | Inline Mode (Each Port Pair) | File dropped if detected as malware | File bypassed |
| EdgeIPS Pro | Offline Mode (Each Port Pair) | — (No action taken) | — (No action taken) |
2. Configuring File Exceptions Function for EdgeIPS Pro
Method 1: Importing a File List Using the Built-in CSV File Template
1. Access the EdgeIPS Pro web-based management console.
2. Go to [Object Profiles] > [Antivirus Profile(s)].
3. Click the [Download CSV Template] button to download a CSV file.
4. Open the downloaded CSV file and input the hash values (mandatory) and descriptions (optional). For example:

   | SHA Type | Value | Description |
   | --- | --- | --- |
   | SHA1 | 9365e80854461496b6803cec83dd9814eea71788 | Windows PE File |
   | SHA1 | 1e783af70e201a6dab6a3a7b64821fc4563d200a | Windows PE File |
   | SHA1 | b5f744020ed1abffe19dc2e66ac5a0390d9df01c | Linux ELF File |

   A hash value (SHA1, hexadecimal number) should be 40 digits long.
5. Click the [File Exception Settings] button to open the [File Exception Settings] page.
6. Import the CSV file (to which you added the hash values in step 4) and click the [Save] button.
7. If the format of the imported file is correct, a prompt will indicate that the exception list has been successfully imported into EdgeIPS Pro.
8. Go to [Security] > [Policy Enforcement].
9. Select the rule template and the policy enforcement rule you want to edit.
10. Enable the [Antivirus Profile] function and select the profile name with the file exception list you just imported.
11. Click the [OK] button to save the settings.
Method 2: Manually Adding SHA-1 Values to the File Exception List
1. Access the EdgeIPS Pro web-based management console.
2. Go to [Object Profiles] > [Antivirus Profile(s)].
3. Click the [File Exception Settings] button to open the [File Exception Settings] page.
4. Click the [Add] button.
5. Input a file hash value (SHA-1 value). The description is optional.
   A hash value (SHA1, hexadecimal number) should be 40 digits long.
6. If the SHA-1 value you input is correct, it will be shown on the list. To add multiple SHA-1 values, repeat steps 4-5. Once completed, click the [Save] button.
7. Go to [Security] > [Policy Enforcement].
8. Select the rule template and the policy enforcement rule you want to edit.
9. Enable the [Antivirus Profile] function and select the profile name with the file exception list you just created.
10. Click the [Save] button to save the settings.
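The following Python example is added here and is not TXOne code. It prepares the entries that Method 1 and Method 2 expect: it hashes PE/ELF files, including the unencrypted members of a zip, with SHA-1 and checks every value against the 40-hex-digit rule before import. The function names, the CSV header row, the byte-based reading of the 100 MB limit and the sample inputs are assumptions; take the real column layout from the template downloaded from the device.

```python
import csv, hashlib, io, re, struct, zipfile

SHA1_RE = re.compile(r"[0-9a-f]{40}")   # "40 digits long", hexadecimal
ZIP_LIMIT = 100 * 1024 * 1024           # article: 100 MB (binary MB assumed)
# Constructed sample inputs (header stubs only, not real binaries).
SAMPLE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
SAMPLE_ELF = b"\x7fELF" + b"\0" * 12

def file_kind(data):
    """Classify content as PE or ELF, the two types the exception list supports."""
    if data[:4] == b"\x7fELF":
        return "Linux ELF File"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew: offset of PE header
        return "Windows PE File" if data[off:off + 4] == b"PE\0\0" else None
    return None

def sha1_row(name, data):
    return ["SHA1", hashlib.sha1(data).hexdigest(), f"{file_kind(data)} ({name})"]

def exception_rows(name, data):
    """Rows for one PE/ELF file, or for the unencrypted PE/ELF members of a zip."""
    if file_kind(data):
        return [sha1_row(name, data)]
    if len(data) >= ZIP_LIMIT or not zipfile.is_zipfile(io.BytesIO(data)):
        return []   # unsupported type, or a zip the article says is not hash-matched
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [(i.filename, zf.read(i)) for i in zf.infolist()
                   if not i.is_dir() and not i.flag_bits & 0x1]   # bit 0 = encrypted
    return [sha1_row(f"{name}/{m}", d) for m, d in members if file_kind(d)]

def to_csv(rows):
    out = io.StringIO()   # header uses the column names shown in the article (assumed)
    csv.writer(out, lineterminator="\n").writerows([["SHA Type", "Value", "Description"], *rows])
    return out.getvalue()

def validate_rows(rows):
    """Return (index, problem) for rows that break the stated format or repeat a hash."""
    problems, seen = [], set()
    for i, row in enumerate(rows):
        sha_type, value = (str(c).strip().lower() for c in (list(row) + ["", ""])[:2])
        if sha_type != "sha1":
            problems.append((i, "SHA type is not SHA1"))
        elif not SHA1_RE.fullmatch(value):
            problems.append((i, "value is not 40 hex digits"))
        elif value in seen:
            problems.append((i, "duplicate hash"))
        seen.add(value)
    return problems
```

Compute the hashes from a copy of each file obtained from a trusted source, since every listed hash is excluded from scanning.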
For support assistance, please Contact Us at support@txone.com or your Support Provider.