Advanced Secure Gateway

Content Analysis

Version 7.x

Guide Revision: 11/13/2020

Advanced Secure Gateway - Content Analysis Administration

Legal Notice

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term
“Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Copyright © 201x–2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability,
function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not
assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit
described herein, neither does it convey any license under its patent rights nor the rights of others.

Friday, November 13, 2020

2 of 117
 Advanced Secure Gateway - Content Analysis Administration

Contents

Initial Configuration 6
About Advanced Secure Gateway 7.x 8
Content Analysis Caches 11
Content Analysis Security Best Practices 12
Required Ports, Protocols, and Services 14
Set the Date/Time Manually 18
Set the Appliance Hostname 18
Log In or Log Out of the Content Analysis Web UI 19
Manage the Appliance Licenses and Subscriptions 19
Activate Licensed Components 22

Prepare the Appliance to Scan Data 25

Change the Default ICAP Server Ports 27
Define File Type Policy 27
Set AV Scanning Behavior Options 28
Drop Slow Download Connections 32
Improve Malware Scanning Results with Predictive Analysis 34
File Reputation Service 38
Manually Define File Reputation 39
Integrate with Symantec Endpoint Protection Manager 41
Add a Malicious File to a SEPM Blacklist 42
Configure CounterTack Sentinel Endpoint Security 44
Integrate Advanced Secure Gateway with Security Analytics 45
Send Sandboxing Results to Symantec Reporter 47
Report Malware to Symantec Global Intelligence Network 49

About Sandboxing 50
Sandbox Suspicious Files 52
Configure a Symantec Malware Analysis Sandbox 52
Configure a FireEye Sandbox 55
Configure a Lastline Sandbox 56
Configure Sandbox General Settings 57
Configure Sandbox Cache Settings 60
Troubleshoot ICAP Errors 61

3 of 117
Advanced Secure Gateway - Content Analysis Administration

Monitoring and Alerts 64

Set Up Alert Delivery Methods 65
Configure E-Mail Settings 67
Configure SNMP 68
Configure Syslog Alerts 68
Customize Alert Messages 69
Send System Statistics by Email 71
Malware Processing Reports 73
View Threat Management Results 74
View the Sandboxing Report 82
View the Predictive Analysis Report 83
View the File Reputation Report 84
View the Whitelist and Blacklist Reports 85
View Recent Threats 86
View Cache Hits 88
View Objects Processed 88
View Bytes Processed Report 90
Current Scanning Requests 90
View Historical Requests 91
View Historical Request Results 92
View the CPU/Memory Usage 94
Manage the System Logs 96
Set the System Log Parameters 96
Review System Activities 98

Administrative Tasks 99
Define an Administrative Login Message 100
Update Antivirus Pattern Files 101
Install a New System Image 102
Archive or Restore the System Configuration 105

Troubleshooting and Support Utilities 107

Review System Activities 109
Review the Web Logs 109
Inspect Traffic 110
Send Diagnostic Information to Symantec Support 112
Restart System Services 113
Clear File Caches 113
Test Network Connectivity 114
Onboard Diagnostics 115

4 of 117
 Advanced Secure Gateway - Content Analysis Administration

Manually Scan Files for Threats 115

View and Export the System Information File 116

5 of 117
Advanced Secure Gateway - Content Analysis Administration

Initial Configuration
This chapter introduces you to the Content Analysis appliance, the Management Console and helps you to prepare the
appliance for deployment.

About Advanced Secure Gateway 7.x 8

Content Analysis Caches 11
Content Analysis Security Best Practices 12
Required Ports, Protocols, and Services 14
Set the Date/Time Manually 18
Set the Appliance Hostname 18
Log In or Log Out of the Content Analysis Web UI 19
Manage the Appliance Licenses and Subscriptions 19
Activate Licensed Components 22

6 of 117
 Advanced Secure Gateway - Content Analysis Administration

7 of 117
Advanced Secure Gateway - Content Analysis Administration

About Advanced Secure Gateway 7.x

The Symantec Advanced Secure Gateway is a next-generation Proxy, antivirus, malware, and spyware detection system.
This system comprises two very important modules: Proxy, based on SGOS 7.x, and Content Analysis, based on version
2.4.

The Content Analysis module in Advanced Secure Gateway 7.x includes the following features:

n Malware and Antivirus Scanning — Content Analysis supports McAfee, Sophos, Kaspersky, and Symantec antivirus
engines and virus signature databases, all of which can be used at the same time.

n Predictive Analysis — Services from Cylance and Symantec Advanced Machine Learning (AML) use an advanced
artificial intelligence engine to identify malware.

n File Reputation Service — Content Analysis generates a SHA1 hash for each file it processes. That hash is compared
with Symantec's cloud-based File Reputation classification service to identify known files. The service uses reputation
scores, numbers (1-10) that indicate whether files are known to be trusted or malicious; low scores are less likely to be
threats whereas high scores are more likely. Depending on the reputation score, files are then either blocked if the score
is high, passed to the user as safe if the score is low, or processing continues with anti-virus scanning and sandboxing
if the service doesn't know whether the file is malicious.

n Manual File Blacklist and Whitelist — As your organization identifies files that are known good or bad, you can add
them to a list of manually defined file hashes to either allow or deny those files without further processing.

n Sandbox Integration with Symantec's Malware Analysis, Lastline, FireEye AX, and cloud-based Symantec Sandbox
services use different methods to identify the actions an executable file would take on a client workstation, including
malicious URL web requests and changes to system files.

Note: Advanced Secure Gateway does not support FireEye NX.

n Endpoint Integration — As the sandbox detects malware, Content Analysis can query a CounterTack Sentinel server
in your network to determine which users (if any) have retrieved it. If Symantec Endpoint Protection Manager (SEPM) is
integrated with Advanced Secure Gateway, the administrator is notified when the sandbox finds a malicious file and
provides an option to add the file hash to a blacklist on the SEPM.

n Cached Responses — When a Content Analysis module determines a verdict (clean versus malicious) for a file, it
caches the file hashes and verdicts to avoid having to scan the same file on subsequent requests. Content Analysis
has separate caches for responses from each of its services: antivirus, file reputation, predictive analysis, and
sandboxing (threats and clean).

n Symantec Global Intelligence Network (GIN) — Users are protected by the Symantec WebFilter and GIN databases
on the Advanced Secure Gateway proxy module, and when malware is discovered through scanning, those results can
be shared with Symantec WebFilter to classify bad URLs for the benefit of all GIN users worldwide.

8 of 117
 Advanced Secure Gateway - Content Analysis Administration

n Reporter and Management Center Malware Reporting — If you have Symantec Reporter, Management Center, and
Malware Analysis, in addition to Advanced Secure Gateway, this release provides comprehensive reporting of threats
and threat protection activities.

9 of 117
Advanced Secure Gateway - Content Analysis Administration

Scanning workflow:

1. A user in the protected network requests a file from the Internet.

2. The proxy module compares the request with policy. If the user is permitted to access the URL hosting the file and is
permitted to download files, processing continues. If policy does not permit the user to access the URL or to download
files, the user is presented with an exception page, and the request is denied.

3. Further policy processing checks the URL against the Symantec WebFiltering and GIN databases. If the domain
hosting the file has been categorized as a malware source, the file download is denied and the user is notified with an
exception page. If the domain is not recognized, the file is sent to Content Analysis for inspection.

4. Content Analysis creates a hash of the file, and searches each of its caches (Antivirus, File Reputation services,
Predictive Analysis, and Sandboxing) for a match. If the hash is located in a cache, Content Analysis either serves or
blocks the file based on the verdict.

5. Content Analysis compares the file details against the both the manual blacklist/whitelist and the Symantec File
Reputation service. If the file's hash is on the manual whitelist or has a reputation score of 1, scanning is suspended
and the file is sent to the user. If the hash is not on the manual or blacklists, or has a reputation score between 2 and 6,
the file is sent to the malware scanning engines for analysis. If the file's hash is on the manual blacklist, or has a
reputation score between 7 and 10, it is blocked.

10 of 117
 Advanced Secure Gateway - Content Analysis Administration

6. The file is examined by the Cylance engine (an optional license), and is then scanned by the configured antivirus
engines for known malware signatures. If the file contains malware, the file is blocked and the user receives an
exception page with a description of the virus or malware.

7. If the file is clean, but is of a suspicious type (executable or a type defined in the sandboxing configuration), it is
forwarded to the configured external sandbox appliance for further analysis. The results of the sandbox analysis are
reported to the administrator and shared with WebPulse. If the file is clean, it is added to the Sandboxing Trust Cache. If
the file is malicious, it is added to the Sandbox Threat Cache and the Content Analysis administrator is notified via
email or other configured notification method.

8. If the sandbox analysis found the file to be malicious, Content Analysis queries the CounterTack Sentinel server (if
configured) to determine if any workstations in the network have been infected. That information is then included in the
report emailed to the administrator. If Symantec Endpoint Protection Manager (SEPM) is configured, Advanced Secure
Gateway notifies the administrator, providing the option to add the file hash to a blacklist on the SEPM.

Content Analysis Caches

A cache is a location that stores data so future requests for that data can be served faster. A cache hit occurs when the
requested data can be found in a cache.

Each of the Content Analysis modules has its own cache: Antivirus, File Reputation service, Predictive Analysis, and
Sandboxing (Threat and Clean). When a module scans a file and renders a verdict (clean vs. malicious), Content Analysis
stores the file hash and its verdict in the appropriate cache. The exception is the File Reputation service which caches a
reputation score for the file hash, not a verdict.

When presented with a file to scan, Content Analysis determines what should be done with the file by looking for the file hash
in each of its caches in the following order.

Note: When there is a clean or malicious verdict in a cache, the file is served or blocked
immediately, without further investigation. If the hash is not in a particular cache, Content
Analysis looks for the hash in the next cache on the list.

1. File Reputation Service cache If the reputation score is 1 (trusted), the file is served. If the reputation score is in the
malicious range (7-10), the file will be blocked immediately .

2. Predictive Analysis cache If the Predictive Analysis cache verdict for the file is malicious, the file is blocked.

3. Antivirus cache If the AV cache verdict for the file is malicious, the file is blocked.

4. Sandbox Threat cache If the file is in the threat cache, the file is blocked.

5. Antivirus cache If the AV cache verdict is clean, the file is served.

6. Sandbox Clean cache If the file is in the clean cache, the file is served.

If the file hash isn't located in any of the caches, Content Analysis will scan the file using its normal process.

11 of 117
Advanced Secure Gateway - Content Analysis Administration

Content Analysis Security Best Practices

Your Content Analysis appliance examines much of the traffic that passes through your network, so it's very important that it
be managed in a secure fashion. The items listed here represent best-effort security considerations. Consult your
organization's security requirements when deploying Content Analysis in your environment.

Physical Location and Networking

n Secure the physical location where Content Analysis is deployed.
Make sure that access is limited to a few top-level administrators, and wherever possible, that their access is
monitored.

n Avoid deploying Content Analysis with a direct connection to the Internet.

Wherever possible, Content Analysis should be behind a firewall, proxy, and or other security appliance to protect it
from Internet-based attacks.

n Control access to the network where Content Analysis is deployed.

Configure ICAP and management services to use access control lists.

n Configure the management and ICAP interfaces on the appliance in unique, non-congruent subnets.
This reduces the vectors available to an attacker.

n For best security, secure ICAP is recommended.

Secure ICAP introduces a significant performance penalty. Alternatively, you can mitigate concerns by deploying
Content Analysis and ProxySG appliance on a segmented network, to which no outside access is permitted. Only
when properly segmented does Symantec recommend enabling plain text ICAP connections.

n Ensure that your network infrastructure is prepared for the connections to and from your Content Analysis
appliance.
See "Required Ports, Protocols, and Services" on page 14 for a list of URLs and ports used by Content Analysis.

n Do not use TLS 1.0 or 1.1.

By default, some versions of Content Analysis come with TLS versions 1.0 or 1.1 enabled for secure services (such as
Web Management and secure ICAP). Disable these versions and use only 1.2 or higher. See Enable Secure
ICAP Connections for details on managing the TLS version.

n Use only high-strength security ciphers.

Regardless of the default values, Symantec encourages Content Analysis administrators to be aware of the security
landscape, and only use ciphers known to be highly secure.

n Don't rely on the self-signed certificate.

Before deploying your Content Analysis appliance, Symantec recommends that you replace the built-in self-signed
certificate with one signed by a public Certificate Authority. This certificate should be generated with a 2048-bit or higher
key, and use the SHA2 hashing algorithm. While Content Analysis does not provide a facility to generate a Certificate

12 of 117
 Advanced Secure Gateway - Content Analysis Administration

Signing Request, you can generate one externally using OpenSSL or from your Certificate Authority's website. The
instructions to install a CA-signed certificate are detailed here: Enable Secure ICAP Connections.

Administering and Monitoring the Appliance

n Web browsers used by Content Analysis administrators accessing the appliance's web management console
should not have access to the Internet.
This ensures that no web applications can glean login or other details used in your connection to the Content Analysis
management console.

n Do not enable HTTP web management.

By default, only HTTPS web administration is enabled. Symantec does not recommend that you enable the
HTTP management console for any reason.

n Keep the UI inactivity timeout set to the default value (10 minutes).
See Control Access to the Management Console for more information.

n Ensure that the primary administrator account (admin) details are known only to a select few administrators.
Set the primary admin password to use twelve or more characters, and include a mix of case and special characters.
Save the details in a secure location.

n Set a unique enable password, different from that of the built-in admin account.
Set the enable password to use twelve or more characters, and include a mix of case and special characters. Save the
details in a secure location.

n Make sure that every Content Analysis administrator has their own account.
Wherever possible, use LDAPS (Secure LDAP) authentication, rather than local authentication or standard LDAP or
RADIUS authentication.

n Use SNMPv3 for system activity reporting.

Earlier versions of SNMP do not support authentication or security features. See Configure SNMP for more information.

n Set the Content Analysis Audit Log to output to syslog.

This log details the connections to and from the appliance.

n Enable all email and other alerts

Direct them to addresses and services that can be viewed by multiple administrators. See "Set Up Alert Delivery
Methods" on page 65 for more information.

n Review system logs on a regular basis.

Symantec recommends that administrators frequently examine the system on a regular basis. Specifically, review
System logs for errors, anomalies, or unexpected events, and review the Auit logs for unauthorized access attempts or
suspicious activities. You can find information on Content Analysis logs here.

Data Analysis Settings

13 of 117
Advanced Secure Gateway - Content Analysis Administration

n Improve Kaspersky Scanning

Kaspersky scanning behavior can be improved by enabling the antivirus engine heuristic and enhanced scanning.
These options allow for threats other than those defined in the current pattern database to be identified. See "Set AV
Scanning Behavior Options" on page 28 for more information.

n Defaults are set for best practice

The default values for general antivirus scanning behavior policies are defined with security best practices in mind.
Under typical operation, the default values should not require modification. See "Set AV Scanning Behavior Options" on
page 28 for more information.

Required Ports, Protocols, and Services

Advanced Secure Gateway as a whole uses the following services and ports while operating. Ensure that you allow these
ports through your security infrastructure when setting up the appliance.

Inbound Connections
Whether for administrative access, or to accept incoming data to be scanned, this table details the connection points that are
open on the Advanced Secure Gateway.

Service Port Protocol Configurable? Source Description

HTTPS 8082 TCP yes user's client Securely manage and configure Advanced Secure Gateway with a
web browser or Symantec Management Center.

HTTP 8081 TCP yes user's client Manage and configure Advanced Secure Gateway with a web
browser. Disabled by default.

Secure 22 TCP yes user's client Securely manage and configure Proxy functions of the Advanced
Shell (SSH) Secure Gateway with a command line interface.

SNMP 161 UDP no SNMP Listen for queries from remote SNMP analysis tools (if SNMP is
analysis enabled).
tools

SafeNet 8443 TCP no user's client Listen for connections to the Java-based Management Console
Java HSM

Outbound Connections
Advanced Secure Gateway connects to the services listed below. Note that many of these services are optional, and the ports
don't need to be open on the firewall unless they are being used.

14 of 117
 Advanced Secure Gateway - Content Analysis Administration

Service Port Protocol Configurable? Destination Function

NTP 123 UDP no ntp.bluecoat.com, Network Time Protocol - synchronize the appliance
ntp2.bluecoat.com clock.

DNS 53 TCP/UDP no Configured Domain Name Service - The appliance queries the
DNS servers DNS servers you configure.

SSL 443 TCP no Multiple Heartbeats, service information uploading, licensing

check, communicating with external sandbox
appliances and HTTPS-based client requests destined
for the Internet.

SSL 444 TCP no Symantec Certificate As new root CA certificates become available, the
server Advanced Secure Gateway can retrieve and make
them available for trust verification with
HTTPS requests through the proxy module.

Syslog 514 UDP no Syslog server Report appliance health and statistical data to a syslog
server on the internal network.

SNMP 162 UDP yes SNMP agent Simple Network Monitoring Protocol - used by external
network monitoring tools to alert administrators when
appliance statistics vary.

RIP 520 UDP no Multiple/Configurable Routing Information Protocol - Advanced route

designations relying on external routers for shared
traffic routing information.

WCCP 2048 TCP no Multiple/Configurable Web Cache Control Protocol - used by Advanced
Secure Gateway to participate in transparent traffic
redirect with Cisco and Cisco-compatible routers .

IWA Direct - 88 TCP no Multiple/Configurable Used by IWA Direct to communicate with Active

Kerberos Directory to authenticate users.

IWA Direct - 445 TCP no Multiple/Configurable Used by IWA Direct to communicate with Active

SMB Directory.

IWA Direct - 389 TCP no Multiple/Configurable Used by IWA Direct to communicate with Active
LDAP Directory to authenticate users.

IWA Direct - 636 TCP no Multiple/Configurable Used by IWA Direct to communicate securely with

Secure LDAP Active Directory to authenticate users.

BCAAA 16101 TCP no Configured BCAAA Blue Coat Authentication and Authorization Agent -
server on a Windows Software installed on a Windows workstation or server
Workstation or Server in the network used by Advanced Secure Gateway to
validate user credentials for authentication.

RADIUS 1812 TCP no Multiple/Configurable Used by Advanced Secure Gateway to communicate

with RADIUS authorization services in your
environment.

15 of 117
Advanced Secure Gateway - Content Analysis Administration

Service Port Protocol Configurable? Destination Function

ICAP 1344 TCP yes Multiple/Configurable Used by Advanced Secure Gateway to communicate
with external Content Analysis, DLP, or other
ICAP services.

Secure ICAP 11344 TCP yes Multiple/Configurable Used by Advanced Secure Gateway to communicate
with external Content Analysis, DLP, or other
ICAP services over a secure channel.

CounterTack 9090 TCP no CounterTack Track scanning activity to be used for incident
Sentinel Sentinel server response, to determine if any clients in the network
Endpoint have been infected by malware.
Security

Symantec 21 TCP yes FTP server Upload sandboxing logs to a Symantec Reporter
Reporter server.

Sandboxing - 443 HTTPS no External Malware Transmit data to a SymantecMalware Analysis

Symantec Analysis appliance sandbox appliance for data analysis.
Malware
Analysis

Sandboxing - 22 SSH no FireEye AX Transmit data to a FireEye sandbox appliance for data
FireEye AX appliance analysis.

Symantec 8446 TCP no SEPM server Add malicious files to the Symantec Endpoint
Endpoint Protection Manager blacklist.
Protection
Manager

Required URLs
Under normal operation, Advanced Secure Gateway requires access to several cloud-based resources. Ensure connectivity to
the following URLs.

Protocol
Service URL Port Function

Symantec abrca.bluecoat.com/ HTTP 80 A Symantec service that responds to

Certificate CSR requests by returning a signed
Authority certificate in response. This is used
when renewing or initially requesting
a certificate.

16 of 117
 Advanced Secure Gateway - Content Analysis Administration

Protocol
Service URL Port Function

Symantec remote-support.bluecoat.com HTTPS 8888 A back-end Symantec service used for

Diagnostics "remote debugging". This allows
Server Symantec personnel to log in to
customer appliances during a support
call and debug an issue by opening a
shell on the box.

Symantec subscription.es.bluecoat.com/heartbeat/post HTTPS 443 Content Analysis emits a message,

Heartbeat called a heartbeat, to the Symantec
Server heartbeat server on the following
occasions: appliance bootup, daily,
and after a system failure. Using the
information contained in the heartbeat
messages, Symantec is able to
provide better, faster support to its
users.

Symantec api.us.dmas.symantec.com HTTPS 443 Sends files to Symantec's cloud-based

Cloud service for malware scanning.
Sandboxing

Symantec subscription.es.bluecoat.com HTTPS 443 Manage the subscription-based

Network services (antivirus, file reputation,
Protection sandboxing) associated with your
Licensing Content Analysis serial number.

Symantec device-services.es.bluecoat.com HTTPS 443 URLs used by the appliance to

Network manage the appliance license
Protection services.es.bluecoat.com (applicable to licenses without birth
Licensing certificates)

Symantec upload.bluecoat.com/support/upload HTTPS 443 A web form for submitting

Support troubleshooting files to Symantec
Support.

Symantec frs.es.bluecoat.com HTTPS 443 This URL is used to perform file

GIN reputation hash lookups, and when
malware is discovered, report the
source and file hash to Symantec GIN,
provided the option is enabled in
Content Analysis > Settings > GIN.

Symantec sp.cwfservice.net HTTPS 443 This URL is used to perform website

GIN reputation services.

Symantec contentanalysis-ma.es.bluecoat.com HTTPS 443 When malware is discovered by a

GIN (for MA) Malware Analysis appliance, Content
Analysis contacts this URL to report it.

17 of 117
Advanced Secure Gateway - Content Analysis Administration

Protocol
Service URL Port Function

NTP ntp.bluecoat.com, ntp2.bluecoat.com UDP 123 Synchronize the appliance clock with
a verified time reference server.
Advanced Secure Gateway can also accept
configuration of other NTP servers.

Sandboxing lastline.mycompany.com HTTPS 443 Used to transmit data to a cloud-based

- Lastline Lastline sandbox service for data
Replace mycompany.com with your specific analysis.
Lastline cloud-based sandboxing URL.

Trust appliance.bluecoat.com HTTP 80 Download trust packages (CA

Package certificate update packages) from
Updates Symantec.

Set the Date/Time Manually

Date and time configuration is available in Settings > Date Time.

Advanced Secure Gateway uses the date and time settings to record events and to track engine file updates. Some AV
engines, however, do not use the configured system time and instead use an internal time tracking mechanism for maintaining
the most current version of the pattern file.

By default, the appliance acquires Universal Coordinated Time (UTC) from the NTP servers configured on the appliance. If you
prefer to manually set the date and time on the appliance, do the following:

1. Select Settings > Date Time.

2. Under Date Settings, either enter the date ( in mm/dd/yyyy format) or click the calendar icon select the correct date for
the location for this appliance.

3. In Time Settings, either directly enter the time, or use the up and down arrows to set the hour, minutes, and seconds.

2. Click Save Changes.

Note: If you change the time or date to a value greater than what was previously set, the
appliance will log out the system administrator. Log in again to verify your changes.

Set the Appliance Hostname

Set the appliance hostname and administrator email address in System > Identification.

The appliance name is used when alerts are sent out to recipients, plus in other elements such as the CLI prompt and SNMP
logs.

18 of 117
 Advanced Secure Gateway - Content Analysis Administration

1. Enter a unique Appliance Name, to assign the appliance with a hostname. Consider using a geographic or other
location-based name to ensure each appliance in your network can be identified easily.

2. The Administrator Email identifies the primary administrator for this appliance. If an alert is sent that mentions
contacting the administrator, this address is given.
To enter multiple administrator email addresses, separate each by a
comma: [email protected],[email protected],[email protected].

3. Click Save Changes.

Log In or Log Out of the Content Analysis Web UI

The Logout link displays when you click the down arrow next to the admin login name on the Management Console banner, as
shown below.

To log out, click Logout. You are logged out and a message confirming the logout displays.

Note: If you have disabled authentication, the logout link does not display in the Management
Console banner. Symantec does not recommend operating Content Analysis without
authentication.

Log In to Advanced Secure Gateway

By default, Advanced Secure Gateway challenges administrative users for their log-in credentials before permitting access to
the Management Console. As a best practice, Symantec recommends that you log out of the appliance after completing your
tasks in the Management Console.

To log in to the appliance again, click the link on the window that displays or the following URL into a browser:

https://content_analysis_IP_address:8082

Manage the Appliance Licenses and Subscriptions

Register Advanced Secure Gateway

19 of 117
Advanced Secure Gateway - Content Analysis Administration

When you purchase a Advanced Secure Gateway virtual or physical appliance , your sales representative will furnish you with
a letter, (referred to as the e-fulfillment letter) that contains your appliance serial number and an activation code for your
subscription services.

With your e-fulfillment letter in hand, browse to the Symantec Licensing Portal at
https://licensing.symantec.com/acctmgmt/LicensePortal.jsp and follow the steps below.

1. Log in at https://login.symantec.com/ using your MySymantec credentials (typically your email address and a
password).

If you do not have a MySymantec account, select Create an Account to request one.

2. The licensing portal prompts you to select either License a Proxy or License Others. Click License Others.

3. Click Content Analysis System on the left, and select Software Antivirus Activation.

4. Enter your Content Analysis Serial Number and Activation Code into the fields provided, as detailed in your e-
fulfillment letter and click Submit.

5. The License Agreement appears. Review the license details, select I accept, and click Next.

20 of 117
 Advanced Secure Gateway - Content Analysis Administration

6. The Licensing Portal displays the details of your activated license. Review all text on this page, as the information
displayed here can alert you to potential delays or other concerns in licensing your appliance.

21 of 117
Advanced Secure Gateway - Content Analysis Administration

7. Log in to the web management console for the Content Analysis system you've just registered, and follow the steps
below to install the activated license.

Prompt Advanced Secure Gateway to Download and Install Your Activated

License and Subscriptions
1. In the Proxy tab of the Advanced Secure Gateway appliance web management console, click System > Licensing.

2. Click Download License from Blue Coat.

The appliance confirms the download and installation.

3. Proceed to "Activate Licensed Components" below.

Activate Licensed Components

Licensed Components can be managed in System > Licensing.

All Content Analysis components require a license to operate. After you have verified that the base license for your system is
installed, review the subscription components and enable them as required.

22 of 117
 Advanced Secure Gateway - Content Analysis Administration

Note: If your Advanced Secure Gateway license does not include a given component, this
page will display the following message, Unavailable, refer to the product documentation
for licensing help.
In the event that you see this behavior from a component you expect to have access to,
contact your Symantec partner, sales point of contact, or Customer Support to inquire further.

1. Select System > Licensing.

The Licensing Activation section of this page contains the following columns:

n Active: This column informs you of the activation status of a given component.

n Component: The name of the licenseable component.

n Status: The status of the component (Active or Available) and the date and time the license for that component
expires.

The licenses available to Content Analysis are grouped by type: 

n Base: The license to operate Content Analysis.

n Antivirus: Supported antivirus vendor licenses. See "Set AV Scanning Behavior Options" on page 28 for details
on vendor-specific settings.

23 of 117
Advanced Secure Gateway - Content Analysis Administration

n Sandboxing: Two components are available:

o Sandbox Broker forwards traffic to a configured external sandbox appliance or service.

o Symantec Cloud Sandboxing performs cloud-based dynamic malware analysis.

For details, see "Sandbox Suspicious Files" on page 52.

n Predictive Analysis : Scanning services that don't rely on known viral signatures:

o Cylance scours files for unique identifying features and converts those features into a numerical value.

o Symantec Advanced Machine Learning is included with antivirus subscriptions. It is activated when you
activate the Symantec Antivirus license.

For details, see "Improve Malware Scanning Results with Predictive Analysis" on page 34.

n Hash Reputation: Two components are included with the base license:

o  File Reputation. See "View the File Reputation Report" on page 84.

o Custom Whitelist/Blacklist. See "Manually Define File Reputation" on page 39.

2. To activate a component, select it in the Active column.

3. Click Save Changes.

Caution: Should any of your subscriptions expire, the appliance will not send an alert. The
service will continue to function, but it will be unable to retrieve updates until the subscription is
renewed.

24 of 117
 Advanced Secure Gateway - Content Analysis Administration

Prepare the Appliance to Scan Data

Before the Content Analysis can scan traffic from a ProxySG appliance, it must be configured to accept traffic. The topics in
this chapter will help you to ready Content Analysis to receive traffic to be scanned.

Change the Default ICAP Server Ports 27

Define File Type Policy 27
Set AV Scanning Behavior Options 28
Drop Slow Download Connections 32
Improve Malware Scanning Results with Predictive Analysis 34
File Reputation Service 38
Manually Define File Reputation 39
Integrate with Symantec Endpoint Protection Manager 41
Add a Malicious File to a SEPM Blacklist 42
Configure CounterTack Sentinel Endpoint Security 44
Integrate Advanced Secure Gateway with Security Analytics 45
Send Sandboxing Results to Symantec Reporter 47
Report Malware to Symantec Global Intelligence Network 49

25 of 117
Advanced Secure Gateway - Content Analysis Administration

26 of 117
 Advanced Secure Gateway - Content Analysis Administration

Change the Default ICAP Server Ports

ICAP server ports can be configured from Settings > ICAP.

Advanced Secure Gateway receives data from the ProxySG appliance or other ICAP-compliant network devices through an
Internet Content Adaptation Protocol (ICAP) connection. All Content Analysis appliance models support up to 250
simultaneous ICAP connections. Advanced Secure Gateway supports both Plain ICAP (default), and Secure ICAP. You can
change the port, but be advised that this change must occur on both ends of the transaction.

Define File Type Policy

File type policy can be configured in Services > AV File Types.

You can configure how Advanced Secure Gateway reacts when specific file extensions or file types are sent over ICAP from
the Proxy module of your Advanced Secure Gateway. File extensions policy applies to all antivirus vendors. If you employ
Kaspersky or Sophos, you can configure additional Ignore, Scan, and Block policy.

File Extensions

Advanced Secure Gateway scans files and files within an archive. You can specify file types that are blocked—neither
scanned, nor served to the client —or served to the client unscanned (allow). Checks are performed on the original file and files
inside an archive.

To reduce resource overhead, you can create policy in the Proxy module to restrict specified file extensions from being sent to
it for scanning. For more information, see Configure Exception Policy.

To specify a custom list of file types that are to be blocked or permitted without scanning:

1. Select Services > AV File Types.

2. Under File Extensions, enter file types as appropriate:

a. List files extensions to block—Any file types with these extensions are blocked and not served to the client.

b. List file extensions that do not need to be scanned—Any file types with these extensions are passed to the
user, unscanned. If you enable this option, consider the Symantec advisory that viruses and other malicious
code can be embedded in many file types, including image formats. Use a comma or semicolon as a delimiter to
separate file types. For example: .gif; .tif.

3. Click Save Changes.

Known File Type Management (Kaspersky or Sophos)

In addition to the manual file extensions lists, Content Analysis can, depending on the antivirus vendor, apply specific rules,

27 of 117
Advanced Secure Gateway - Content Analysis Administration

(Ignore, Scan, Block) to specific types of data. This feature is only available if your appliance is licensed to use either the
Kaspersky or Sophos AV engine. Instead of simply examining the file extension associated with each file, the appliance
examines the apparent data type to determine the correct type of file.

Apparent Data Types allow Advanced Secure Gateway to identify data using the actual file signature and information in the
HTTP header rather than by file extensions. For example, it can identify graphics (such as JPG and GIF files), documents,
archives, executables, encodings, media, macros, and even recognizes all files within an archived or compound Microsoft file.

Note: If an individual file in a compound file is specified to be blocked, the entire compound file
is blocked. For example, if a zip file contains Word files and JPG files and by policy Word files
are allowed while JPG files are blocked, the entire zip file is blocked.

To specify apparent data types and actions for each type:

1. In the Global Options field, select Apply Global Options before Sending to Antivirus Engines. This option applies
your selected actions against the most common file types.

2. Click the Ignore, Scan, or Block radio buttons to specify policy for each of the file types you want to take action on.

n Ignore—The file is served back to the Proxy module without being scanned by the Content Analysis module.

n Block—No scanning occurs and the Content Analysis module returns a response to the Proxy module that the
file was blocked (code type: file_type_blocked).

n Scan—The appliance scans the object for malicious content and returns the content or modified response to the
Proxy module.

3. For each configured vendor, determine whether to apply Global Options or to use vendor-specific options. To use
vendor-specific options, click the Ignore, Scan, or Block radio buttons to specify policy for each of the file types you
want to take action on. If you choose to use the unique file options for a specific antivirus vendor, check the appropriate
box or the actions will be ignored.

4. (Optional) Sophos only—Select Detection of weak types to enable recognition of file types that otherwise might be
difficult for Content Analysis to identify with 100 percent confidence.

5. Click Save Changes.

Set AV Scanning Behavior Options

Antivirus scanning configuration is available in Services > AV Scanning Behavior.

The Content Analysis scanning options allow you to set the parameters for optimal malware scanning.

28 of 117
 Advanced Secure Gateway - Content Analysis Administration

Note: To use more than one AV service while AML is activated, one of the AV services must
be Symantec AV. You cannot use multiple third-party AV services while AML is activated.

Step 1: Configure Advanced Secure Gateway to return cached responses.

Selecting Enabled configures Advanced Secure Gateway to return cached responses to the ProxySG appliance when
applicable. If the hash of the data matches a file that Advanced Secure Gateway has already determined to be clean or contain
a virus, it returns the cached response. This option allows the appliance to learn about traffic patterns on your network and
adjust accordingly.

Step 2: Set the maximum file size.

An individual file size cannot exceed the configured size (1-5120 MB). This limitation also applies to each file within an archive.
The default maximum file size is 100 MB.

Step 3: Configure policies for antivirus exceptions.

These options define how Advanced Secure Gateway behaves when a scanning timeout or a scanning error occurs. The
behavior is as follows:

n Block—If selected for an error type, the file is dropped

n Serve—If selected, the file is passed to the client, unscanned.

The default for all options is Block.

Scanning errors are described in the following table.

Error Description

File scanning timeout The time required to scan the file exceeds the specified or appliance limit.

Maximum individual file size A file size exceeds the specified or maximum appliance limit.
exceeded

Maximum total uncompressed An uncompressed file size exceeds the specified or maximum appliance limit.
size exceeded

Maximum total number of files in An archive contains more files than the specified or maximum appliance limit.
archive exceeded

Maximum number of archive An archive contains more archive layers than the specified or maximum appliance
layers exceeded limit. This option is only supported by Kaspersky and McAfee. Sophos generates
an antivirus engine error, which is categorized by the Other errors policy option

29 of 117
Advanced Secure Gateway - Content Analysis Administration

Error Description

Decode/decompress error An error occurred during decoding or during decompression of a compressed file.
For example, a corrupted file or a method used to decompress the file is
unsupported.

Password protected archive A archive file that requires a password to access.

Out of temporary storage space The buffer capacity for files to be scanned is full.

Other errors Any miscellaneous error that causes irregular behavior.

Step 4: Specify vendor-specific options.

Set the following vendor-specific options:

n Engine Settings

n File Scanning Timeout

n File Size/Count Limitations

Engine Settings

The following table describes the vendor-specific engine settings.

Option Vendors Default Notes

Detect Spyware Kaspersky Disabled

McAfee Enabled

Sophos Disabled

Detect Adware Kaspersky Disabled Detect Adware is disabled by default. It can be deselected, but it
cannot be selected without selecting Detect Spyware.

30 of 117
 Advanced Secure Gateway - Content Analysis Administration

Option Vendors Default Notes

Enable Anti- Kaspersky Disabled This option enables the appliance to catch potential viruses for
virus engine which pattern signatures might be unavailable.
heuristic

Because the Kaspersky antivirus engine heuristics option requires

additional system resources, Symantec recommends that you verify
that CPU usage is within the normal operating range for the
appliance before enabling heuristics.

Note: Do not enable Kaspersky heuristics if the current CPU

utilization is in a Warning or Critical state.

Detect Sophos Enabled This option detects adware.

Potentially
Unwanted
Applications
(adware)

Use Sophos Sophos Disabled

Weak Types

Enable Kaspersky Disabled In cases where a file cannot be identified, (when it is encrypted or
Enhanced password-protected) the URL can aid in identifying whether the file
Scanning is likely to be malicious or not. Some HTTP responses may pass
the information required to decrypt files in the originating URL
address of the file, or the HTTP headers of the HTTP transactions
used to request or get the file. Enhanced URL checking may use
this information to decrypt protected files and scan them
unencrypted.

Enable Kaspersky Disabled This option compares the URL in all HTTP request and response
URL Checking headers with a list contained in the Kaspersky antivirus pattern file
of known malicious sources.

File Insight Symantec Disabled Use a file reputation service in the cloud to determine the trust level
of files.

File Scanning Timeout

File scanning timeout is the maximum length of time the file is scanned by the system. When the timeout value is reached, the
scan is abandoned. Some files, though not viruses themselves, are designed to disable a virus scanner. Although these files
cannot disable a Advanced Secure Gateway, they could use up system resources and slow down overall throughput. Defining
a timeout value allows the system to reclaim some of its resources. The default is 800 seconds; a value between 10 and 3600
seconds (60 minutes) is valid.

File Size/Count Limitations

Maximum Total Uncompressed Size: This option is included in the vendor-specific settings. An uncompressed file or
archive cannot exceed the specified size (MB). The maximum is 5120.

31 of 117
Advanced Secure Gateway - Content Analysis Administration

Maximum Total Number of Files in Archive: This option is included in the vendor-specific settings. An archive cannot
contain more than the specified number of files.

Maximum Archive Layers: This option is included in the vendor-specific settings. An archive is a file containing multiple files
and a folder structure. It cannot contain more than the specified number of layers (directories). The maximum is:

n McAfee: 300

n Sophos: 100

n Kaspersky: 40

n Symantec: 40

If any of these options are exceeded, the object is not scanned.

After completing these steps, click Save Changes.

Click Default Settings to restore all configurations to a default state.

Drop Slow Download Connections

ICTM configuration is available in Settings > ICTM.

Intelligent Connection Traffic Monitoring (ICTM) monitors connections between the Proxy and Advanced Secure Gateway
modules in your Advanced Secure Gateway appliance. If connections take longer to complete than expected, (such as with
infinite stream data, like stock tickers or Internet radio), ICTM drops the connection to keep resources available for scanning
other objects.

When ICTM is enabled, the system checks for slow downloads and compares the number of concurrent slow ICAP
connections to the warning and critical thresholds. If the warning threshold is reached, the appliance notifies the administrator
of the dropped URLs (through an e-mail or SNMP trap, if the option is selected). You can use this information to create policy
on the Proxy to ignore these URLs or URL categories in the future.

If the critical threshold is reached, Advanced Secure Gateway terminates the oldest, slowest connections so that the level
below the threshold is maintained.

Optimize ICAP Connections

32 of 117
 Advanced Secure Gateway - Content Analysis Administration

1. Select Settings > ICTM.

2. Check Enable Intelligent Connection Traffic Monitoring (ICTM).

3. Specify how many seconds a connection lasts before it is determined to be a slow download. Symantec recommends
the default value of 60 seconds. The larger the value, the more resources are wasted on suspected infinite stream
URLs. Conversely, lower values might tag the downloads of large objects as slow, thus targeting them for termination
before the download is complete.

4. Specify the warning threshold:

a. Specify how many concurrent connections that have exceeded the duration specified in Step 2 before a warning
message is sent.

Note: By default, an e-mail warning is sent if this threshold is reached. The e-mail is
sent to recipients specified on the Alerts > Alerts Settings page. If you disable this
option, no warning is sent and the resource issue is not logged in the Advanced
Secure Gateway log file.

b. Specify the time interval, in minutes, that Advanced Secure Gateway repeats the warning messages while the

33 of 117
Advanced Secure Gateway - Content Analysis Administration

appliance remains in a warning state. The default value for this option is 0.

c. Check Send an alert any time connections are dropped to report when ICTM drops connections.

5. Configure when connections are dropped:

a. Specify the threshold at which Content Analysis drops older "slow" connections. If the number of concurrent
slow connections reaches this threshold, Content Analysis drops enough of these connections (beginning with
the oldest connections) to maintain a level below the critical threshold. Oldest connections are dropped first.

b. To send alerts whenever connections are dropped, enable the check box Send an alert any time connections
are dropped.

6. Click Save Changes.

Improve Malware Scanning Results with Predictive Analysis

Predictive Analysis configuration is available in Services > Predictive Analysis.

After Content Analysis determines that a PDF, EXE, DLL or Object Link Embedding (OLE) file has not been scanned before,
isn't on the file whitelist, and isn't on the file type exception list, it examines that file with the on-box Cylance Predictive
Analysis service. This service uses advanced artificial intelligence algorithms to identify and block malware, and can be used
to greatly improve the chances of identifying malware. Advanced Secure Gateway supports two predictive analysis services,
each requiring its own subscription license:

n Symantec Advanced Machine Learning - This technology stops new and unknown threats, and adapts to changing
threats without relying on signatures. When Advanced Machine Learning (AML) is engaged to evaluate potential
threats, the engine evaluates a multitude of information contained in the file being analyzed. It uses a proprietary
algorithm to compute the probability of a file being malicious. AML is included with antivirus subscriptions. It is
activated when you activate the Symantec Antivirus license.

For more information on AML, refer to http://www.symantec.com/docs/TECH236704 at MySymantec.

Note: To use more than one AV service while AML is activated, one of the AV services
must be Symantec AV. You cannot use multiple third-party AV services while AML is
activated.

n Cylance Predictive Analysis - The Cylance engine scours files for unique identifying features and converts those
features into a numerical value. That value is run through a proprietary algorithm to produce a score that is a predictive
indicator of whether the file is malicious or not. Cylance Predictive Analysis requires a subscription license.

AML

By combining deep knowledge of threats and files with state-of-the-art machine learning, AML is able to understand
characteristics of files and create a probability score to determine whether a file is safe. Rather than using signatures to match

34 of 117
 Advanced Secure Gateway - Content Analysis Administration

patterns, machine learning uses proven, well-tested, statistical methods. This allows AML to learn about files in a way that
signatures cannot do. Using this approach, new, previously unknown threats can be stopped. Even when the attack changes,
through replication mechanisms, distribution mechanisms or the payload itself, AML works to stop threats effectively.

After scanning a file to understand its characteristics, the AML algorithm computes the probability of a file being malicious.
This probability score determines what the Advanced Secure Gateway should do next with the file.

n Files with a high probability of being malicious will be blocked outright (convicted).

n Files with a low probability of being a threat are tagged "clean" and allowed for normal use (exonerated).

n Suspicious files will be sent to configured AV engines for further analysis.

To control the threshold at which AML file blocking occurs, you can set the Detection Sensitivity to Very Low, Low, Medium,
or High. With a high setting, more files will be blocked but a higher portion will not actually be threats. With a lower detection
sensitivity, fewer files will be blocked, at the risk of some threats not being detected.

1. Select Services > Predictive Analysis.

2. In the Symantec Advanced Machine Learning section, choose the desired Detection Sensitivity.

With a high detection sensitivity, AML will be aggressive in its determination of whether a file may be a threat, at the risk
of blocking files that may not actually be malicious. With a lower sensitivity, AML will block fewer files but with a risk of
some threats not being detected. Symantec recommends a high detection sensitivity for the strongest network
security.

3. Click Save Changes.

Licensing Information

35 of 117
Advanced Secure Gateway - Content Analysis Administration

n Symantec Advanced Machine Learning is included with any antivirus subscription license.

n The Symantec Antivirus subscription requires that AML be enabled; if AML is not enabled when you enable Symantec
AV, Advanced Secure Gateway will automatically enable it for you.

n Go to System > Licensing to verify that the license is active and enabled. See "Activate Licensed Components" on
page 22.

n If you want to turn off AML for troubleshooting purposes, you can temporarily disable the license. Note that you will not
be able to disable it if Symantec AV is active.

Cylance

To take action on the predictive analysis score, two threshold options are available: Block and Sandbox.

n Files with scores equal to or higher than the block threshold are blocked immediately with no further analysis.

n Files that return a result between the block and sandbox thresholds are scanned against antivirus engines enabled on
your appliance and then sent to the configured sandbox server(s) for deeper analysis.

n Files with scores below the sandbox threshold are scanned by the available antivirus engines, but are not subjected to
sandbox analysis.

Set the Thresholds

When Cylance Predictive Analysis scans data, it produces a reputation score. Scores over the defined threshold will block a
file outright, while scores below the defined threshold will be marked as clean.

36 of 117
 Advanced Secure Gateway - Content Analysis Administration

1. Select Services > Predictive Analysis.

2. Specify the threshold:

a. Move the Block Threshold slider between Safe and Threat until you reach the desired value.
The default value is 7.

A file with a score equal to or higher than the block threshold is blocked immediately with no further analysis.
Files with scores below the threshold are forwarded to the available antivirus engines, and if clean, forwarded to
the requesting user.

b. Move the Sandbox Threshold slider between Safe and Threat until you reach the desired value.
Symantec recommends a value of 2.

A file with a score equal to or higher than the sandbox threshold is forwarded to the configured sandbox services
for additional analysis. Files with scores below the threshold are not subjected to sandbox analysis.

Note: Files that return a result between the block and sandbox thresholds are
scanned against antivirus engines and sent to sandbox server(s) for deeper
analysis.

37 of 117
Advanced Secure Gateway - Content Analysis Administration

2. Click Save Changes.

Tip: If the block and sandbox thresholds overlap, Advanced Secure Gateway displays an
error. Make sure that the Sandbox Threshold does not exceed the Block Threshold.

Manage the Cylance Feature Database

Content Analysis checks for any updates to the Cylance Predictive Analysis feature database regularly, but new databases
are only available every three to four months. Because this service uses artificial intelligence based on common behavioral
patterns to identify malware rather than matching known signatures, it's not necessary to update Cylance that frequently.

1. Click Update Patterns to download and install the feature database.

Clicking this button tells the system to check if there is a feature pattern file available that is newer than the one it
already has. If a new file is available, Content Analysis downloads and installs it.

2. Click Force Pattern Update to download and install the feature database.
Clicking this button tells the system to download and install the most recent feature database, even if that same version
is already installed.

File Reputation Service

File Reputation settings are available in Services > File Reputation.

Caution: To use the Symantec File Reputation Service, ensure that Advanced Secure
Gateway has an active Hash Reputation File Reputation subscription license and that it can
access https://frs.es.bluecoat.com. No other configuration is required.

About the File Reputation Service

Content Analysis generates a SHA1 hash for each file it processes. That hash is compared with Symantec's cloud-based File
Reputation classification service to identify known files. The service uses reputation scores, numbers (1-10) that indicate
whether files are known to be trusted or malicious; low scores are less likely to be threats whereas high scores are more likely.
Depending on the reputation score, files are then either blocked if the score is high, passed to the user as safe if the score is
low, or processing continues with anti-virus scanning and sandboxing if the service doesn't know whether the file is malicious.

38 of 117
 Advanced Secure Gateway - Content Analysis Administration

Reputation
Meaning Action
Score

1 Trusted: File comes from known trusted source. File will be passed to the user without further
scanning.

2-6 Unknown: Unknown whether the file is malicious. File will be scanned by antivirus and sandboxing
services, if configured. As files are scanned by the
antivirus engines, positive results are shared with
the File Reputation service.

7-10 Malicious: File is likely malicious. File will be blocked/dropped.

Enable Cache Responses

To store file reputation data (file hashes with reputation scores) in a cache on Content Analysis, make sure Cache
Responses is enabled.

1. Select Services > File Reputation.

2. Make sure Cache Responses is checked.

3. Click Save Changes.

Manually Define File Reputation

Manual file reputation configuration is available in Services > Whitelist/Blacklist.

To prevent unnecessary scanning and analysis on files for which your organization has identified a reputation, you can add a
SHA1 hash to Content Analysis with the manual Whitelist/Blacklist configuration page. This service requires no additional
subscription license; it is included with the base license for the appliance.

During file processing, Content Analysis will check these lists before reaching out to the cloud-based File Reputation service.
Unlike the cloud service, the manual whitelist/blacklist configuration results in either an allow or deny, with no further analysis.
If the hash exists in either list, the file will either be permitted without further analysis (whitelist) or denied without further
processing (blacklist).

39 of 117
Advanced Secure Gateway - Content Analysis Administration

Tip: This feature is based on the SHA1 hash of files. You can use your favorite third party tools
(web-based and offline) to generate a SHA1 hash to use in your whitelist/blacklist
configuration.

Search for known file hashes

If you're not sure if the file you're looking to block or allow has been added to Content Analysis before, you can search each
reputation list.

1. Select Services > Whitelist/Blacklist.

2. Paste the SHA1 hash for a file in the Search for Hash field in either the whitelist or blacklist. Click Search.

3. The Search Results dialog appears.

a. If the search finds the supplied hash in the selected list, the Search Results dialog will advise that the hash
exists in the custom blacklist or whitelist.

b. If you wish to remove the file from the selected list, click Remove in the Search Results dialog.

c. If the search does not locate the hash in the selected list, the Search Results dialog will advise that the hash
does not exist in the custom blacklist or whitelist.

d. If you wish to add the file to the selected list, click Add in the Search Results dialog.

e. (Optional) When prompted, add a comment to identify the submission.

Add a file hash to file reputation lists

40 of 117
 Advanced Secure Gateway - Content Analysis Administration

If you know that the a hash does not exist in the file reputation list you are working with, you can add it.

1. Paste the SHA1 hash for a file to either Add Hash to Blacklist or Add Hash to Whitelist fields, depending on whether
you would like to block or allow user access to this file in future download attempts.

2. (Optional) When prompted, add a comment to identify the submission.

n If the file is already in the hash reputation list, Content Analysis displays an error message.

Export the hash blacklist or whitelist to a file

Whenever you make changes to either hash reputation list, it's a good idea to back up that list. Perform that backup with
Export.

1. Under Bulk Operations in either the Blacklist or Whitelist section, click Export.

2. You are prompted to save a comma-separated values file (.csv) containing your hash reputation list.
The .csv file is named either blacklist or whitelist, followed by the date (for example, blacklist_2015-12-01.csv).

Import the hash blacklist or whitelist from a file

If you have a file reputation list that you have previously saved, you can import it into Content Analysis.

1. Under Bulk Operations in either the Blacklist or Whitelist section, click Import.

2. You are prompted to browse for a comma-separated value file, (.csv). Locate the desired file and click Open. When the
upload is complete, the browser displays a confirmation dialog.

Integrate with Symantec Endpoint Protection Manager

When Content Analysis is integrated with Symantec Endpoint Protection Manager (SEPM), the endpoint computers are
managed by SEPM and proxied through a ProxySG that is connected to Content Analysis. After configuring SEPM to work
with Content Analysis, the administrator will be sent a threat alert when sandbox analysis reveals a file to be malicious. The
admin then has the option of adding the file hash to the file fingerprint list (a blacklist) on SEPM. Once SEPM knows about this
threat, no other end users will be able to run the file since it is on the endpoint blacklist; this stops the lateral spread of a
malicious file on the network. In addition, administrators have the option of running SEPM remediation policy to clean up the
initial infection; it executes the remediation policy that has been configured on SEPM.

Note: Refer to your Symantec Endpoint Protection Manager documentation for detailed
information on configuration and usage.

41 of 117
Advanced Secure Gateway - Content Analysis Administration

SEPM Prerequisites
n Symantec Endpoint Protection Manager 14 or later is required.

n Advanced Secure Gateway uses TCP port 8446 to communicate with the Symantec Endpoint Protection Manager
server. Ensure that any firewalls between Advanced Secure Gateway and the SEPM server are configured to permit
this traffic.

n Advanced Secure Gateway must have at least one sandboxing service configured.

SEPM Configuration
1. Select Sandboxing > Settings > Endpoint Integration.

2. Locate the Symantec Endpoint Protection configuration.

3. Click Enabled.

4. In the Server field, enter the server address for your Symantec Endpoint Protection Manager server.

5. Enter the Username and Password for your SEPM server in the corresponding fields.

6. Click Save Changes.

To view a report of recent threats that Content Analysis has discovered, select Statistics > Recent Threats. You can then
view details about each file and add it to a blacklist. See "Add a Malicious File to a SEPM Blacklist" below

Add a Malicious File to a SEPM Blacklist

When Content Analysis is integrated with Symantec Endpoint Protection Manager (SEPM), you have the option of adding
malicious files to its file fingerprint list, also known as a blacklist. Once this is done, you can stop the lateral spread of a future
infection, preventing other users from running the malicious file. You can also run SEPM remediation policy on the endpoint

42 of 117
 Advanced Secure Gateway - Content Analysis Administration

client that downloaded the malicious file.

Content Analysis offers two ways to blacklist a file after it determines the file is malicious:

n Locate the threat in the Recent Threats report, and then view its detailed report. (See steps below.)

n Click the Open in CAS button in the alert email that Content Analysis sends to the administrator.

To add a malicious file to the SEPM blacklist:

1. Do one of the following:

Select Content Anlaysis > Statistics > Recent Threats, locate the threat in the list, and click View Report. A window
opens with details about the threat.

43 of 117
Advanced Secure Gateway - Content Analysis Administration

or

Open the threat alert email, and click the Open in CAS button. The threat details open in Content Analysis.

2. Locate the Actions panel.

3. Select Add to Symantec Endpoint Protection Blacklist.

Once this is done, no other users will be able to install the malicious file.

4. (Optional) Select Run SEPM Remediation Policy on the endpoint.

Using remediation policy, SEPM cleans the infected computer by removing the threat and reversing its side effects if
the file was executed. Optionally, the file can be saved in a quarantine area for the administrator to examine later. This
option executes whatever remediation policy that has been configured on SEPM.

5. Click Submit.

Configure CounterTack Sentinel Endpoint Security

When malware is detected during sandbox evaluation, Content Analysis can query a CounterTack Sentinel Endpoint Security
server in your network to determine if any users retrieved the infected file. This information is then used in the report that
Content Analysis sends to administrators, and it includes infected workstation IP addresses and hostnames, as well as the
malicious behavior enacted by the threat on those systems. This allows security teams to prioritize alerts and focus first on
threats that have been verified on the endpoint.

Refer to your CounterTack Sentinel documentation for information on setting an administrative username and password for
your CounterTack Endpoint Security service.

44 of 117
 Advanced Secure Gateway - Content Analysis Administration

1. Select Sandboxing > Settings > Endpoint Integration.

2. Locate the CounterTack Sentinel configuration.

3. Click Enable.

4. In the Server field, enter the server address for your CounterTack server.

5. Enter the Username and Password for your CounterTack server in the corresponding fields.

6. Click Save Changes.

Tip: Advanced Secure Gateway uses TCP port 9090 to communicate with CounterTack
Sentinel servers. Ensure that any firewalls between Advanced Secure Gateway and
CounterTack server are configured to permit this traffic.

Integrate Advanced Secure Gateway with Security Analytics

Sandbox reporting configuration is available in Sandboxing > Settings > Security Analytics Integration.

Symantec Security Analytics is an advanced packet capture system that continually records network activity, allowing
network administrators to conduct swift forensic investigations when incidents occur. Once Advanced Secure Gateway and
Security Analytics are integrated and sandboxing is configured on CA, the administrator will get an alert with a link to a
Security Analytics report when a sandbox discovers a threat. The report contains the enriched full packet capture data showing
the network events before and after detection of the malware. By analyzing this report, the administrator can locate the
malware by its URL, IP address, or file hash, and find out additional information about the incident.

Integrate Security Analytics

You must have Security Analytics installed and configured before you can integrate it with Advanced Secure Gateway.

45 of 117
Advanced Secure Gateway - Content Analysis Administration

1. Select Sandboxing > Settings > Security Analytics Integration.

2. Select the Enabled Report check box.

3. Enter the server IP address or host name in the Server field.

4. Set Minutes Before Event and Minutes After Event to define the breadth of this report (0-1440 minutes).
Security Analytics constantly records all network traffic activity. When a sandbox detects malware, the SA report that
is generated includes a window of activity showing the events before and after detection.

5. Click Save Changes.

Note: If your organization employs Symantec Reporter and Management Center, see Settings
> Reporter to aggregate sandboxing results with your Proxy module's access log data.

Viewing the Security Analytics Report

The Administrator Sandboxing Threat alert contains a link to the report on the Security Analytics server. When administrators
receive an alert that a sandboxing threat was detected, they can click the link to view the report in Security Analytics and do
further investigation surrounding the event. Due to the dynamic nature of this report and the time taken to collect data, you may
need to examine the Analytics report several times before all activity is visible.

Caution: The Security Analytics report link will not appear in the alert if real-time sandbox
analysis is enabled ("Wait for Result" is selected) for the malware file type.

The Administrator Sandboxing Threat alert template contains the %SOLERA_PCAP_URL variable which will be replaced with a link
to the report in the alert message (shown below).

46 of 117
 Advanced Secure Gateway - Content Analysis Administration

Send Sandboxing Results to Symantec Reporter

Symantec Reporter configuration is available in Settings > Reporter.

After Content Analysis sends files to be executed in a configured sandbox (see "Sandbox Suspicious Files" on page 52) it
receives a report on that activity. This data is used to populate the Home and Statistics pages, but it can also be sent to
Symantec Reporter where it will be matched with data from the associated Proxy module (based on the connection's
transaction ID) to create a set of reports to be viewed in Symantec Management Center.

Note: This feature requires the following additional software versions to function: Reporter
version 10.4.1 or later, and Management Center version 1.6.1 or later.

Configure Content Analysis to Send Sandbox Logs to Reporter

47 of 117
Advanced Secure Gateway - Content Analysis Administration

The Reporter settings page allows you to configure FTP or secure FTP settings to upload sandboxing logs to a Reporter server
at regular intervals.

1. Select Settings > Reporter.

2. Check Use Reporter to enable the upload of sandboxing reports to the configured Symantec Reporter.

3. (Optional) Check Use Secure if your Reporter deployment uses secure FTP.

4. Set the Server IP address or host name of the FTP server.

5. Set the Username and Password for the FTP service.

6. Set the Path to match the folder on the FTP server in which this appliance's data will be saved.
This should match the path defined on your ProxySG appliance Access Log configuration.

7. Set the Upload Interval in minutes.

By default, this is 15 minutes.

8. Click Save Changes.

9. Click Test Settings to connect to Reporter's FTP service for testing purposes.

48 of 117
Report Malware to Symantec Global Intelligence Network
Enable reporting to Global Intelligence Network in Settings > GIN.

After a sandboxing service detects an infected file, Content Analysis sends a hash of the file, the filename, the URL, and other meta
data to the Symantec Threat Labs for further analysis. If that analysis determines that the file is not malware, the URL is classified
appropriately. If the analysis yields a positive result for malware, the Symantec WebFilter service is updated for all users worldwide
with the URL and file hash classified as malware. The hash of the file is also added to the cache database on the Advanced Secure
Gateway appliance so that it can block future threats at both the file and URL levels.

Enable Global Intelligence Network Threat Collaboration

To share this information with Symantec's Global Intelligence Network, and confirm that you have the best protection:

1. Select Settings > GIN.

2. Select the Notify Global Intelligence Network about suspicious files check box.

3. Click Save Changes.

The Global Intelligence Network powers Symantec’s Web Security portfolio, delivering fast and effective Web 2.0 threat protection for
75 million users worldwide.
About Sandboxing
A sandbox is a testing environment that executes potentially malicious files or URL requests in an isolated area, typically on a virtual
machine. If the sandboxing application finds that an executed file modified system files or infected the system in any way, those
issues will not spread to other areas. Files are executed in their own sequestered area, where they can be tested without posing any
threat to a client computer or network. Because the environment is not actually connected to a network, any malware that executes in
the sandbox environment cannot infect a real device or network.

You can have Advanced Secure Gateway send unknown or suspicious files to an external sandbox appliance or service. Vendors use
Windows virtual machines to execute files, but each vendor produces unique results when evaluating threats. Refer to your sandbox
vendor's documentation for details on how to configure it to accept data from Content Analysis.

n The SymantecMalware Analysis appliance evaluates the threat of a given file in one or more Windows virtual machines or
emulated virtual machines and provides a reputation score as a number between 1 and 10. The higher the number, the greater
the threat.

n Symantec

n The FireEye AX appliance (http://www.fireeye.com/) scan results in a simple Yes or No report. Content Analysis sends an
alert when a Yes response is received.

Note: FireEye NX is not supported on Advanced Secure Gateway.

n The Lastline (https://www.lastline.com/) sandbox is available in either cloud-based or on-premises server configurations.
Sandboxing evaluation with Lastline first compares a hash of the file with a database of known results. If no results are known,
the file is executed and that execution results in a score from 0 (safe) to 100 (malware).

Tip: If Malware Analysis and other sandboxes are configured, Content Analysis sends the file to each
sandbox server simultaneously. If the results from each sandbox analysis match, the MA score will
be reported to the appliance administrator email address(es).

When Content Analysis detects a suspicious file (executable or a common malware attack vector) that's not on the whitelist and
doesn't match any known malware signatures or trigger a malware score from Predictive Analysis, the appliance forwards the file to
Symantec Cloud Sandboxing (enabled via Sandboxing > Settings > General Settings) or an external sandbox for further analysis.
Sandbox services use different methods to identify the actions an executable file would take on a client workstation, including
malicious URL web requests and changes to system files. Once a file is analyzed, sandbox services score the file and report it either
to Content Analysis — or in the case of FireEye NX-series appliances, to the sandbox administrator— to take action. When malware is
reported to Content Analysis, it reports the result to Symantec Global Intelligence Network and updates the cache to take the
appropriate action if the file is requested again.
You can choose which file types Advanced Secure Gateway sends to the sandbox, although all file types that have potential for being
malicious are sent by default. Suspicious file types include executables, Word documents, PDFs, Excel spreadsheets, PowerPoint
presentations, application extensions, and so forth.

Background vs. Real-Time Sandbox Analysis

Advanced Secure Gateway can work with sandboxes in two ways:

n Background sandbox analysis Advanced Secure Gateway simultaneously sends the file to the sandbox and the user. When
the sandbox later comes back with a response, Advanced Secure Gateway will cache that response, so future requests of the
file will be blocked or allowed based on the cached response.

n Real-time sandbox analysis The user does not receive the requested file until the sandbox determines whether the file is safe
or malware.

The sandbox analysis mode (background vs. real-time) is selected per file type or extension. By default, Advanced Secure Gateway
uses background sandbox analysis for all file types and extensions. To enable real-time sandbox analysis for a particular file type, you
must select the Wait for Result option. See "Configure Sandbox General Settings" on page 57 for details.

Load Balancing Malware Analysis Appliances

Advanced Secure Gateway supports load balancing of multiple Malware Analysis appliances. If more than one MA is configured,
traffic is load-balanced based on the processing queue and system health of each configured and enabled appliance. The MA service
health and queued analysis connections can be identified from the MA management console. Analysis queues are managed
separately for SandBox and IntelliVM profiles waiting to be processed.

Caution: Load balancing between external Malware Analysis appliances and Symantec Cloud
Sandboxing may result in a slight detection difference within your load balanced cluster.
Sandbox Suspicious Files
Sandbox configuration is available in the Sandboxing tab.

When Advanced Secure Gateway comes across a file that it hasn't seen before and has a suspicious file type, it can send the file to a
sandbox for further analysis. See "About Sandboxing" on page 50.

Note: By default, users are permitted to download a file when Content Analysis sends it to be
analyzed by a configured sandbox. If a threat is detected, that detection is added to the system
cache, and subsequent requests for the same file are denied. For added security, Content Analysis
supports optional real-time sandbox analysis, preventing users from being infected during sandbox
analysis.

Workflow
1. Make sure the sandboxing license is active:

a. Select System > Licensing.

b. Verify that the Sandbox Broker components are selected and the subscription has not expired.

2. Configure the appropriate sandboxing vendor:

n "Configure a Symantec Malware Analysis Sandbox" below

n "Configure a FireEye Sandbox" on page 55

n "Configure a Lastline Sandbox" on page 56

Note: The Symantec Cloud Sandboxing service does not require additional configuration.

3. Enable the sandbox service(s) you are using. See "Enable Sandbox Services" on page 58.

4. Select which file types and extensions to send to the sandbox server, and specify whether you want to use background or real-
time analysis for each file type. See "Set Sandbox File Scanning Preferences" on page 58.

5. Monitor sandboxing results with "View the Sandboxing Report" on page 82.

Configure a Symantec Malware Analysis Sandbox

Malware Analysis configuration is available in Sandboxing > Settings > Symantec Malware Analysis.
 Note: Verify that the Sandbox Broker license is active and enabled: System > Licensing.

The Symantec Malware Analysis (MA) appliance evaluates the threat of a given file in one or more Windows Virtual Machines or
emulated Virtual Machines and provides a reputation score as a number between 1 and 10. The higher the number, the greater the
threat.

You can configure Advanced Secure Gateway to send unknown suspicious files to a Malware Analysis appliance or to an external
Content Analysis 2.1 appliance (which includes Malware Analysis) for further analysis. To do so, specify the IP address, port, and
credentials of the appliance; then, enable the profiles and tasks you want to test with.

1. In the Content Analysis tab of the Advanced Secure Gateway management console, select > Sandboxing > Settings >
Symantec Malware Analysis.

2. To define a CA or MA server, click Add in the Servers panel. The Add Server dialog opens.

3. Enter the IP address, port number, and administrative credentials used to access the CA or MA appliance:

n For integration with Content Analysis on-box sandboxing, specify port 8082 (requires CA v2.1 or later).

n For integration with standalone Malware Analysis, use the default port 443.

4. (optional) Click Test to validate the configuration. Close the validation window

5. Click Add. The MA server is listed in the Servers panel.

Tip: Click the Malware Analysis IP address to log in to its Management Console.

6. (optional) Repeat steps 2-5 to add additional MA appliances to your sandbox configuration.
 7. (optional) Select Submit to SandBox to enable MA's emulation feature.

n MA offers two environment types: IntelliVM, which executes files in a full Windows XP, Windows 7, or Windows 8
Virtual Machine, and SandBox, which executes files in an emulated Windows environment. Each malware scanning
environment identifies malicious URLs and activities performed when a suspicious file is executed. However, only
IntelliVM profiles fully replicate a user workstation. Some malware behaves differently when executed in a SandBox
environment than a Windows workstation, and that difference can result in some files not being properly identified as
malware. However, with only SandBox emulation enabled, MA scanning will be faster and use fewer resources than
with IntelliVM profiles.

n If you enable SandBox and IntelliVM profiles, MA will execute suspicious files in both environments.

n For maximum protection, send suspicious files to both the MA SandBox as well as the configured IntelliVM profiles.
However, keep in mind that MA Sandbox emulation is very labor intensive.

8. To set the Threat Threshold, move the slider to the left or right. The default value is 7.
Files that score at or above the threshold are considered threats, while those files that score below the threshold are considered
safe.

9. Enable the tasks you want to test with. A task is an execution of a sample file or URL in a defined environment (operating
system profile + testing plugin script). A plugin contains a specific set of actions or applications that are tested during sandbox
evaluation. If you enable more than one task, each enabled MA will execute suspicious files in each IntelliVM profile as well as
in sandbox emulation, if that option is enabled. For each additional plugin with the same profile, Content Analysis will generate
an additional task per profile on Malware Analysis. Refer to your MA documentation for details on the available plugins.

10. Verify that each Malware Analysis is enabled; select the check box in the Enabled column if necessary.
 11. Click Save Changes.

12. Click General Settings and enable Malware Analysis in the Sandbox Services panel.

13. Click Save Changes.

Caution: Make sure that the naming for each IntelliVM profile on each MA is consistent. If one
MA has a Windows 8 profile with the name "Windows8", every enabled MA must have a Windows 8
IntelliVM profile with that same name. Advanced Secure Gateway will report an error if an enabled
profile does not exist on all enabled Malware Analysis appliances.

Next Step: "Set Sandbox File Scanning Preferences" on page 58

Configure a FireEye Sandbox

FireEye AX sandbox configuration is available in Sandboxing > Settings > FireEye.

Advanced Secure Gateway supports only one model of FireEye appliances, the FireEye AX. FireEye NX is not supported.

Note: Verify that the Sandbox Broker license is active and enabled: System > Licensing.

FireEye AX sandbox scans result in either a positive or negative malware found response.

1. At the top of the Advanced Secure Gateway web management console, select Sandboxing > Settings > FireEye.
 2. Check Use FireEye AX and enter the server IP address and administrative credentials used to access the FireEye appliance.

3. Click Save Changes.

4. Click General Settings and enable FireEye in the Sandbox Services panel.

5. Click Save Changes.

Tip: Advanced Secure Gateway uses SSH on TCP port 22 to communicate with FireEye
AX appliances. If your network has a firewall deployed between your Advanced Secure Gateway and
FireEye appliances, ensure that TCP port 22 is open between them.

Next Step: "Set Sandbox File Scanning Preferences" on page 58

Configure a Lastline Sandbox

Lastline sandbox configuration is available in Sandboxing > Settings > Lastline.

Note: Verify that your sandboxing license is active and enabled: System > Licensing.

The Lastline (https://www.lastline.com/) sandbox is available in either cloud-based or on-premises server configurations.
Sandboxing evaluation with Lastline first compares a hash of the file with a database of known results. If no results are known, the file
is executed and that execution results in a score from 0 (safe) to 100 (malware).

1. In Content Analysis, select Sandboxing > Settings > Lastline. The Lastline configuration screen displays.

2. Enter the server address, API Key, and API token used to access your Lastline server.
 3. Set a Threat Threshold.
The default value is 70. Once set, files scored below the defined threshold are deemed safe, while files that score higher than
the threshold are classified as threats.

4. Click Save Changes.

5. Click General Settings and enable Lastline in the Sandbox Services panel.

6. Click Save Changes.

Tip: Advanced Secure Gateway uses HTTPS (TCP port 443) to communicate with Lastline servers.
Ensure that any firewalls between your Content Analysis and Lastline servers are configured to
permit this traffic.

Next Step: "Set Sandbox File Scanning Preferences" on the next page

Configure Sandbox General Settings

General sandbox settings are available in Sandboxing > Settings > General Settings.

Note: Verify that your sandboxing licenses are active and enabled: System > Licensing.
Enable Sandbox Services

Before or after configuring a sandbox server, make sure you enable the applicable service on the General Settings page.

1. Select Sandboxing > Settings.

2. In the Sandbox Services panel, select the sandbox service(s) you are using: Symantec Malware Analysis, Symantec Cloud
Sandboxing, FireEye, or Lastline.

3. Click Save Changes.

4. (If applicable) If you haven't yet added your sandbox servers, click Configure in the row corresponding to the service. Refer to
one of the following topics for details on defining sandbox servers:

"Configure a Symantec Malware Analysis Sandbox" on page 52

"Configure a FireEye Sandbox" on page 55

"Configure a Lastline Sandbox" on page 56

Note: Symantec Cloud Sandboxing requires no configuration other than activating the license
and enabling the service.

Set Sandbox File Scanning Preferences

The File Types and File Extensions panels provide a list of executable file types and extensions commonly used to distribute malware,
allowing you to select which ones to send to the sandbox servers. To determine the file type, Content Analysis reads the file header
and ignores the filename and extension, while file extension processing relies on the filename alone.
For File Types, you can select which types Content Analysis will send to your enabled sandbox servers, as well as enable real-time
sandbox analysis for selected types. For File Extensions, you can create your own list of file extensions, and Content Analysis will
send files with those extensions to your enabled sandbox servers; you can also enable real-time sandbox analysis for selected
extensions.

With real-time sandbox analysis, the user does not receive the requested file until the sandbox determines whether the file is safe or
malware. Note that real-time sandbox analysis is not enabled by default for any file types or extensions— you must enable the Wait for
Result option for those file types/extensions you want Advanced Secure Gateway to send to the sandbox for real-time analysis. For
files that aren't subject to real-time sandbox analysis, Advanced Secure Gateway will simultaneously send the file to the sandbox and
the user. When the sandbox later comes back with a response, Advanced Secure Gateway will cache that response, so future
requests of the file will be blocked or allowed based on the cached response.

Caution: Make sure that the Proxy module is configured to support ICAP feedback (Trickle object
data at end) to provide users with feedback during the scan. That option is available in the Proxy tab,
under Configuration > Content Analysis > ICAP > ICAP Feedback.

1. Select Sandboxing > Settings.

2. Locate the File Types and File Extensions panels.

 3. Select the file types you want Content Analysis to send to the configured sandbox servers for analysis:

a. In the Sandbox column, check the file types you want to send to the sandbox.

b. In the Wait For Result column, check the file types for which you want to enable real-time sandbox analysis.

4. Select the file extensions you want Content Analysis to send to the sandbox servers for analysis:

a. Click Add, type the extension (not necessary to type the period), and click Add.

b. Repeat for each file extension to be added.

c. In the Wait For Result column, check the file extensions for which you want to enable real-time sandbox analysis.

5. Define the duration Content Analysis will wait for real-time sandboxing results with Timeout (seconds).
The default value is 0, which will result in Content Analysis waiting until the sandboxing analysis is complete, regardless of the
duration. This field supports values of up to 600 seconds.

6. Click Save Changes.

Warning: Because the time it takes to analyze files in sandboxes can vary from a few seconds to a
few minutes, enabling real-time sandbox scanning can result in an increase in the number of open
ICAP connections between the Proxy and Content Analysis modules. After the maximum number of
ICAP connections are used, ICAP requests are queued on the Proxy module. You can monitor
ICAP queues from the Proxy tab, under Statistics > Content Analysis.

Next Step: "View the Sandboxing Report" on page 82

Configure Sandbox Cache Settings

Sandbox cache configuration is available in Sandboxing > Settings > Cache.

Content Analysis has two different sandbox caches that can be enabled/disabled independently:

n Results that the sandbox determined to be a threat are stored in the Threats Cache

n Results that the sandbox determined to be safe are stored in the Clean Cache.

Configure the Cache Settings

 1. Select Sandboxing > Settings > Cache.

2. Select/unselect the Enabled check box to enable/disable the Threats Cache. . After the sandbox analyzes a file and
determines it to be a threat, Content Analysis will store the file in the threats cache if the Threats Cache option is enabled.

3. Select/unselect the Enabled check box to enable/disable the Clean Cache. After the sandbox analyzes a file and determines
it to be safe, Content Analysis stores the file in the clean cache if the Clean Cache option is enabled.

4. Set the Time to live for responses in the clean cache. This option specifies how many minutes a result remains in the clean
cache before it is cleared out. The default is one hour (60 minutes). The range of acceptable values are 10 minutes to 1440
minutes (a day).

Note: Content Analysis only caches a clean result if all configured sandbox vendors are reachable
and deem the file to be safe. If one of the sandbox vendors is unreachable or has some other error,
and another vendor analyzes a file and finds it to be safe, Content Analysis does not cache the result.

Troubleshoot ICAP Errors
ICAP error codes are available as objects in policy for the Advanced Secure Gateway ICAP server only and are useful for creating
policy that is flexible and granular. SGOS 6.5.2 introduced policy actions to react to the results of an ICAP scan. See the ICAP Policy
and Content Analysis Exemption Policy topics for examples on working with the response codes below in policy.

Note: To take action on ICAP scan results, your ICAP request modification rule (or Malware
Scanning configuration) must use the Continue without ICAP/Malware Scanning option enabled to
be able to take action on a given request.

The following table lists common ICAP errors that the Proxy can address in policy:

ICAP Error Codes Available in Policy

ICAP Error Code VPM Object Name Description

Anti-virus Engine Anti-virus Engine The ICAP appliance was unable to load the
Failure Failure configured antivirus scanning engine.

Anti-virus License Anti-virus License The antivirus license on the ICAP device has expired.
Expired Expired

Anti-virus Load Anti-virus Load The ICAP device responded to the ICAP request, but
Failure Failure was unable to begin the file scan because the service
was unavailable.
ICAP Error Code VPM Object Name Description

Connection Connection Failure A connection to the ICAP device could not be

Failure established.

Decode error Decode Error Error detected during file decompression/decoding.

File Extension File Extension The ICAP device has the requested file extension set
Blocked Blocked to Block.

File Type Blocked File Type Blocked The ICAP device identified the file type from the file's
header and found that the detected file type is set to
Block.

ICAP Connection ICAP Connection A configuration mismatch has occurred with plain and

Mode Not Mode Not Supported secure ICAP settings. Verify that your ICAP appliance
Supported and ProxySG appliance ICAP service and policy
objects all support the same set of secure and
insecure connection methods.

ICAP Connection ICAP Connection A connection with the ICAP device could not be

Unavailable Unavailable established.

ICAP Security ICAP Security Error A connection was established with the ICAP device

Error but the security settings between the
ProxySG appliance and the ICAP device could not be
negotiated.

Internal Error Internal Error The ICAP device reported an unspecified error that
prevented the file from being scanned.

Password Password Protected Archive file could not be scanned because it is

Protected Archive password protected.

Insufficient Space Insufficient Space Indicates that the disk is full.

Maximum Archive Maximum Archive The ICAP device reported that the configured
Layers Exceeded Layers Exceeded maximum layers permitted in an archive file have
been exceeded.

Max file size Maximum File Size Maximum individual file size to be scanned exceeds
exceeded Exceeded settings in configuration.

Maximum Total Maximum Total Files The requested file exceeds the configured maximum
Files Exceeded Exceeded number of files permitted in a single archive file.

Maximum Total Maximum Total Size Maximum total uncompressed file size exceeds
Size Exceeded Exceeded settings in configuration. The maximum limit varies by
appliance model.
ICAP Error Code VPM Object Name Description

Request Timeout Request Timeout The requested file failed to load, as the connection
with the origin content server timed out.

Scan timeout Scan Timeout Scan operation was abandoned because the file
scanning timeout was reached.

The default is 800 seconds.

Server Error Server Error The origin content server responded to the user's
request to serve a file with an error.

Server Server Unavailable The origin content server hosting the requested file is
Unavailable unavailable.
 Advanced Secure Gateway - Content Analysis Administration

Monitoring and Alerts

As Content Analysis scans data, statistics for virtually every activity are tracked and either graphed or added to a report. Using
the various statistical reports, you can plan policy changes or determine the effectiveness of features such as cached
response and sandboxing.

64 of 117
Advanced Secure Gateway - Content Analysis Administration

Set Up Alert Delivery Methods

Alert delivery configuration is available in Settings > Alert Locations.

When significant events occur (such as when malware is found or a file is blocked), you can have Advanced Secure Gateway
notify you by sending an email, an alert log entry, or a syslog entry, or an SNMP trap. For each type of event that you want to
be notified about, select the desired alert delivery method.

Alert Delivery Methods

For each type of alert, check the box in the appropriate row for one or more of the following alert delivery methods:

n E-mail: Sends an e-mail to the administrator. To configure e-mail alerts, see "Configure E-Mail Settings" on page 67.

n Logging: Creates an entry in the system log.

n Syslog: Creates an entry in Syslog reporting output. See "Configure Syslog Alerts" on page 68. Entries will be sent via
the Proxy module and the Syslog server configured there.

n SNMP Trap: Sends a trap to the SNMP manager. See "Configure SNMP" on page 68. Entries will be sent via the Proxy
module and the SNMP server configured there.

Event Types

65 of 117
 Advanced Secure Gateway - Content Analysis Administration

You can set Content Analysis to generate alerts for the following types of events:

Event Description

Virus is found A virus was found in an ICAP session. If you have configured e-mail alerts, the URL of the web page where the
virus was found is included in the e-mail. So that you do not accidentally launch the page, the URL is reformatted
to make it unclickable. For example: http://virus.com is rewritten as hxxp://virus.com.

File was passed A file was served to the user who requested it without any Content Analysis scanning.
through without Based on the serve file policy setting in Services > AV Scanning Behavior and Services > AV File Types.
being scanned

File was A file is blocked for any reason other than a virus infection.
blocked For example, the administrator decides to block password-protected compressed files.
(exclude virus
case)

Anti-virus The antivirus update failed due to an error in retrieving or installing the latest image.
update failed

Anti-virus A new version of an antivirus pattern file has been installed.

update
succeeded

Intelligent The maximum specified concurrent slow connection warning or critical thresholds has been reached.
Connection
Traffic
Monitoring
(ICTM)

Reboot A system reboot has occurred on the appliance.

Sandboxing A newly discovered threat that the sandbox identified after it was delivered to the endpoint.
Threat Admin
Alert
(Asynchronous)

Sandboxing The sandbox has identified a threat and blocked it using either real-time sandboxing or because it was found in
Threat Alert the threat cache.

File Reputation Whitelist scanning identified a threat within the configured Whitelisting threat threshold.
Threat Alert

Predictive Predictive Analysis identified a file as potentially or absolutely infected with malware.
Analysis Threat Potentially infected files are sent to the configured sandbox server(s) (if configured) while absolutely infected
Alert: files are blocked.

Test Alerts
Click one of the buttons to send a test alert via each of the available methods.

66 of 117
Advanced Secure Gateway - Content Analysis Administration

Configure E-Mail Settings

E-mail alert configuration is available in Settings > Alerts > Email.

When you enable "Set Up Alert Delivery Methods" on page 65for specific events, you must define an SMTP (Simple Mail
Transfer Protocol) server and specify the e-mail addresses to which notifications will be sent.

67 of 117
 Advanced Secure Gateway - Content Analysis Administration

E-mail Addresses
Sender e-mail address The sender's name will appear in the From line of any e-mail message that Advanced Secure
Gateway sends out. For example: [email protected]

Recipient e-mail address The e-mail addresses to which alerts will be sent when alerts occur. Use a comma to separate
addresses, for example: [email protected],[email protected].

Warning: At least one recipient address is required. If you don't set a recipient address, the
appliance will not send alert e-mails.

Server settings
Server address Your SMTP server hostname or IP address. This is the server that will send alert e-mail to your
administrators.

Server port The port used by your SMTP server. Typically, the port used for SMTP is 25.

Authentication settings
If your SMTP server requires users to authenticate before sending mail, define your SMTP username and password.

When you're done entering your SMTP server settings, click Save Changes.

Configure SNMP
SNMP configuration is available in Proxy > Maintenance > SNMP.

The Simple Network Management Protocol (SNMP) is a widely used method of monitoring computer networks. You can
configure Advanced Secure Gateway to automatically send event notifications to any SNMP server, from Content Analysis >
Settings > Alert Locations.

SNMP configuration is global on the Advanced Secure Gateway appliance, and set in the Proxy tab > Maintenance > SNMP.

Configure Syslog Alerts

Syslog server configuration is available in Settings > Alerts > Syslog.

The syslog feature gives administrators a way to centrally log and analyze events. If you enable syslog alert reporting for any
events, you must also define the syslog server settings.

68 of 117
Advanced Secure Gateway - Content Analysis Administration

1. Server: The IP address or hostname of your syslog server.

2. Port: The port used by your syslog server to listen for incoming data.

3. Protocol: The transport protocol used by your syslog server. Available options are: UDP, TCP, and SSL/TLS.

4. Facility: The level of detail and format, as dictated by your syslog server.

See your syslog server's documentation for more information.

5. Click Save Changes.

Customize Alert Messages

Alert message configuration is available in Settings > Alerts > Messages.

When significant events occur, Advanced Secure Gateway sends alerts to the configured alert delivery methods (e-mail,
SNMP, local log, and/or syslog). These message templates are in plain text and can be customized with variable keywords to
provide context to each alert event. By including variables in the message, you can see, for example, the URL from which an
infected file was downloaded, who downloaded the file, and the name of the virus.

1. Select Settings > Alerts.

2. Click Messages.

69 of 117
 Advanced Secure Gateway - Content Analysis Administration

3. Click one of the icons below to modify the alert message template:

n Displays a template for the alert that includes the alert message text and variable keywords that will be
reported in email, system log, SNMP traps, and syslog messages.

n Displays the HTML code for the alert message that will be sent to users upon exception.

The following variable keywords can be included in message body or subject.

Variable Description

%ACTION Action that was performed (file passed/dropped)

%ADMINMAIL Administrator's e-mail address

%APPNAME Application name (Content Analysis)

%APPVERSION Content Analysis software version

%AVENGINEVERS Antivirus engine version

%AVPATTERNVERS Antivirus pattern version

%AVPATTERNDATE Antivirus pattern date

%AVVENDOR Antivirus vendor

%CAS_REPORT_URL URL to Content Analysis to display a threat report

%CLIENT Client IP address

%COUNTERTACK_ IP addresses and host names of infected workstations

TEXT_DETAILS

%COUNTERTACK_ URL to the CounterTack report

URL

%CYLANCE_DETAILS Cylance threat details

%CYLANCE_SCORE Cylance threat score

%FIREEYE_THREAT_ URL to the FireEye threat report

HTML_URL

%HWSERIALNUMBER Content Analysis appliance serial number

%MACHINEIP Content Analysis appliance IP address

%MACHINENAME Name of the Content Analysis appliance

%REASON Why the event occurred. For example, why was the file scanned?

70 of 117
Advanced Secure Gateway - Content Analysis Administration

Variable Description

%SEP_ID ID of the Symantec Endpoint that made the request

%SERVER Server IP address

%SOLERA_PCAP_ URL to sandboxing report on Security Analytics server.

URL
Notes:

o This variable is included in the Administrator Sandboxing Threat alert template.

o The Security Analytics report link will not appear in the alert if real-time sandbox
analysis is enabled ("Wait for Result" is selected) for the malware file type.

%THREAT_HTML_ Full threat report on Malware Analysis appliance

URL

%THREAT_SCORE Risk score

%TIMESTAMP Time the event occurred

%URL URL from which the file was downloaded

%VIRUS Virus or potentially unwanted software (PUS) name

The % character always precedes the variable name. Capitalization is also important; do not use lowercase
variable names.

4. Click Save Changes.

Tip: To change the order of the variables that are sent in syslog output, edit the message
template and place the variables in the desired order for syslog.

Send System Statistics by Email

Each page in the Statistics tab includes the Email Day Report button. This optional logging tool allows you to send reports for
specific statistics to the administrator email address(es) immediately or at regular intervals.

Email a Report Now

1. Click Email Day Report.

2. Select Send Now. The Send Report dialog opens.

71 of 117
 Advanced Secure Gateway - Content Analysis Administration

3. Select the format Content Analysis will use to send the graphical report:

n JPG image

n PNG image

n PDF file

4. Click Send Now to prompt Content Analysis to send the report to the addresses configured in Settings > Alerts >
Email.

Schedule a Report
1. Click Email Day Report.

2. Select Schedule. The Schedule Report dialog opens.

3. Select the format Content Analysis will use to send the graphical report:

n JPG image

n PNG image

n PDF file

4. Select the days of the week on which you want Content Analysis to email a report for the statistics on this page.
Click once to select, click again to de-select.

5. From the Send report at: drop-down menu, select the time of day (in UTC) to send the report.

6. Click Schedule to save the schedule.

Reports will be sent according to the schedule to the addresses configured in Settings > Alerts > Email .

72 of 117
Advanced Secure Gateway - Content Analysis Administration

Malware Processing Reports

Malware processing reports give you statistical details about the processing the system does so that you can see the
effectiveness of various features.

View Threat Management Results 74

View the Sandboxing Report 82
View the Predictive Analysis Report 83
View the File Reputation Report 84
View the Whitelist and Blacklist Reports 85
View Recent Threats 86
View Cache Hits 88
View Objects Processed 88
View Bytes Processed Report 90
Current Scanning Requests 90
View Historical Requests 91
View Historical Request Results 92
View the CPU/Memory Usage 94

73 of 117
 Advanced Secure Gateway - Content Analysis Administration

You are here: Overview

View Threat Management Results

The Overview Tab is available by clicking on Overview on the top banner of the Advanced Secure Gateway management
console.

When you log in to the Advanced Secure Gateway appliance, the first tab displayed is the Overview Tab. Information in this
tab is displayed in the form of widgets; each of which provide information on different aspects of your Threat Protection
solution.

Summary
The Summary widget displays high-level information about detections and system status since the appliance was last
powered on. Show screen...

74 of 117
Advanced Secure Gateway - Content Analysis Administration

Threat Lab Statistics

The Threat Lab Statistics widget displays the threats detected by Symantec's Threat Analysis Laboratory on a daily basis.
This information is derived from Threat Analysis team's own scans as well as from Content Analysis and Advanced Secure
Gateway appliances in the field that have Share Sandboxing Results with Global Intelligence Network enabled. Show
screen...

An expanded view of this information is available at the Blue Coat Threat Lab portal at https://www.bluecoat.com/bc-labs-
home. To ensure that your appliance is sending results from Sandbox detection, see Report Malware to Symantec GIN.

75 of 117
 Advanced Secure Gateway - Content Analysis Administration

Security Modules
The Security Modules widget reports the number of files that have been processed, and of those, how many have been
blocked and by what service, (Proxy policy, Content Analysis virus or malware scan, or Sandboxing execution). This report is
generated based on the persistent data metrics provided by the Proxy security module. Show screen...

The results of this scanning are broken down by the various methods by which a user's request can be denied:

n Blocked by Appropriate Use Policy - Tracks requests that have been denied due the configured rules in proxy policy,
(such as www.gambling.com DENY). The following exceptions trigger this statistic:

content_filter_denied
coach
client_failure_limit_exceeded
geoip_denied
license_expired
license_suspended
license_exceeded
policy_redirect
policy_request_redirect
policy_time_quota_exceeded
policy_time_quota_warning
policy_volume_quota_exceeded

76 of 117
Advanced Secure Gateway - Content Analysis Administration

policy_volume_quota_warning
server_request_limit_exceeded
method_denied
notify
notify_missing_cookie
tcp_error_geoip_restricted

n Blocked by Security Policy - Tracks requests that, during policy evaluation, failed to meet the security constraints set
in policy. The following exceptions trigger this statistic:

authentication_failed
authorization_failed
bad_credentials
connect_method_denied
dns.respond
dns.respond.a
dns.respond.aaaa
dns.respond.ptr
password_override
ssl_server_cert_expired
ssl_server_cert_ocsp_check_failed
ssl_server_cert_ocsp_status_unknown
ssl_server_cert_untrusted_issuer
ssl_server_cert_revoked
ssl_client_cert_expired
ssl_client_cert_ocsp_check_failed
ssl_client_cert_ocsp_status_unknown
ssl_client_cert_untrusted_issuer
ssl_client_cert_revoked
server_authentication_error
policy_denied
silent_denied
invalid_request
unsupported_protocol
unsupported_encoding
bad_credentials
invalid_saml_post
client_failure_limit_exceeded
server_request_limit_exceeded

n Content Analysis - Tracks requests scanned by one or more of the available malware scanning engines in the Content
Analysis module, as well as those requests that were blocked because malware was detected.

n Sandboxing - Tracks requested files that passed URL and Category-based proxy policy, as well as virus and malware
scanning, but that resulted in a high malicious score during sandboxing execution by either Symantec's Malware
Analysis Appliance or a FireEye appliance.

77 of 117
 Advanced Secure Gateway - Content Analysis Administration

Alerts

Identify the number of malware-infected files detected in file uploads or downloads by Advanced Secure Gateway users, as
well as files that matched known File Reputation hashes for files requested over the past week. This at-a-glance report is
helpful in identifying internal clients that are infected and sending out infected files, or if a large number of users attempt to
download content that has been marked as bad by the File Reputation service. You can then examine Symantec Reporter
reports to identify the users involved.

Show screen...

Inbound / Outbound Traffic

View the traffic (in bytes) going Out, destined for the Internet from internal users behind the Advanced Secure Gateway
appliance, (forward proxy) or coming In from the Internet, (Reverse Proxy) destined for an internal application server.
Bypassed traffic, or traffic not matching a configured service listener in the Proxy module, does not populate this graph.

78 of 117
Advanced Secure Gateway - Content Analysis Administration

Show screen...

Files Scanned and Blocked

This widget displays the scan results for the Last 24 Hours, Last 30 Days, or The Last 60 Seconds, for threats detected by
the Advanced Secure Gateway module. File types set within the Proxy module to be allowed or blocked are tracked here by
either Allowed by Policy or Blocked by Policy. For more information on Proxy file policy, see Configure Content Analysis
Scan Policy.

79 of 117
 Advanced Secure Gateway - Content Analysis Administration

Show screen...

Websites / Domains Blocked

The top ten blocked websites and domains are reported here. This widget displays the top ten blocked domains for the Last 24
Hours by default, and via a drop-down, you can modify this report to show the top ten denied domains for The Last 30 Days or
The Last 60 Minutes. Hover your mouse over each pie slice to show the domain it represents.

80 of 117
Advanced Secure Gateway - Content Analysis Administration

Show screen...

Decrypted / Encrypted / Un-encrypted Traffic

View the breakdown of how Un-encrypted (HTTP), Encrypted HTTPS and Decrypted HTTPS traffic is handled through the
Proxy module. Three types of information are displayed:

n Decrypted - Traffic that is encrypted with HTTPS, but has been decrypted with the use of an SSL Interception policy.

n Encrypted - Traffic that is encrypted with HTTPS, and has not been decrypted with policy.

n Un-encrypted - Traffic that is HTTP, FTP, or another plain-text protocol that the proxy is configured to listen for.

Use this report to identify that the SSL interception configuration in your Proxy policy is functioning as expected. If not, it may
be prudent to examine that policy further. It's important to note, SSL traffic that is neither Decrypted nor Un-encrypted
cannot be scanned for malware by the Advanced Secure Gateway module.

81 of 117
 Advanced Secure Gateway - Content Analysis Administration

Show screen...

View the Sandboxing Report

Sandboxing statistics are available in Sandboxing > Statistics.

The Sandboxing report contains the following charts:

n Threats blocked by sandboxing This statistic gets incremented every time a file is blocked because of a malicious
sandboxing verdict. This includes serving from the cache or real-time sandboxing. Chart includes data for on-box and
external sandboxing.

n Files submitted to sandboxing This statistic gets incremented when a file is sent to a sandboxing profile or vendor for
further analysis. If there are multiple profiles or vendors configured (such as two MA profiles and FireEye), there will be
multiple submitted counts per file (three, in this example). In addition, if a zip file contains files that should be
sandboxed, the submitted statistic increments for each file inside the zip. Chart includes data for on-box and external
sandboxing.

82 of 117
Advanced Secure Gateway - Content Analysis Administration

n Threats discovered by sandboxing This statistic gets incremented for every submitted file that is found to be
malicious. (The discovered statistic won’t ever be bigger than submitted.) Chart includes data for on-box and external
sandboxing.

The report can display data for the last hour, day or 30 days. To clear the information displayed on this page, click Reset
Statistics.

Use the Email Day Report button to send the details on this page to the administrator email accounts (defined in Settings >
Alerts > Email). See Email Day Report for more information.

View the Predictive Analysis Report

Predictive Analysis scanning statistics are available in Statistics > Predictive Analysis.

The Predictive Analysis report displays the number of files scored by the Predictive Analysis service, how many of these files
were found to be safe, how many contained threats, and how many were sent to the Sandboxing service for further analysis.
There are individual graphs for each category: Scored, Safe, Threats, Sandbox.

83 of 117
 Advanced Secure Gateway - Content Analysis Administration

View Predictive Analysis scan results for the last hour, day, or 30 days. To clear the data displayed on this page, click Reset
Statistics.

Use the Email Day Report button to send the details on this page to the administrator email accounts (defined in Settings >
Alerts > Email). See Email Day Report for more information.

View the File Reputation Report

File Reputation statistics are available in Statistics > File Reputation.

The File Reputation report (previously known as the whitelisting report) displays the number of files scanned, and of those
files, the number of files allowed based on their reputation score and the processing time savings by minute. View File
Reputation statistics for the last hour, day, or 30 days. To clear the data displayed on this page, click Reset Statistics.

84 of 117
Advanced Secure Gateway - Content Analysis Administration

Use the Email Day Report button to send the details on this page to the administrator email accounts (defined in Settings >
Alerts > Email). See Email Day Report for more information.

View the Whitelist and Blacklist Reports

Reports for whitelist and blacklist activity statistics are available in Statistics > Whitelist/Blacklist.

The Whitelist/Blacklist statistics page reports on when Content Analysis recognizes file hashes in scanned data that are
defined either whitelist or blacklist in Services > Whitelist/Blacklist. The green circle on the top of this page tracks the
whitelisted files that have been allowed, and the red circle tracks the blacklisted files that have been blocked.

85 of 117
 Advanced Secure Gateway - Content Analysis Administration

Two graphs on this page track the history of blacklist and whitelist matches over the past hour, day, or month. Click the
appropriate button under Show me the past Hour, Day, or 30 Days to change the interval view. Files that are detected and
blocked are also reported on the Content Analysis home page.

To clear the data displayed on this page, click Reset Statistics.

Use the Email Day Report button to send the details on this page to the administrator email accounts (defined in Settings >
Alerts > Email). See Email Day Report for more information.

View Recent Threats

The list of recent threats that Content Analysis has detected is available in Statistics > Recent Threats.

The Recent Threats report lists the 1000 most-recent threats, 20 threats per screen page. For each threat, the report lists the
date and time of detection, the name of the malicious file, the URL link to the file, the user who attempted to download the file,
the type of protocol used for file submission (ICAP or API), Content Analysis suggested action (block or serve),and a link to a
full report on the threat.

86 of 117
Advanced Secure Gateway - Content Analysis Administration

Navigate the List

Use the page controls at the bottom of the report to display other pages:

View Threat Details

Click the View Report link to find out details about the threat.

87 of 117
 Advanced Secure Gateway - Content Analysis Administration

The Score in the detailed report is connected to the module that detected the threat. In the example shown above, the File
Reputation service identified the threat as a file with a reputation score of 10 (known malicious). The Blocked Recurrence
panel lists each time the threat was blocked and the user who attempted to download or open the file.

The Actions panel contains options for those customers who have integrated Content Analysis with Symantec Endpoint
Protection. See "Integrate with Symantec Endpoint Protection Manager" on page 41 and "Add a Malicious File to a SEPM
Blacklist" on page 42.

View Cache Hits

Historical statistics for cache hits are available in Statistics> Cache Hits.

The Cache Hits report shows how many files have been served to users without scanning, because those files were found to
match a hash of an earlier successful scan. This report counts the files that were served from any of the Content Analysis
caches (Antivirus, File Reputation, Predictive Analysis, Sandboxing). Information is shown for the past hour, day, or 30 days.

Use the Email Day Report button to send the details on this page to the administrator email accounts (defined in Settings >
Alerts > Email). See Email Day Report for more information.

View Objects Processed

The ICAP Objects graph is available in Statistics > Objects Processed.

The ICAP Objects report shows how many objects (files) Advanced Secure Gateway has scanned in the past hour, day, or 30

88 of 117
Advanced Secure Gateway - Content Analysis Administration

days. To clear the data displayed on this page, click Reset Statistics.

Show report...

Underneath the graphs, a Recent Threats report lists the specific threats that Content Analysis has found, with the most
recent threats listed first. The report indicates which CA module (such as Antivirus or File Reputation) found the threat, the
source of the threat, the IP address of the client that requested the infected file, and the date and time of the incident. Show
report...

Use the Email Day Report button to send the details on this page to the administrator email accounts (defined in Settings >
Alerts > Email). See Email Day Report for more information.

89 of 117
 Advanced Secure Gateway - Content Analysis Administration

View Bytes Processed Report

Traffic byte statistics are available in Statistics > Bytes Processed.

The Bytes Processed report allows you to monitor how much traffic, in bytes, Advanced Secure Gateway has processed in the
past hour, day, or 30 days. To clear the data displayed on this page, click Reset Statistics.

Use the Email Day Report button to send the details on this page to the administrator email accounts (defined in Settings >
Alerts > Email). See Email Day Report for more information.

Current Scanning Requests

Statistics for current connection are available in Statistics > Current Requests.

You can review all scanning requests in real time in this report.

Request Columns

90 of 117
Advanced Secure Gateway - Content Analysis Administration

Column Description

Date The date the scan was started.

URL The URL from which the file was retrieved.

ICAP Client IP The IP address of the client requesting the file.

Size The size of the file being scanned.

State The state of the scanning process. Available states are Reading, Queued, and Scanning.

Duration (ms) The amount of time taken to scan the file, measured in milliseconds.

Type Type of connection (Plain or Secure).

Click Refresh to update the connection list since the report was initially displayed on the screen. Click Reset Statistics to
clear the saved statistics in this report .

View Historical Requests

Connection data historical statistics are available in Statistics > Historical Requests.

With this report, you can track the scan history details such as the filename and URL on which it was found.

View Request History

1. Select Statistics > Historical Requests.

2. Set the number of requests to display by entering the number in the Collect last __ requests.

3. Click Save Changes.

4. Click Refresh to display the request history list.

This report contains the following columns.

91 of 117
 Advanced Secure Gateway - Content Analysis Administration

Column Description

Date The date the ICAP scan finished.

URL The URL from which the file was retrieved.

Client IP The IP address of the client requesting the file.

Size The size of the file that was scanned.

Result The result of the scan. See Scan Results for more information.

Duration (ms) The amount of time taken to scan the file, measured in milliseconds.

View Historical Request Results

A list of historical connections can be viewed in Statistics > Historical Requests .

Refer to the proceeding table to understand the results of past ICAP scans for Historical Requests.

Result Description

Clean The file contained no threats.

Parameter Error Incorrect scan parameter defined.

Password Protected The file could not be scanned as it is protected by a password.

Unsupported Compression The file uses an unsupported compression method.

Corrupt Archive The archive file, (zip, rar, gz) could not be opened because it is corrupted.

Too Many Layers The archive file exceeds the maximum number of archive layers supported.

Unsupported The file is not a supported type for analysis.

Too Large The file exceeds the maximum file size limitation.

Uncompressed Size Too Large The archive file exceeds the maximum file size limitation.

Too Many Files in Archive The archive file (zip, rar, gz) exceeds the limit of files in an archive.

Blocked Extension The file was blocked based on the AV File Type configuration.

Ignored Extension The file was not scanned, based on the AV File Type configuration.

Ignored Type The file was not scanned, based on the apparent data type of the file.

Timeout The scan process failed, waiting for the end of the file. Enable ICTM in Settings > ICTM  if
this message appears frequently.

No Patterns The antivirus pattern was not available for the active antivirus vendor.

Update Error An error occurred during the antivirus pattern update. The file was not scanned.

Invalid Option A required scan option is not defined. The file was not scanned.

92 of 117
Advanced Secure Gateway - Content Analysis Administration

Result Description

License Expired The license for the component required for scanning has expired. The file was not
scanned.

Internal Error An internal error occurred. The file was not scanned.

Unknown Error The file was not scanned due to an unexpected error.

Virus A virus was found during the scan.

Blocked Type The file was blocked based on the apparent data type of the file. (Kaspersky or Sophos
only).

Insufficient Resources The appliance has exceeded the available resources, (CPU, Disk, Memory). The file was
not scanned. To determine the cause of resource issues, review the Advanced Secure
Gateway .

Internal AV Error The antivirus engine experienced an issue while scanning the file.

AV Load Error The antivirus engine failed to load.

Out of Memory The appliance ran out of available memory while the file was being scanned.

Use the Email Day Report button to send the details on this page to the administrator email accounts (defined in Settings >
Alerts > Email). See Email Day Report for more information.

93 of 117
 Advanced Secure Gateway - Content Analysis Administration

View the CPU/Memory Usage

CPU and Memory Usage statistics are available in Statistics > CPU/Memory Statistics.

CPU Usage Statistics

The CPU Usage report shows CPU utilization, as represented as a percentage of available cycles at a given point in time, for
Advanced Secure Gateway. Advanced Secure Gateway displays information for the past hour, the past day, and month.

If you find that the CPU consistently uses over 90% of the available cycles, you can reduce load on the appliance by applying
policy to the associated Proxy to restrict the types of files sent to Advanced Secure Gateway. If this behavior persists, your
Advanced Secure Gateway system may be undersized for the amount of traffic your users generate.

Memory Usage Statistics

94 of 117
Advanced Secure Gateway - Content Analysis Administration

Advanced Secure Gateway displays memory usage information for the past hour, day, and 30 days on this page. It is normal to
see occasional spikes in memory usage during periods of high load, but if Content Analysis sustains a memory utilization
value beyond 90% for more than a day, consult Symantec Support for assistance.

Use the Email Day Report button to send the details on this page to the administrator email accounts (defined in Settings >
Alerts > Email). See Email Day Report for more information..

95 of 117
 Advanced Secure Gateway - Content Analysis Administration

Manage the System Logs

Set the System Log Parameters 96
Review System Activities 98

Set the System Log Parameters

Log parameter configuration is available in Settings > Logging.

Use these settings to set logging options for various Content Analysis modules. Each entry under Module is a section of code
that serves a certain purpose (such as AUDIT, ICAP, INTERNAL, and SNMP). Logging by module allows a more finite
understanding of what is occurring in the product. Use the File column to define how much detail is included in the log file that
is saved to the appliance, and the Syslog column to specify the detail level of events sent to your Syslog server.

1. Select Settings > Logging.

2. In the File and Syslog columns, click the row corresponding to the module for which you want to set the log severity.
The interface displays a drop-down, as shown below.

3. In the drop-down list, select a file error severity level for the module.
Depending on the log file, some or all of the following options are available: None, Critical, Error, Warning, Info,
Debugging. Setting the severity alters how verbose each log message is, from most verbose, (DEBUGGING) to least
(CRITICAL). Select NONE to disable log reporting for each of the output options.

Caution: The INFO and DEBUGGING levels produce many log entries and are not
recommended as permanent settings. Only enable these levels when requested by
Symantec Support to troubleshoot a problem; then return the setting to a less verbose
level.

96 of 117
Advanced Secure Gateway - Content Analysis Administration

4. Click Save Changes.

97 of 117
Review System Activities
The system logs can be viewed in Utilities > System Logs.

Use this page to review the Advanced Secure Gateway subsystem activity logs. All functions performed by Advanced Secure
Gateway appliance are logged. Typically, this information is only useful when troubleshooting an issue with the assistance of a
Symantec Support engineer or partner.

The logs in this list, along with web logs and the system configuration can be sent to Symantec Support via the Utilities >
Troubleshooting page.
 Advanced Secure Gateway - Content Analysis Administration

Administrative Tasks
Define an Administrative Login Message 100
Update Antivirus Pattern Files 101
Install a New System Image 102
Archive or Restore the System Configuration 105

99 of 117
Advanced Secure Gateway - Content Analysis Administration

Define an Administrative Login Message

Administrative login messages can be configured in Settings > Consent Banner.

The consent banner is the message that displays when administrators log in to Advanced Secure Gateway management
console and CLI via SSH or serial console. Enable this banner if your organization requires users to comply with an acceptable
use policy or to inform users of the consequences of unauthorized use. When enabled, users must accept the terms defined in
the banner prior to accessing the management console. By default, the login banner is disabled.

Enable and Configure the Login Banner

1. Select Settings > Consent Banner.

2. Click the Show Consent Banner check box to enable the display of the banner text on the login page.

3. In the Banner Text field, enter the text that you would like users to view and accept when they log in. Up to 2000
characters are supported in this field.

4. (Optional) Click the Show Consent Banner Logo check box to display your company logo.

5. To select the logo image, click Upload New Banner Logo. Browse to the location of the image, select the file, and
click Open.

6. Click Save Changes.

7. To view the current banner as configured, click Display Current Consent Banner.

Tip: The supported image formats are JPG, JPEG, BMP, GIF, and PNG. Symantec
recommends an image size of 550 pixels by 100 pixels. Advanced Secure Gateway
automatically scales larger images to 550 pixels by 100 pixels to conform to the dimensions of
the Consent Banner.

100 of 117
 Advanced Secure Gateway - Content Analysis Administration

Update Antivirus Pattern Files

Antivirus Pattern File configuration is available in Services> AV Patterns.

Note: Advanced Secure Gateway communicates with several URLs that end with
*.es.bluecoat.com. To ensure that these updates are retrieved without issue, Symantec
recommends that you allow Advanced Secure Gateway to reach that domain on ports 80 and
443 without authentication, SSL interception or firewall interruption. Advanced Secure
Gateway automatically checks for new engines and pattern files every 5 minutes.

Caution: You can enable up to two AV engines while AML is activated:

- If you enable one AV engine, it can be any available engine.
- If you enable two AV engines, one of them must be Symantec AV. You cannot use multiple
third-party AV engine while AML is activated. Doing so is unsupported and will have a negative
impact on performance, leading to dropped ICAP connections or system reboots.

If the Advanced Secure Gateway appliance has been running AML with more than one
activated third-party AV engine, refer to [KB link] for instructions on returning the appliance to a
supported configuration.

AV Update Details
Column Description

Vendor Displays the antivirus vendor.

Version Displays the version of the antivirus engine that is in use.

Pattern Version Displays the version of the pattern file used by the antivirus engine. It also lists the number of virus
definitions included in the pattern file and the time of the most recent pattern file update.

Virus Definitions Displays the virus unique identification string.

Last Pattern Update Displays the date and time of the most recent pattern update.

Remaining Displays the number of days before your current license is set to expire. If the license has expired,
that date displays, as well as the date on which the grace period expires.

101 of 117
Advanced Secure Gateway - Content Analysis Administration

Column Description

Update

Click Update Now to download and install the virus pattern files for the specified vendor. Clicking
Update Now tells the system to check if there is a virus pattern file available that is newer than the
one it already has. The update is either a differential update or a full update, based on the update
mechanism that your chosen antivirus vendor supports.

Click Force Update Now to force Advanced Secure Gateway to download and install the latest
virus pattern files for the specified vendor. Even if you have the latest version installed, this option
overwrites the file versions currently residing on the appliance.

Update All Now

Use the Update All Now option when you are using pattern files from multiple AV vendors. This option instructs Advanced
Secure Gateway to check if there are newer virus pattern files available than those currently installed on the appliance. The
update is either a differential update or a full update, based on the update mechanism of the specific antivirus vendor.

Force Update All Now

Use the Force Update All Now option when you are using pattern files from multiple AV vendors. This option forces
Advanced Secure Gateway to download and install the latest virus pattern files for all configured vendors. Even if you have the
latest version installed, this option overwrites the file versions currently residing on the appliance.

Downloads
Use the Downloads list to monitor the status of AV pattern and engine downloads.

Install a New System Image

System image management is available in System> Firmware.

102 of 117
 Advanced Secure Gateway - Content Analysis Administration

Manage System Images

Advanced Secure Gateway stores up to five images on the system. The image that is marked as the default image will be
loaded the next time the appliance is rebooted. If the maximum number of images are stored on your system and you download
a sixth image, Advanced Secure Gateway deletes the oldest unlocked image to make room for the new image.

Select the following options as necessary:

n Default: The default image will be loaded the next time the system is rebooted.

n Locked: Protects the image from being deleted. If you don't want Advanced Secure Gateway to automatically replace
an image when you retrieve new images, you should lock the existing image.

n Booted: Indicates whether the image has been booted at least once in the past.

n Delete: Click the circled X to remove an image you no longer need. Note that you cannot delete locked images.

n Save Changes: Commits your changed default, locked, and deleted selections.

n Reboot System and load saved default system image: Restart Content Analysis and load the image selected as
default.

Download the System Image from MySymantec

WhenSymantec has new system images available, they will be posted on MySymantec where you can download them and
install on Advanced Secure Gateway.

To download system images from MySymantec:

1. Go to https://mysymantec.force.com/customer/s/.

2. Select Downloads > Network Protection (Blue Coat) Downloads..

3. Select Blue Coat Product Downloads.

103 of 117
Advanced Secure Gateway - Content Analysis Administration

4. When prompted, log in with your MySymantec credentials.

5. Select Advanced Secure Gateway.

6. Select your appliance model.

7. Select a software version.

8. Accept the License Agreement.

9. Select the file(s) to download and click Download Selected Files.

Note: The first time you download files, you are prompted to install the Download
Manager. Follow the onscreen prompts to download and run the installer. For more
information, refer to https://www.symantec.com/support-center/getting-started.

10. The Download Manager window opens. Select the download location.

Note: Complete instructions are also available online at:

https://www.symantec.com/support-center/getting-started
Bookmark this page for future reference.

11. Put the image on a web server or workstation that the Advanced Secure Gateway appliance can access.

Retrieve an Image from a Web Server

After downloading an image from MySymantec, you can place it on a web server and then install it on Advanced Secure
Gateway.

1. In the Advanced Secure Gateway management console, select System > Firmware.

2. In System Image Retrieval, enter the HTTP or HTTPS URL from where the image is to be retrieved. The image
download process works with any HTTP server, and HTTPS servers configured with trusted certificates. If your
HTTPS server does not have a trusted certificate, use an internal HTTP server for image and license downloads.

3. Click Retrieve Image.

4. After the image is finished loading, select the new system image as the default and click Save Changes.

5. Click Reboot System and load saved default system image.

Upload an Image File

After downloading an image from MySymantec, you can place it on your local workstation and then install it on Advanced

104 of 117
 Advanced Secure Gateway - Content Analysis Administration

Secure Gateway.

1. In the Advanced Secure Gateway management console, select System > Firmware.

2. Click Upload System Image.

3. Select the image file and click Open.

4. After the image is finished loading, select the new system image as the default , and click Save Changes.

5. Click Reboot System and load saved default system image.

Archive or Restore the System Configuration

Manage system configuration files in Utilities > Configuration.

Back up and restore the Advanced Secure Gateway configuration as an XML file. As a best practice measure, back up your
appliance configuration before making significant changes.

n Download Entire Configuration: To back up the current configuration, click Get Configuration. The configuration
archive, config.xml, is saved in the Downloads folder on the workstation.

n Upload Entire Configuration: To restore a configuration, click Choose File and navigate to the location of a
previously saved config.xml file on your workstation.

Not all elements of your Advanced Secure Gateway appliance configuration can be saved/restored. Administration details and
network information defined in the initial deployment of your appliance must be manually assigned. The following components
are included in a backup/restore config.xml file:

n Global Antivirus Policy

n Kaspersky Policy

n Sophos Policy

n Alert Settings

n Alert Templates

n SMTP Settings

n Consent Banner

n Custom Logo

n NTP Settings

n Timezone Configuration

n HTTP Settings

105 of 117
Advanced Secure Gateway - Content Analysis Administration

n SNMP Settings

n Sandboxing Settings

n Predictive Analysis Settings

n Blacklist/Whitelist Settings

n File Reputation Settings

106 of 117
 Advanced Secure Gateway - Content Analysis Administration

Troubleshooting and Support Utilities

Review System Activities 109
Review the Web Logs 109
Inspect Traffic 110
Send Diagnostic Information to Symantec Support 112
Restart System Services 113
Clear File Caches 113
Test Network Connectivity 114
Onboard Diagnostics 115
Manually Scan Files for Threats 115
View and Export the System Information File 116

107 of 117
Advanced Secure Gateway - Content Analysis Administration

108 of 117
 Advanced Secure Gateway - Content Analysis Administration

Review System Activities

The system logs can be viewed in Utilities > System Logs.

Use this page to review the Advanced Secure Gateway subsystem activity logs. All functions performed by Advanced Secure
Gateway appliance are logged. Typically, this information is only useful when troubleshooting an issue with the assistance of a
Symantec Support engineer or partner.

The logs in this list, along with web logs and the system configuration can be sent to Symantec Support via the Utilities >
Troubleshooting page.

Review the Web Logs

Web server logs can be found in Utilities > Web Logs.

Used for troubleshooting research by Symantec Support, the Web Logs page displays a list of the logs generated by the
Advanced Secure Gateway web server subsystem. At the instruction of a Symantec Support engineer, click to view the
selected log file or to download the selected log file.

View Web Logs

Clicking opens the log in another window.

109 of 117
Advanced Secure Gateway - Content Analysis Administration

Drag the corners or sides of the log viewing window to resize it.

Download Web Logs

When you click , you are prompted to view or save the file.

Inspect Traffic
The Packet Capture utility can be found in Utilities > Packet Capture.

The Packet Capture utility examines data sent to and from Advanced Secure Gateway. Packet captures (PCAPs) are saved
as PCAP files, compatible with Wireshark and other packet analysis tools that support the same format.

Available Options
n Filter:Define a filter for your packet capture. PCAP filter, using the standard Berkeley PCAP filter syntax.

n Duration: Set the amount of time (in seconds) to capture traffic.

n Start: Begin capturing data.

110 of 117
 Advanced Secure Gateway - Content Analysis Administration

n Stop: Stop the capture and write it to disk

n Refresh: As data is being captured, click Refresh to see the file and its size in the table

After clicking Stop, the appliance saves the capture and displays it in the list at the bottom of the page.

Manage PCAP Files
Once a packet capture has been stopped, the table displays a filename, (based on the time and date of the capture) the file size
and the date it was saved. The first column provides two buttons:

 Download the PCAP file to your local system.

 Delete the PCAP file.

Warning: No alert or confirmation message appears when you click the delete button on this
screen.

Filter Packet Captures

Because unfiltered packet capture files can grow very large in a small amount of time in a busy environment, it's often prudent
to filter your captures to look for only the traffic you're interested in. The following PCAP filter expression examples will help
define your own filters. For a more comprehensive look at Berkeley packet filtering, see http://biot.com/capstats/bpf.html.

Example 1: I want to capture all traffic requested by a single user at the IP 10.0.0.125:

host 10.0.0.125

Example 2: Capture all traffic between a single user and a specific URL: 

host www.eicar.org and host 10.0.0.125

Example 3: Capture all HTTP traffic for a specific user:

host 10.0.0.125 and port 80

Example 4: Capture only TCP traffic:

tcp

111 of 117
Advanced Secure Gateway - Content Analysis Administration

Example 5: Capture traffic for either one user or another: 

host 10.0.0.125 or host 10.0.0.126

Send Diagnostic Information to Symantec Support

The Diagnostic Upload utility can be found in Utilities > Troubleshooting.

In the event that the Advanced Secure Gateway module fails or restarts unexpectedly, it will produce a file that contains
system logs and the contents of memory at the time of the failure. When troubleshooting issues of this nature, Symantec
Support engineers will request the relevant files on this page. They can examine the data contained in each package to identify
the cause of the issue. To send log files to Symantec Support, you must have an open and active support case number. For
information on opening a support case, see https://mysymantec.com.

Upload Log Files to Symantec Support

1. Select Utilities > Troubleshooting.

2. Click Create troubleshooting log to select the pertinent core files to include in your report to Symantec Support.
The Create Troubleshooting Logs dialog opens.

3. Click each core file pertinent to your support case (as directed by a Symantec Support engineer) and click Create.
The system takes a moment to compress the selected files into an archive.

4. Under Troubleshooting Logs, put a check next to the file you want to send to Support. Files are listed based on the
time and date they were created.

5. Click Upload selected logs to service request. The Service Request Upload dialog opens.

6. Enter your support case number into the field in the dialog, click Upload.

7. Click Delete selected logs to ensure that the archive file is removed from the appliance.

Delete Core Files

System core image files are very large and should be deleted as soon as they are no longer necessary.

1. On the Troubleshooting page, select the core image file you wish to delete.

2. Click Delete selected cores.

Troubleshooting Tips

112 of 117
 Advanced Secure Gateway - Content Analysis Administration

If you have trouble uploading files to the Symantec Support server, check for the following issues.

n Verify that SSL intercept for https://upload.bluecoat.com/support/form is not enabled in the Proxy module of
your Advanced Secure Gateway appliance.

n Verify that the support case number is valid and has not previously been resolved.

Restart System Services

The restart utility can be found in Utilities> Services.

Under the direction of a Symantec Support engineer or partner, use the options on this page to restart specific Advanced
Secure Gateway services.

Note: This screen also contains options for generating core dumps. See Generate Core
Dumps for more information.

Available Options
n Refresh Antivirus Engines and Signatures: Stop and start the antivirus subsystem.

n Restart ICAP Service: Stop and start the service responsible for accepting incoming ICAP connections.

n Restart Web Management: Stop and start the web server, responsible for hosting the Advanced Secure Gateway
web user interface.

Clear File Caches

The file cache utility can be found in Utilities > Cache.

113 of 117
Advanced Secure Gateway - Content Analysis Administration

At the suggestion of a Symantec Support engineer, use the Cache utility to clear the files cached by the appliance during
antivirus scanning, file reputation analysis, sandboxing, or predictive analysis. Clearing these caches is not necessary for
normal operation of Advanced Secure Gateway.

Clear Caches
Each of the buttons on this page will clear the cache for the appropriate cache store.

Tip: The sandboxing and file reputation caches persist through a reboot, while the antivirus
cache is cleared when the Advanced Secure Gateway module or the Advanced Secure
Gateway appliance is restarted.

Test Network Connectivity

The Utilities > Ping utility tests the network path between the appliance and another host.

Ping Utility Fields

n Address: Enter the hostname or IP address of the site or host you wish to ping and press the enter key on your
keyboard.

n Ping: Sends four ICMP packets to the host defined in the address field.

The system displays the results below the Ping option.

114 of 117
 Advanced Secure Gateway - Content Analysis Administration

Example
PING bto.bluecoat.com (199.91.134.151) 56(84) bytes of data.
64 bytes from 199.91.134.151: icmp_seq=1 ttl=55 time=24.4 ms
64 bytes from 199.91.134.151: icmp_seq=2 ttl=55 time=24.2 ms
64 bytes from 199.91.134.151: icmp_seq=3 ttl=55 time=24.4 ms
64 bytes from 199.91.134.151: icmp_seq=4 ttl=55 time=24.4 ms
--- bto.bluecoat.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3029ms
rtt min/avg/max/mdev = 24.274/24.420/24.498/0.179 ms

Onboard Diagnostics
On appliance releases of Content Analysis, the Onboad Diagnostic utility can be found in Utilities> Onboard Diagnostics.

View the output from the Advanced Secure Gateway hardware monitoring sensors. If the values on this page display with a
Critical status, contact a Symantec Support engineer for assistance.

Available Sensors
n Voltages: Reports the Voltage, Status and State of components for which the appliance has a voltage sensor such as
CPU cores, Power Supply and others.

n Rotation Per Minute: Reports the speed at which the fans on the appliance spin.

n Temperatures: The results of temperature monitoring for the chassis, CPU and other components that produce heat in
the appliance.

n Power Supplies: The state of the appliance's power supplies.

Note: Power Supply Status is not available for S200 model appliances.

Manually Scan Files for Threats

The Test utility can be found in Utilities > Test.

Use the Test utility to upload a file that you suspect is infected with malware to the appliance for an immediate scan result.
Advanced Secure Gateway scans the file with the same configuration options as if it were transmitted through the Proxy
module. The scan is performed with all active AV and sandboxing engines, and uses the whitelist, if active.

This utility is also useful to Symantec Support, to verify that the appliance is functioning as expected.

115 of 117
Advanced Secure Gateway - Content Analysis Administration

Tip: The eicar.org site provides a benign malware pattern that will trigger a Malware Found
verdict.

Click Select and Scan Test File to select a file you suspect may be bad on your local system. The results of the scan are
displayed on the screen. If a virus is found, the name appears next to Virus Name.

View and Export the System Information File

The System Information utility can be found in Utilities > System Information.

When working with a Symantec Support engineer, one crucial piece of information in determining the cause and solution to an
issue is the System Information file. On this page, the System Information file is presented in a text editor window (in
JSON format) and it contains your appliance configuration as well as the results of all current diagnostic reports for the
appliance.

When prompted by Symantec Support to provide this information, click into the text box, highlight all of the text, (there will be
several pages of information) and copy it. You can then paste the text into an email, your support case, or a text file.

116 of 117
 Advanced Secure Gateway - Content Analysis Administration

117 of 117