Troubleshoot APT Blocker
Incoming files are processed by security services in this order:
Gateway AV > APT Blocker > Data Loss Prevention
APT Blocker checks only occur when the file is allowed by Gateway AV scanning. Data Loss Prevention actions are only applied if Gateway AV or APT Blocker allowed the file.
Troubleshoot APT Blocker File Submission
When first examined, an MD5 hash check of the file occurs. If there is no match to any previously analyzed files, the file must be submitted to the Lastline data center for analysis.
When the file is submitted successfully, it is assigned a task uuid as a reference and included in the log message:
Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)
When the file is submitted to the Lastline data center and the file is identified as a threat, this event log is generated to inform you that the APT Blocker notification has been sent.
APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 220.127.116.11 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe'
This type of log message appears when APT Blocker detects a threat. The log message specifies the threat level, threat name, threat class, malicious activities, destination hostname, and URI path.
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 msg="ProxyDrop: HTTP APT Detected" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"
This type of log message appears when a file is scanned and determined as clean and free of malware by the hash file check or upload to Lastline:
Allow 2-Internal 0-External tcp 172.16.182.27 172.16.180.32 52816 80 msg="ProxyAllow: HTTP File reported safe from APT hash check" proxy_act="HTTP-Client.Standard.1" host="172.16.180.32" path="/VOD/5k_end.zip" md5="221f11af6a29be878ad54f164304f1f2" task_uuid="d1eb81f2519c466e93db4827167dd935" (HTTP-proxy-00)