Related Topics

About APT Blocker

An Advanced Persistent Threat (APT) attack is a type of network attack that uses advanced malware and zero-day exploits to get access to networks and confidential data over extended periods of time. APT attacks are highly sophisticated and often target specific, high-profile institutions, such as government or financial-sector companies. Use of this advanced malware has also expanded to target smaller networks and lower-profile organizations.

Because APT attacks use the latest targeted malware techniques and zero-day exploits (flaws that software vendors have not yet discovered or fixed) to infect and spread within a network, traditional signature-based scan techniques do not provide adequate protection against these threats. APT malware is designed to reside within a network for an extended period of time. The communication from the malware is hidden, and all evidence of the presence of the malware is removed, which allows it to evade detection.

APT Blocker is a subscription service that uses full-system emulation analysis by Lastline to identify the characteristics and behavior of APT malware in files and email attachments that enter your network. APT Blocker does not use signatures like other traditional scanners, such as antivirus programs. Files that enter your network are scanned and an MD5 hash of the file is generated. This MD5 hash is submitted to the Lastline cloud-based data center over HTTPS. Lastline compares the file to a database of analyzed files and immediately returns the scan results. If the analysis finds a match to a known malware threat, you can take immediate action on the file, such as to block, drop, or quarantine the file. Results of the file analysis are stored in a local cache so that if that same file is processed again, the results are known immediately without the need to send the MD5 hash of the file to the Lastline data center again.

You can send requests to a local Lastline on-premise APT Blocker server if you have one on your network. In large enterprise networks, some organizations use a local APT Blocker server for security and data privacy purposes. For more information, see Configure APT Blocker Server Settings.

If there is not a match to the available results of a previously analyzed file, that specific file has not been seen or analyzed before. The file is then submitted to the Lastline data center where the file receives deep analysis for APT activity in a next-generation sandbox environment. The analysis occurs at the same time as the file transfer. For proxies other than the SMTP and IMAP proxies, the connection is allowed while the device waits for the result of the analysis. When the result is returned, if there is evidence of malware activity in the file, your Firebox can generate an alarm notification. For more information on how to monitor APT Blocker activity, and use WatchGuard Dimension reports to track APT Blocker actions, see Monitor APT Blocker Activity.

About APT Blocker Scan Limits

The maximum size of files that APT Blocker sends to Lastline for analysis is based on the Gateway AntiVirus scan limit. The default scan limit is 1 MB for most Fireboxes. Firebox T10, T15, and XTM 2 Series have a default of 512 KB. Although APT Blocker cannot scan and analyze partial files, most malware is delivered in files smaller than 1 MB in size. Larger files are less likely to spread quickly in a viral manner. For detailed information on scan limits, see About Gateway AntiVirus Scan Limits. For information about how to set the scan limit, see Configure Gateway AntiVirus Actions.

Lastline accepts files of up to 10 MB in size for analysis. If you set the Gateway AntiVirus scan limit higher than 10 MB, APT Blocker does not send the file to Lastline and generates the log message "file size exceeds the submission size limit".

Supported Proxy Policies

APT Blocker can scan files for these proxy policies:

  • HTTP-proxy
  • HTTPS-proxy, if APT Blocker is enabled in the HTTP proxy action used for Content Inspection
  • FTP-proxy
  • SMTP-proxy
  • IMAP-proxy
  • POP3-proxy

For information about APT Blocker in the SMTP and IMAP proxies, see APT Blocker in the SMTP and IMAP Proxies.

Supported File Types

APT Blocker can scan these file types:

  • Windows PE (Portable Executable) files
    This includes files with .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, and .efi extensions used in 32-bit and 64-bit versions of Windows operating systems.
  • Adobe PDF documents
  • Microsoft Office documents
  • Rich Text Format (RTF) documents
  • Android executable files (.apk)
  • Apple Mac application files (.app)
  • JavaScript (.js) files in email attachments only

APT Blocker can also examine files within compressed archives. APT Blocker supports these archive file types:

  • gzip
  • tar
  • zip
  • rar
  • 7z

APT Threat Levels

APT Blocker categorizes APT activity based on the severity of the threat:

  • High
  • Medium
  • Low
  • Clean

The High, Medium, and Low threat levels indicate the severity of malware. This rating is determined based on a score assigned to the file when it is analyzed by Lastline. The High level indicates a higher score because more characteristics of malware were identified in the analysis. We recommend you consider all these threat levels as malware and use the default action of Drop.

For the High, Medium, and Low threat levels, you can assign an action (Allow, Drop, Block, and Quarantine), and enable alarm, notification, and logging settings.

The Clean threat level indicates the file was scanned by the initial file hash check or by upload to the Lastline cloud data center, and determined to be free of malware. The action for the Clean threat level is set by default to Allow and cannot be modified. The Clean threat level helps you track the status of files analyzed by Lastline that are determined to be clean and do not contain malware. Make sure the Log check box is enabled to log the status of clean files.

WatchGuard recommends that you select the Alarm and Log options for all threat levels in your APT Blocker configuration to monitor APT Blocker activity.

Enable and Configure APT Blocker

To enable APT Blocker on your Firebox, you must:

  1. Get a Firebox Feature Key
  2. Manually Add or Remove a Feature Key
  3. Enable Gateway AntiVirus in a Proxy Policy
  4. Configure APT Blocker

APT Blocker is part of the same scan process as Gateway AntiVirus. When you enable APT Blocker in a proxy action, APT Blocker scans content only when content matches a proxy action rule configured with the AV Scan action.

See Also

About Gateway AntiVirus

Give Us Feedback     Get Support     All Product Documentation     Technical Search