About APT Blocker

An Advanced Persistent Threat (APT) attack is a type of network attack that uses advanced malware and zero-day exploits to get access to networks and confidential data over extended periods of time. APT attacks are highly sophisticated and often target specific, high-profile institutions, such as government or financial-sector companies. Use of this advanced malware has also expanded to target smaller networks and lower-profile organizations.

Because APT attacks use the latest targeted malware techniques and zero-day exploits (flaws that software vendors have not yet discovered or fixed) to infect and spread within a network, traditional signature-based scan techniques do not provide adequate protection against these threats. APT malware is designed to reside within a network for an extended period of time. The communication from the malware is hidden, and all evidence of the presence of the malware is removed, which allows it to evade detection.

APT Blocker is a subscription service that uses full-system emulation analysis to identify the characteristics and behavior of APT malware in files and email attachments that enter your network. APT Blocker does not use signatures like other traditional scanners, such as antivirus programs. Files that enter your network are scanned and an MD5 hash of the file is generated. This MD5 hash is submitted to the APT Blocker cloud-based data center over HTTPS. APT Blocker compares the file to a database of analyzed files and immediately returns the scan results. If the analysis finds a match to a known malware threat, you can take immediate action on the file, such as to block, drop, or quarantine the file. Results of the file analysis are stored in a local cache so that if that same file is processed again, the results are known immediately without the need to send the MD5 hash of the file to the data center again.

You can send requests to a local on-premise APT Blocker server if you have one on your network. In large enterprise networks, some organizations use a local APT Blocker server for security and data privacy purposes. For more information, see Configure APT Blocker Advanced Settings.

If there is not a match to the available results of a previously analyzed file, that specific file has not been seen or analyzed before. The file is then submitted to the data center where the file receives deep analysis for APT activity in a next-generation sandbox environment. The analysis occurs at the same time as the file transfer. The data APT Blocker sends to the data center is automatically deleted when analysis completes. For proxies other than the SMTP and IMAP proxies, the connection is allowed while the device waits for the result of the analysis. When the result is returned, if there is evidence of malware activity in the file, your Firebox can generate an alarm notification. For more information on how to monitor APT Blocker activity, and use reports to track APT Blocker actions, see Monitor APT Blocker Activity.

About APT Blocker Scan Limits

To use APT Blocker, you must have a feature key that enables APT Blocker and Gateway AntiVirus. The Gateway AntiVirus scan size limit also limits the maximum size of files that APT Blocker sends for analysis. The default scan limits vary by device model. For information on scan limits by model, see About Gateway AntiVirus Scan Limits. For information about how to set the scan limit, see Configure Gateway AntiVirus Actions.

Although APT Blocker cannot scan and analyze partial files, most malware is delivered in files smaller than 1 MB in size. Larger files are less likely to spread quickly in a viral manner.

APT Blocker can analyze files up to 10 MB in size. If you set the Gateway AntiVirus scan limit to higher than 10 MB, APT Blocker does not analyze files larger than 10MB and generates the log message "file size exceeds the submission size limit". In Fireware 12.3 Update 1 or higher, APT Blocker can submit the MD5 hash values of files larger than 10MB to the cloud-based data center.

Supported Proxy Policies

APT Blocker can scan files for these proxy policies:

  • HTTP-proxy
  • HTTPS-proxy, if APT Blocker is enabled in the HTTP proxy action used for Content Inspection
  • FTP-proxy
  • SMTP-proxy
  • IMAP-proxy
  • POP3-proxy

For information about APT Blocker in the SMTP and IMAP proxies, see APT Blocker in the SMTP and IMAP Proxies.

Supported File Types

APT Blocker can scan these file types:

  • Windows PE (Portable Executable) files
    This includes files with .cpl, .exe, .dll, .ocx, .sys, .scr, .drv, and .efi extensions used in 32-bit and 64-bit versions of Windows operating systems.
  • Adobe PDF documents

    In Fireware v12.7 and higher, APT Blocker does not send unrecognized PDFs for analysis unless the Submit PDF files to the data center for analysis check box is selected in the Advanced Settings.

  • Microsoft Office documents
  • Rich Text Format (RTF) documents
  • Android executable files (.apk)
  • Apple Mac application files (.app)
  • JavaScript (.js) files in email attachments only
  • Hanword documents (.hwp) (Korea)
  • ISO (.iso) files

APT Blocker can also examine files within compressed archives. APT Blocker supports these archive file types:

  • gzip
  • tar
  • zip
  • rar
  • 7z

APT Blocker does not scan files that have been added to the File Exceptions list. For more information, see Configure File Exceptions.

APT Threat Levels

APT Blocker categorizes APT activity based on the severity of the threat:

  • High
  • Medium
  • Low
  • Clean

The High, Medium, and Low threat levels indicate the severity of malware. This rating is determined based on a score assigned to the file when it is analyzed by APT Blocker. The High level indicates a higher score because more characteristics of malware were identified in the analysis. We recommend you consider all these threat levels as malware and use the default action of Drop.

For the High, Medium, and Low threat levels, you can assign an action (Allow, Drop, Block, and Quarantine), and enable alarm, notification, and logging settings.

The Clean threat level indicates the file was scanned by the initial file hash check or by upload to the APT Blocker cloud data center, and determined to be free of malware. The action for the Clean threat level is set by default to Allow and cannot be modified. The Clean threat level helps you track the status of files analyzed by APT Blocker that are determined to be clean and do not contain malware. Make sure the Log check box is enabled to log the status of clean files.

WatchGuard recommends that you select the Alarm and Log options for all threat levels in your APT Blocker configuration to monitor APT Blocker activity.

Enable and Configure APT Blocker

To enable APT Blocker on your Firebox, you must:

  1. Get a Firebox Feature Key
  2. Manually Add or Remove a Feature Key
  3. Enable Gateway AntiVirus in a Proxy Policy
  4. Configure APT Blocker

APT Blocker is part of the same scan process as Gateway AntiVirus. When you enable APT Blocker in a proxy action, APT Blocker scans content only when content matches a proxy action rule configured with the AV Scan action.

Related Topics

About Gateway AntiVirus

Video tutorial: Getting Started with APT Blocker