Troubleshoot APT Blocker

Incoming files are processed by security services in this order:

Gateway AntiVirus > APT Blocker > Data Loss Prevention

APT Blocker checks only occur when the file is allowed by Gateway AntiVirus scanning. To use APT Blocker, you must have a feature key that enables APT Blocker and Gateway AntiVirus. Data Loss Prevention actions are only applied if Gateway AntiVirus or APT Blocker allowed the file.

Troubleshoot APT Blocker File Submission

When first examined, an MD5 hash check of the file occurs. If there is no match to any previously analyzed files, the file must be submitted to the data center for analysis.

When the file is submitted successfully, it is assigned a task uuid as a reference and included in the log message:

Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)

When the file is submitted to the data center and the file is identified as a threat, this event log is generated to inform you that the APT Blocker notification has been sent.

APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/apt_sample.exe'

This type of log message appears when APT Blocker detects a threat. The log message specifies the threat level, threat name, threat class, malicious activities, destination hostname, and URI path.

Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 msg="ProxyDrop: HTTP APT Detected" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"

This type of log message appears when a file is scanned and determined as clean and free of malware by the hash file check or upload to the data center:

Allow 2-Internal 0-External tcp 172.16.182.27 172.16.180.32 52816 80 msg="ProxyAllow: HTTP File reported safe from APT hash check" proxy_act="HTTP-Client.Standard.1" host="172.16.180.32" path="/VOD/5k_end.zip" md5="221f11af6a29be878ad54f164304f1f2" task_uuid="d1eb81f2519c466e93db4827167dd935" (HTTP-proxy-00)

See Also

About APT Blocker

Configure APT Blocker