An Advanced Persistent Threat (APT) attack is a type of network attack that uses advanced malware and zero-day exploits to get access to networks and confidential data over extended periods of time. APT attacks are highly sophisticated and often target specific, high-profile institutions, such as government or financial-sector companies. Use of this advanced malware has also expanded to target smaller networks and lower-profile organizations.
Because APT attacks use the latest targeted malware techniques and zero-day exploits (flaws that software vendors have not yet discovered or fixed) to infect and spread within a network, traditional, signature-based scan techniques do not provide adequate protection against these threats. APT malware is designed to reside within a network for an extended period of time. The communication from the malware is hidden, and all evidence of the presence of the malware is removed, which allows it to evade detection.
APT Blocker is a subscription service that uses best-of-breed, full-system emulation analysis by Lastline to identify the characteristics and behavior of APT malware in files and email attachments that enter your network. APT Blocker does not use signatures like other traditional scanners, such as antivirus programs. Files that enter your network are scanned and an MD5 hash of the file is generated. This MD5 hash is submitted to the Lastline cloud-based data center over HTTPS. Lastline compares the file to a database of analyzed files and immediately returns the scan results. If the analysis finds a match to a known malware threat, you can take immediate action on the file, such as to block, drop, or quarantine the file. Results of the file analysis are stored in a local cache so that if that same file is processed again, the results are known immediately without the need to send the MD5 hash of the file to the Lastline data center again.
If the MD5 hash does not match any previously analyzed file, that specific file has not been seen or analyzed before. The file is then submitted to the Lastline data center, where it receives deep analysis for APT activity in a next-generation sandbox environment. The analysis occurs at the same time as the file transfer, and the connection is allowed while the device waits for the result of the analysis. When the result is returned, if there is evidence of malware activity in the file, your Firebox or XTM device can generate an alarm notification.
APT Blocker can scan files for these proxy policies:
APT Blocker can scan these file types:
APT Blocker can also examine files within compressed archives. APT Blocker supports these archive file types:
The scan limit for APT Blocker is based on the Gateway AntiVirus scan limit. The default scan limit is 1 MB for most Firebox and XTM devices. Firebox T10 and XTM 2 Series have a default of 512 KB. Although APT Blocker cannot scan and analyze partial files, most malware is delivered in files smaller than 1 MB in size. Larger files are less likely to spread quickly in a viral manner. The maximum file size allowed for APT Blocker is 8 MB. For detailed information on scan limits, see About Gateway AntiVirus Scan Limits. For information about how to set the scan limit, see Configure Gateway AntiVirus Actions.
APT Blocker categorizes APT activity based on the severity of the threat:
All threat levels are considered malware. The rating is based on a score assigned to the file when it is analyzed by Lastline. The High level indicates a higher score because more characteristics of malware were identified in the analysis.
For each threat level, you can assign an action (Allow, Drop, Block, or Quarantine), and enable alarm, notification, and logging settings.
WatchGuard recommends that you select the Alarm and Log options for all three threat levels in your APT Blocker configuration.
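The lookup flow described above (MD5 hash, local cache, cloud hash database, sandbox fallback), the scan limit, and the per-level actions, modeled in a small simulation. This is an added example, not WatchGuard or Lastline code: the sandbox, the hash database, the threat-level names (Low, Medium, High) with their actions, and the pass-through of over-limit files are all assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Scan limits stated on the page: 1 MB default, 512 KB for Firebox T10 / XTM 2 Series,
# 8 MB absolute maximum for APT Blocker.
DEFAULT_SCAN_LIMIT = 1024 * 1024
SMALL_DEVICE_SCAN_LIMIT = 512 * 1024
MAX_SCAN_LIMIT = 8 * 1024 * 1024

# Hypothetical per-level actions an administrator might configure (level names assumed).
LEVEL_ACTIONS = {"High": "Block", "Medium": "Quarantine", "Low": "Drop"}


def constructed_sandbox(data: bytes) -> str:
    """Stand-in for the Lastline sandbox: rates a constructed marker sequence as High."""
    return "High" if b"EVIL-MARKER" in data else "Clean"


@dataclass
class AptBlockerModel:
    scan_limit: int = DEFAULT_SCAN_LIMIT
    sandbox: Callable[[bytes], str] = constructed_sandbox
    known_hashes: Dict[str, str] = field(default_factory=dict)  # stand-in for the cloud hash database
    cache: Dict[str, str] = field(default_factory=dict)         # local verdict cache keyed by MD5
    submitted: List[str] = field(default_factory=list)          # MD5 hashes sent to the cloud
    events: List[dict] = field(default_factory=list)            # alarm / log records

    def scan(self, data: bytes) -> dict:
        if len(data) > min(self.scan_limit, MAX_SCAN_LIMIT):
            # Partial files cannot be analyzed, so an over-limit file gets no verdict;
            # passing it through (Allow) is an assumption of this model, not page text.
            self.events.append({"event": "not_scanned", "size": len(data)})
            return {"level": None, "action": "Allow"}
        digest = hashlib.md5(data).hexdigest()
        if digest in self.cache:
            level = self.cache[digest]            # cache hit: no cloud round trip needed
        else:
            self.submitted.append(digest)         # hash is submitted to the cloud (HTTPS in the real service)
            level = self.known_hashes.get(digest)
            if level is None:                     # never seen before: full-file sandbox analysis
                level = self.sandbox(data)
            self.cache[digest] = level
        action = "Allow" if level == "Clean" else LEVEL_ACTIONS[level]
        if level != "Clean":                      # every threat level is malware: alarm and log it
            self.events.append({"event": "alarm", "md5": digest, "level": level, "action": action})
        return {"level": level, "action": action}
```

The second scan of an identical file is answered from the local cache, so no hash is submitted again; a file above the device's scan limit is recorded as not scanned.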
To enable APT Blocker on your Firebox or XTM device, you must: