Content Scanning

Content Scanning is an option that allows MOVEit DMZ to control what data is sent to and from a MOVEit system based on the content of the data. This process protects a user's system from being infected by viruses or from losing or accepting critical data, typically when MOVEit DMZ is separated from the main system by a firewall. MOVEit DMZ will forward the data using Internet Content Adaptation Protocol (ICAP) to a user's Anti-Virus (AV) server and/or Data Loss Prevention (DLP) server before it completes the transmission. Depending on the results returned by the server(s), MOVEit will allow or block the transmission.

Users must install and configure the AV and/or DLP servers separately. Different scanning servers may have different capabilities. A server may be configured to do AV, DLP or both. You can configure MOVEit to communicate with multiple different AV and DLP servers. You enable scanning at the system level, but you can have only one AV and one DLP server enabled at a time. You can then disable a specific AV or DLP process at the organization level.

Important: When you configure scanning for both AV and DLP, MOVEit DMZ sends the data to both processes simultaneously. When the scanner reports a virus or a DLP policy violation that is configured in MOVEit to block the transmission, the transmission fails.

Anti-Virus

The Content Scanning feature allows scanning of incoming files using a remote anti-virus server. MOVEit DMZ will submit incoming files to the anti-virus server using the ICAP protocol. Files that are clean are then passed into the MOVEit DMZ filesystem.

Overview

MOVEit DMZ currently supports the following anti-virus programs:

• Sophos Anti-Virus Dynamic Interface (SAVDI) scanner, we recommend and have tested against SAVDI v2.0 or later.

  For information on installing and configuring the Sophos AV scanner, refer to your Sophos documentation.

• Symantec Protection Engine, we recommend and have tested against v7.0.2.4.

  For information on installing and configuring the Symantec ICAP AV scanner, refer to your Symantec documentation.

• McAfee Web Gateway
• McAfee VirusScan Enterprise for Storage

  Note: These versions of the anti-virus scan engines support the ICAP protocol (RFC3507 for more information), which is required to interface with MOVEit DMZ. Other "desktop" versions from these same vendors will not work with MOVEit DMZ.

Before you can configure content scanning for incoming files, you must have one of these anti-virus scanners configured on a machine that is accessible to the MOVEit DMZ system.

Note: If you are using the AS2 Module to transfer files, be aware that content scanning does not apply to AS2 transfers. Use MOVEit Central to scan AS2 transfers for viruses.

Configuring Anti-Virus Scanning for MOVEit DMZ Hosts

After you have configured the anti-virus server, you need to set up content scanning for your MOVEit DMZ organizations. To access the Content Scanning settings, you must be logged on as sysadmin. These settings apply to all MOVEit DMZ organizations on the system. Under System Settings, Content Scanning, select Anti-Virus. For a description of each of the settings, see Web Interface - Settings - System - Content Scanning.

You can enable or disable Content Scanning for each organization in Settings - Security Policies - Content Scanning. You need to be signed on as an Organization administrator.

Enabling the content scanning option causes MOVEit DMZ to scan uploaded files as follows:

• The size of the file, if known, must be less than the configured maximum. Files larger than this maximum size are entered into the MOVEit DMZ filesystem without being scanned.
• Files are scanned during the upload and are not entered into the MOVEit DMZ filesystem until the content scanner returns an indication that the file is not infected.
• If the file does have a virus, it will be rejected, and the user will receive an error message.
• If the ICAP server connection fails or the connection limit is exceeded, or if for some reason the file cannot be checked, the upload will be rejected and the user will receive an error message.
• There is no support for re-scanning files, quarantining, or scanning on downloads.

The following screen shows an example of the configuration for a Sophos ICAP AV scanner.

Data Loss Prevention

The Content Scanning feature sends incoming data from file transfers and Ad Hoc transfers, including subject, note/body and attachments, to an external Data Loss Prevention (DLP) server before MOVEit DMZ determines whether to complete the transmission. MOVEit DMZ uses the ICAP protocol to submit incoming data to the DLP server. The DLP server applies configured data protection policies as it scans the data. When the DLP server returns its response, MOVEit configurations determine whether to block, quarantine or allow the transmission. MOVEit logs all DLP policy violations returned by the DLP server.

Overview

MOVEit DMZ currently supports the following data loss prevention (DLP) programs:

• McAfee Web Gateway 7.1
• Symantec Data Loss Prevention (DLP) 12 or 12.0.1

  Note: We only claim support for Symantec DLP version 12 or 12.0.1 when integrated as described specifically in this section. Later versions may not provide scanning results in a consistent manner, potentially leading to false negatives.

• RSA Data Loss Prevention (DLP) 9.6

Before you can configure content scanning for incoming files, you must have one of these DLP scanners configured on a machine that is accessible to the MOVEit DMZ system.

For information on installing and configuring the various scanners, refer to their official documentation. Two of these scanners, McAfee and Symantec, require additional specific changes to their configurations to properly communicate with MOVEit. These requirements are described in the topic "Configuring DLP Scanning for MOVEit DMZ Hosts".

Note: These versions of the DLP scan engines support the ICAP protocol (RFC3507 for more information), which is required to interface with MOVEit DMZ. Other "desktop" versions from these same vendors will not work with MOVEit DMZ.

Note: If you are using the AS2 Module to transfer files, be aware that content scanning does not apply to AS2 transfers.

Configuring DLP Scanning for MOVEit DMZ Hosts

There are three major tasks to implement Data Loss Prevention (DLP) scanning in MOVEit DMZ.

1. Install and configure the external and typically remote DLP server
2. Configure DLP servers for a MOVEit system (you can enable only one DLP server at a time)
3. Configure DLP rulesets for user classes or users for each MOVEit organization

Enabling the content scanning option causes MOVEit DMZ to scan uploaded files as follows:

• The size of the file, if known, must be less than the configured maximum. Files larger than this maximum size are entered into the MOVEit DMZ filesystem without being scanned.
• Files are scanned during the upload and are not entered into the MOVEit DMZ filesystem until the content scanner returns an indication that the file is not blocked for the user that is uploading the file.
• If the file violates a DLP policy, it will be processed according to the MOVEit policy and rulesets, and the user attempting to upload will receive an error message. Note that if a virus is found during a concurrent anti-virus scan, the file is automatically blocked from upload.
• If the ICAP server connection fails or the connection limit is exceeded, or if for some reason the file cannot be scanned, the upload will be rejected and the user will receive an error message.
• There is no support for re-scanning files, or scanning on downloads. The ability to download files is based on the results of the scan when the file was uploaded and rights for the user attempting the download. Quarantined files may be cleared for download under special circumstances.

Two of these DLP scanners, McAfee and Symantec, require additional configurations. Perform the following tasks as appropriate for your installation.

• Adding Required DLP Configuration to McAfee Web Gateway 7

1. Log on to your McAfee Web Gateway as a valid administrator.
2. From the Settings tab, expand Actions, then expand Block.

   You should see the following window.

   

3. Under the Template Name for the DLP Classification Block, click Edit.
4. From the Template Editor window, expand DLP Classification Block, then expand en, and then click html.

   The HTML Editor appears in the right pane.

5. From the right pane, scroll to the following text, "Your data has been blocked by the DLP Filter of McAfee Web Gateway."
6. Under this text, paste the following line:

   <b>Current Rule Name: </b>$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.rules.currentrulename"/>$<br />

7. At the bottom of the window, click the Save Template Changes button.

   Your window should appear as follows:

   

• Adding Required DLP Configuration to Symantec Data Loss Prevention Suite

Note: You should already have configured the policies in Symantec that you want to use.

1. Log on to your Symantec Data Loss Prevention application as an administrator.
2. From the Manage menu, under Policies click Response Rules.

   The list of rules you configured for your system appears.

   

3. For each rule that you want to use:
   1. Click the rule.

      The Configure Response Rule window appears.

   2. Within the Rejection Message box, type the following case-sensitive text that is within quotation marks (do not include the quotation marks, and note the space after the last word):

      "Content blocked due to "

   3. After the last space, type the text that contains the value on which you want MOVEit to match, which would typically be some or all of the name of the rule, but it could be any text that contains the matching value. For example, if your matching value in MOVEit is *CCN*, then you might type, "DLP CCN Policy" or "CCN policy violation", as in the following example.

      

   4. Click the Save button.

After you have configured the DLP server, you need to set up content scanning for your MOVEit DMZ organizations.

• Configuring Content Scanning for DLP for your MOVEit System

1. Log on to MOVEit DMZ as a system administrator, typically SysAdmin.
2. In the left pane, click Settings.
3. In the right pane for Settings, under System, Content Scanning, click Anti-Virus/DLP.
4. To add a scanner, click the Add Content Scanner button.

   The Configure Content Scanning Settings page appears.

5. For each DLP application you want DMZ to access, complete the fields and click Change Content Scanning.

   For a description of each of the settings, see Web Interface - Settings - System - Content Scanning. These settings apply to all MOVEit DMZ organizations on the system.

   Important: You can set Scan Uploads to Yes for only one DLP scanner at a time. That is, only one DLP scanner can be enabled on your system at any give time.

6. Click the Test Content Scanning button to make sure the connection to the scanner works.

• Configuring DLP Scanning for a MOVEit Organization

Repeat this task for each organization in your system that will use DLP content scanning. You will perform four basic procedures:

1. Enable Content Scanning for the organization.
2. Create rulesets, which determine how MOVEit handles files that violate one or more DLP server policies. They can be applied at the user-class level or user level.
3. Create rules for a ruleset to define the action MOVEit DMZ will take for a specific DLP policy or set of matching policies.
4. Assign DLP rulesets to user classes, which will act as defaults for newly created users.

To enable content scanning for an organization, proceed as follows:

1. Log on to MOVEit DMZ as an Organization administrator.
2. In the left pane, click Settings.
3. In the right pane, under Security Policies, Content Scanning, select Data Loss Prevention (DLP).
4. Under Edit Data Loss Prevention (DLP) Settings,click Yes to enable Content Scanning for the organization. This affects the DLP server that is currently enabled for the system.
5. Click Change DLP Settings.

   

To continue and create rulesets and their rules, proceed as follows:

1. In the right pane, under Configure DLP Rulesets, click the Add DLP Ruleset button.

   The Add DLP Ruleset pane appears.

   

2. Complete the fields, and click Add Ruleset.

   For a description of each of the settings, see Web Interface - Settings - Security Policies - Content Scanning - Data Loss Prevention (DLP)

3. In the right pane, under Edit DLP Rules, click Add DLP Rule.

   The Add DLP Rule pane appears.

   

4. For each rule in the ruleset, complete the fields, and click Add Rule.

   For a description of each of the settings, see Web Interface - Settings - Security Policies - Content Scanning - Data Loss Prevention (DLP)

   Success or error messages appear in the ribbon at the top of the pane.

5. When you have added all the rules for this ruleset, click Return to DLP Ruleset.
6. To create additional rulesets and their rules, repeat steps 1 through 5.

To continue and assign DLP rulesets to user classes, proceed as follows:

1. Under the Edit User Class DLP Rulesets section, for a user class, display the drop-down list of rulesets you configured.
2. Select the ruleset that you want to use for that user class.
3. Click the Change Ruleset button for that user class.

   A confirmation pane appears.

4. Click Yes to confirm the change.

   Note that this will apply to all users in the class, including those for whom a ruleset was applied at the user level.

5. Repeat steps 1 through 4 for each user class.

   

To continue and assign rulesets to specific users, which overrides the ruleset assigned to the user class for that user, proceed as follows:

1. In the left pane, click Users.
2. In the right pane, select the appropriate user.
3. In the right pane, for the User Profile, under User Settings, DLP Ruleset, click Change Ruleset.

   

   A User Profile, Change DLP Ruleset pane appears.

4. From the Change DLP Ruleset pane, click the drop-down list, and select the appropriate ruleset for this user.
5. Click Change DLP Ruleset.

You should now be able to test your configurations.

• Testing Data Transmissions with DLP Content Scanning

The following steps are for administrators who configured DLP for an organization to do some initial testing.

1. Create test files with data that violate your DLP policies and with data that will not violate any policies.
2. Log on to MOVEit DMZ as a specific type of user.
3. Upload data by various means, including sensitive and non-sensitive data, also in subject strings and notes/body where possible:
   1. Upload your test files to your filesystem.
   2. Upload your test files as attachments to packages.
   3. Use the Outlook Plug-in to send files as attachments.
4. Review the results, and note the following:
   1. Attempts to upload data that show DLP violations, should be blocked, quarantined or allowed per the action specified in the ruleset for the uploading user.
      • Files, packages or e-mails that were blocked should not appear in DMZ.
      • Files, packages or e-mails that were quarantined will be uploaded, but Download will not be allowed. Files will be tagged, and an audit log entry will be recorded indicating that the file violates one or more DLP policies. Files may be untagged later, at which point normal permissions will take effect.
      • Files, packages or e-mails that were allowed will be uploaded and tagged. An audit log entry will be recorded indicating that the file violates one or more DLP policies.
   2. In Folders, for lists of files that were uploaded with DLP policy violations, the DLP policy violation icon appears to the right of the file name, and depending on the rights of the user, the name of the policy or policies that were violated appears.
   3. In Packages, depending on the rights of the user, the name of the policy or policies that were violated appears following the package information.
   4. In File Information, depending on the rights of the user, more information about the DLP violation and DLP server appears.
   5. Administrators can override policy violations on quarantined files, for example in cases where the violation inappropriately blocked the recipient from downloading the file. For a specific file under the File Action section, administrators can click Clear DLP Policy Violations.

Scanner Availability

If Content Scanning is enabled, MOVEit DMZ checks every few minutes to make sure the enabled AV and/or DLP scanner is available. This is part of the SysCheck routine (see Advanced Topics - System Internals - Scheduled Tasks), which can generate a built-in notification. It first checks the AV scanner and then the DLP scanner. If the either scanner is unavailable, SysCheck sends an email message to the Send Errors To email address and warns that the MOVEit DMZ server will not be able to transfer files until this situation is addressed. When the scanner becomes available again, SysCheck sends an email that states that scanning is now working.

Note: The system administrator should always test the connection when configuring a content scanner. They can also run MOVEit DMZ Check on demand.

Logging

If a file was scanned, file detail pages will display the anti-virus (AV) or the data loss prevention (DLP) server information.

In the following example, the first line of Content Scanning information is for the AV server and the second line is for the DLP server.

If a file fails the scan, the user who uploaded the file will see an error message on the browser page, for example:

Log file entries will report the user-configured name of the AV or DLP server used during the file upload. File records will also report the self-identification, version, and AV virus definition tag or DLP policy violation from the server, for example:

Error code numbers (6100 - 6103) are used to report AV errors. This will help when filtering logs. If an upload fails due to content scanning, the corresponding log table records will contain the AV server name and, if possible, the name of the virus.

Error code numbers 0 and 6150 are used to report DLP policy violations, as follows:

• Error number 0 for violations that have been allowed or quarantined
• Error number 6150 for violations that have been blocked

Notifications

Notification macros for content scanning, if enabled, can report the scan results for both anti-virus (AV) and data loss prevention (DLP) scans.

AV and/or DLP information may be included in the following notifications:

• New File Upload Notification
• File Upload Confirmation
• New Package
• New Package Secure Attach
• New Temp User Package (with password)
• New Temp User Package (with password) Secure Attach
• New Temp User Package (with password link)
• New Temp User Package (with password link) Secure Attach
• New Guest Package
• New Guest Package Secure Attach
• File Non-Delivery Receipt
• File Upload List Notification
• File Upload List Confirmation
• File Not Downloaded List
• File Delivery Receipt
• Package Delivery Receipt
• Package Download Receipt
• Package Deleted By User
• Package User Was Deleted

The standard templates for these notifications do not include the content scanning results. You can add the macros that report the scan results by creating custom notification templates. Custom notifications are set in an organization via Settings | Appearance | Notification | Custom.

Reports

These reports show various types of content scanning activity. Two reports give specific information about scan results: Violations Blocked and DLP Violations (Allowed and Blocked). The remaining reports are maintenance reports that show aggregate counts.

If you are logged in as an organization administrator, the report shows scan results for your organization. If you are logged in as a system administrator, the report can show multiple organizations.

Note: Typically, reports may contain up to 30 days of online audit records and 30 days of online performance statistics, depending on how you run the scheduled cleanup tasks that archive the older data.