3.6.2. Workflow template configuration

The Workflow templates page is found under Policy > Workflow templates after successful login.

These workflow templates define the scanning methods that can be used by the rules.

MetaDefender Core comes with predefined workflow templates that can not be modified, however they can be copied and the created workflow templates are fully customizable.

NOTE: These predefined workflow templates cannot be modified or removed.

It is highly recommended to use less workflow template and rather more rules based on the workflow templates.

images/download/attachments/39346541/image2019-7-3_17-33-9.png

Workflow templatesWhen clicking on a workflow template a windows pops up showing different tabs related to the workflow templates different kind of properties.

Archive

On the Archive tab the archive handling can be enabled or disabled as well as other parameters can be set.

The max recursion level defines how deep extraction should go into the archive, the number of maximum extracted files also can be set as well as the overall maximum size of these files.

It is also possible to disable scanning the archive itself, and a timeout for the whole process can be set as well.

images/download/attachments/39346541/image2019-7-3_17-35-27.png

Archive

Blacklist/Whitelist

During scan it is possible to create blacklists/whitelists where files depending on their checksum or MIME-TYPE and extensions can be skipped. All of these can be stored in the fields on the Blacklist/Whitelist tab. Also it is available to blacklist/whitelist all the files coming from the same group, such as executables, Microsoft Office files and others. When filtering by mime-type or filename, the filter is handled as a regular expression.

Exceptions can be defined in Exceptions (by mime-type) section using regular exceptions. For instance, if all office files have to be blocked except docx files, then Office documents group should be chosen and ^application\/vnd\.openxmlformats-officedocument\.wordprocessingml\.document$ expression should be given as exception.

images/download/attachments/39346541/image2019-7-3_17-36-31.png

Blacklist

Files can also be whitelisted by their checksums. For more information please see Skip by hash page.

Scan

NUMBER OF ACTIVE ANTI-MALWARE ENGINES: You can specify the number of active anti-malware engines required for performing a processing. When disabled, no active anti-malware engine is needed to be up to start a processing.

EXCLUDE ENGINES: Anti-malware engines not to be used in this workflow also can be listed here.

DETECT FILE TYPE MISMATCH: File type mismatch feature can be enabled on the tab. With this feature on, when the extension of the file does not match with the available extensions for the actual file type, the scan result will be Filetype Mismatch.

PER ENGINE TIMEOUT / EXTERNAL SCANNER TIMEOUT / GLOBAL SCAN TIMEOUT: The timeout for the different engines and the whole scanning process also can be set. The maximum allowed size of scanned objects can be set also on this tab as well.

SCAN FAILURE THRESHOLD: It is possible to enable and set a threshold value for the failed engine results. If the number of failed engine results for the currently scanned object reaches this value, then the overall result will also be failed. This threshold value does not have an effect on suspicious or infected results.

SUSPICIOUS DETECTED HANDLED AS: By enabled, you are able to decide if Suspicious result on any particular engine is considered as Infected or No Threat Found result, and it will take consideration into overall process result which also is constraint by threat detected threshold setting. The threat detected threshold setting supports two configuration options INFECTED LIMIT and the SUSPICIOUS LIMIT, and its handling logic will be described as following:

  • If the number of infected engine results is between these values the overall result will be suspicious.

  • If the INFECTED LIMIT is reached the overall result will be always infected.

  • If none of them is reached the overall result will be the highest priority engine result (infected results are ignored).

images/download/attachments/39346541/image2019-7-3_17-38-51.png

Scan

If the provided workflows do not meet your requirements, please contact our support team via the OPSWAT Portal.

MetaDefender Cloud

When MetaDefender Cloud workflow element is enabled, online database of MetaDefender Cloud will be used as source for hash lookups.

Available options:

  1. Use results: INFECTED or ALL RESULTS
    If INFECTED is chosen, then only that result will be accepted as result, otherwise all type of results will be taken into account.

  2. MetaDefender Cloud API key: An API key is necessary to have access to the MetaDefender Cloud database. API Key Information can be found on http://metadefender.com, under Account Information page.

  3. Maximum age of scan results: Only results that are not older than what is set here will be considered as a valid result.

  4. Excluded engines' name: Name of the engines whose results are not to be taken into account.

  5. Minimum hit count: To consider a verdict as a valid one, there should be at least as many result for a hash as it has been set here. (If Use result is set to INFECTED, then only infected results will be counted in.)

  6. Time out: The time interval within which the response should be received from MetaDefender Cloud.

images/download/attachments/39346541/image2019-7-3_17-39-50.png

MetaDefender Cloud

Deep CDR

By enabling Deep CDR, one can convert from a set of supported file types into another (or the same). By doing so lot of vulnerabilities can be got rid out of rendering the resulting file be more safe. Both the types to be sanitized and the target file type can be set. To set the file types that you want to sanitize you should tick on corresponding checkboxes. In addition, you can also tick on "ENABLE FOR ALL FILE TYPES" to choose all supported file types. File name from sanitized files can be defined by using "OUTPUT FILENAME FORMAT" field. For usage and meanings of variables, please refer to Setup output file name page.

By default, MetaDefender Core allows files, where sanitization fails. This behavior can be overridden enabling "BLOCK FILES IF SANITIZATION FAILS OR TIMES OUT".

The maximum allowed time for data sanitization to be made can be configured through the "CONVERSION TIMEOUT" and "TRY COUNT" options, where first one means that data sanitization should finish within the configured time frame, otherwise abort the conversion and latter means the number of times product should retry in case of a failed conversion.

When "DISTINGUISH PARTIAL ARCHIVE SANITIZATION RESULT" checked, MetaDefender Core will return "Partial Sanitization" processing result for Deep CDR when only some of child files in original archive files are sanitized successfully.

Beware, however, that possible data loss or change may occur during conversion, thus this feature is disabled by default.

Result of sanitization can be either downloaded on the scan page or retrieved the data ID via REST. See 8.1.3.2. Fetch processing result. Note that /hash API does not provide such information.

Length of time the system stores sanitized files can be set in Settings > Data retention.

images/download/attachments/39346541/image2019-7-3_17-41-48.png

Deep CDR

Block files if sanitization fails

By default, MetaDefender allows files, where sanitization fails.

For example: even if sanitization of an underlying element in a .zip file fails (sanitization is enabled for .png files in the examples below), the overall result (and the result of the .png file as well) is allowed by default:

images/download/attachments/39346541/image2019-2-11_14-21-8.png

Once "BLOCK FILES IF SANITIZATION FAILS OR TIMES OUT" is enabled, the overall and the individual result are blocked in case of a sanitization failure:

images/download/attachments/39346541/image2019-2-11_14-25-47.png

The sanitization failure of the zipped file is propagated to the .zip file level:

Proactive Data Loss Prevention (Proactive DLP)

For all information about features powered by Proactive DLP, please learn more at Proactive DLP

Proactive DLP

Proactive DLP configuration options

On the Technologies page, clicking on the line of the Proactive DLP engine then on the Settings text on the top right corner of the popup window, the configuration options for the Proactive DLP engine appear.

Proactive DLP engine configuration

Options:

  • "Parse binary files": Choosing this option, sensitive data will be searched for in files that cannot be converted to text.

  • "Mask numbers in CCN/SSN hits": On the result page, the found CCN/SSN numbers will be masked with "X"s.

  • "Mask regex matches": On the result page, texts matching regex will be masked with "X"s.

  • "Mask context": Mask sensitive information in context

Advanced

By enabling 'Quarantine blocked files' all of the files which are blocked are automatically copied to the quarantine. For detailed description of the quarantine please see the Quarantine page.

By enabling 'Fallback filetype detection to current extension if needed' (default enabled), file type detection can use the extension of the currently processed file as a helping hand. For example this could be useful, when analyzing CSV files.

By enabling 'OVERRIDE SCAN RESULTS CLASSIFIED AS ALLOWED' it is possible to overwrite the default behaviour of MetaDefender and determine which scan verdicts should result as allowed.

Scan results checked are marked as allowed.

By default only 'No Threat Detected' and 'Skipped Clean' verdicts result in allowed status.

images/download/attachments/39346541/image2019-7-3_17-58-20.png

Advanced