File Content Heuristic Engine
Ransomware is a type of malware that an attacker uses to infiltrate your system and make your files inaccessible, usually by encrypting them. The attacker then demands that you pay a ransom to decrypt your files.
A heuristic engine can help prevent ransomware from entering your system by scanning files for characteristics that are often present in malicious files. FileCloud includes a heuristic engine that looks for files that identify their content inaccurately, a method sometimes used to trick users into opening files containing ransomware. For example, FileCloud's heuristic engine can detect if a file identifies itself as a basic text or image file, but includes code that is not normally present in these types of files.
The FileCloud heuristic engine is available to you, but to use it, you must add it to a workflow in your system by choosing a Verify file integrity action. When a file fails the integrity check, the workflow can either delete the file or send a notification.
To create a workflow that uses the heuristic engine to validate uploaded files:
- In the admin portal, in the navigation panel, click Workflows.
- In the Manage Workflows screen, click Add Workflow.
The Create New Workflow dialog box opens.
- To perform the check on every file that is uploaded for the first time, in the IF Condition drop-down list, choose If a file is created.
Note: To also apply the condition to files that are re-uploaded, add a verify file integrity action with the condition If a file is updated.
- Click Next.
The next window prompts you to enter parameters for the workflow.
- Since you want to scan all uploaded files, set parent_folder_path_string to /, which indicates all files. The other parameters are optional, and you can exclude them.
- Click Next.
You are prompted to choose an action.
- Choose one of the Verify file integrity actions depending on what you want the system to do when a mismatch is detected. The possible actions are:
Verify file integrity and generate admin alert on mismatch: Detects the mismatch and adds an entry to the Alerts screen of the admin portal. However, the file is uploaded into FileCloud, and if it is determined that it should be deleted, this must be done as a separate action.
Verify file integrity and delete on mismatch: Detects the mismatch, adds an entry to the Alerts screen of the admin portal, and deletes the file from FileCloud. An audit entry is added in the admin portal to indicate that the file has been deleted by the workflow.
In both cases, a pop-up in the user interface notifies the user that the content and file type extension do not match, either:
In both cases, alerts also appear in the Manage Alerts screen of the admin portal.
- After you choose one of the actions, click Next.
- Add the ignore_file_size_in_mb parameter. The purpose of this parameter is to prevent the system from slowing down by scanning the content of large files.
In the following example, the parameter is set to 10.
- Click Next.
- Enter a name for the workflow.
- Click Finish.
The workflow appears in the list on the Manage Workflows screen.
Since the workflow is enabled, now each time a file is uploaded for the first time into FileCloud, its content and file extension are checked for a mismatch.