Static malware analysis of large files

Inline payload analysis allows ETP Proxy to scan files or website content up to 5 MB in size. ETP Proxy cannot scan files that exceed 5 MB inline, that is, before they are downloaded to the user’s browser. In ETP, you define how larger files are handled: you can allow or block the download of these files. If the files range from 5 MB to 2 GB in size, you can configure ETP Proxy to scan them out of band, that is, after they are downloaded to the browser.

Static malware analysis of large files scans files offline, after they are downloaded by the end user. Static malware analysis scans the code without running or executing it. This feature is enabled when you select the Allow and Scan action for large files. These files are scanned with the same static analysis engines as small files. If you want to analyze content when it’s executed in a secure sandbox environment with dynamic scanners, see Dynamic malware analysis.

Files are scanned within a four-hour period after download. If ETP Proxy detects malware, a threat event is reported in ETP. As part of the reported threat event, you can also download a deep scan report that includes more detailed information about the threat and what the scan detected.

Because the scan occurs after the file is downloaded, the malicious file is not blocked. As a result, you may need to run an anti-virus scan on the machine where the file was downloaded or configure your organization’s security information and event management (SIEM) solution to scan the machine for malware. For more information on the deep scan report, see Deep scan report of large files with static malware analysis. To view events with deep scan reports, see View events with deep scan report results.
Note: To enable or use this feature, your organization must be licensed for Advanced Sandbox.
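Because detection arrives after delivery, follow-up starts from the download records rather than from a block event. The following triage sketch is an added example, not Akamai code: the record fields (host, file_id, time), the sample data, and the join on file_id are assumptions and do not reflect an ETP export schema.

```python
from datetime import datetime, timedelta

SCAN_WINDOW = timedelta(hours=4)  # from the page: scanned within four hours of download

# Constructed sample records; field names are hypothetical.
DOWNLOADS = [
    {"host": "wks-014", "file_id": "file-A", "time": "2024-05-02T09:10:00"},
    {"host": "wks-022", "file_id": "file-A", "time": "2024-05-02T09:40:00"},
    {"host": "wks-031", "file_id": "file-B", "time": "2024-05-02T11:30:00"},
    {"host": "wks-007", "file_id": "file-C", "time": "2024-05-02T06:00:00"},
]
THREAT_EVENTS = [{"file_id": "file-A", "time": "2024-05-02T11:05:00"}]


def triage(downloads, threat_events, now):
    """Sort large-file downloads into hosts to scan, verdicts pending, and no event."""
    detected = {e["file_id"]: datetime.fromisoformat(e["time"]) for e in threat_events}
    out = {"scan_host": [], "pending": [], "no_event": []}
    for d in downloads:
        fetched = datetime.fromisoformat(d["time"])
        if d["file_id"] in detected:
            # Exposure: how long the file sat on the host before the threat event.
            exposure = max(detected[d["file_id"]] - fetched, timedelta(0))
            out["scan_host"].append((d["host"], d["file_id"], exposure))
        elif now - fetched < SCAN_WINDOW:
            # Still inside the scan window: a verdict may yet arrive by this time.
            out["pending"].append((d["host"], d["file_id"], fetched + SCAN_WINDOW))
        else:
            out["no_event"].append((d["host"], d["file_id"]))
    # Longest exposure first, so those machines are scanned first.
    out["scan_host"].sort(key=lambda r: r[2], reverse=True)
    return out


if __name__ == "__main__":
    result = triage(DOWNLOADS, THREAT_EVENTS, datetime(2024, 5, 2, 12, 0))
    for host, file_id, exposure in result["scan_host"]:
        print(f"scan {host}: {file_id} present for {exposure} before detection")
    for host, file_id, due in result["pending"]:
        print(f"pending {host}: {file_id} verdict expected by {due}")
```

Every host that fetched a file later reported as a threat is listed, not only the host named in the event, because the download was allowed in each case.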