Payload analysis

After you enable inline payload analysis in a policy, you can select how ETP proxy scans these types of files:
  • Small. Files that are less than 5 MB in size.
  • Large. Files that are 5 MB to 2 GB in size.
  • Huge. Files that are more than 2 GB in size.

In a policy, you select the action that’s associated with large and huge file types. By default, with inline payload analysis, small files (files that are less than 5 MB) are always scanned inline or before the file is downloaded.

The following actions are available for each file type:

Small
  • Inline Scanning. Scans files or website content before end users see downloaded content. In ETP, this action is available for small files (files that do not exceed 5 MB). For more information, see Inline payload analysis.

Large
  • Block - Error Page. Blocks the end user from downloading the file. When a download is attempted, the end user is presented with a custom error page to indicate that the operation is not allowed.
  • Allow and Scan. Scans large files up to 2 GB with static malware analysis. This action:
      1. Allows the end user to download the file.
      2. Scans the file within a four-hour time period. If the file is malicious, a threat event is reported, and a deep scan report is available to download in the event details. For more information, see Deep scan report of large files with static malware analysis.
    By default, this action is enabled for large files. For more information, see Static malware analysis of large files.
    You can also enable dynamic analysis to scan files that are up to 64 MB in size within a sandbox environment. For more information, see Dynamic malware analysis.
    To scan large files, your organization must be licensed for Advanced Sandbox.
  • Allow. Allows the end user to download the file. No file scanning occurs.

Huge
  • Block - Error Page. Blocks the end user from downloading the file. When a download is attempted, the end user is presented with a custom error page.
    By default, this action is enabled for huge files.
    Note: Some web servers use HTTP streaming without providing file size when the download begins. In this case, ETP starts the download process, but it cancels and blocks the download of a huge file in the middle of the process based on this policy action. No error page is shown in this situation.
  • Allow. Allows end users to download the file. No file scanning occurs.
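
The note on HTTP streaming describes two different enforcement points for the huge-file block action. The following added example (a model written for this page, not ETP's code) shows why a declared size allows an error page while an unannounced size can only end in a cancelled transfer. The function names, outcome labels, and the decimal MB unit are assumptions.

```python
MB = 1000 * 1000            # assumption: decimal megabytes
SMALL_LIMIT = 5 * MB        # small: less than 5 MB
HUGE_LIMIT = 2000 * MB      # huge: more than 2 GB


def classify(size):
    """Map a known file size in bytes to the page's file types."""
    if size < SMALL_LIMIT:
        return "small"
    return "large" if size <= HUGE_LIMIT else "huge"


def relay(content_length, chunks, huge_action="block", huge_limit=HUGE_LIMIT):
    """Model a proxy relaying one download (hypothetical helper).

    content_length: declared size in bytes, or None when the server streams
    without announcing a size. chunks: iterable of bytes from the server.
    Returns (outcome, bytes_forwarded_to_client).
    """
    blocking = huge_action == "block"
    # Size known up front: nothing has been sent to the client yet, so the
    # response can still be replaced with the custom error page.
    if blocking and content_length is not None and content_length > huge_limit:
        return ("error_page", 0)
    forwarded = 0
    for chunk in chunks:
        # Size unknown (or under-declared): the limit is only discovered
        # mid-transfer. Response headers already went out, so the only
        # option left is to cut the connection; no error page is possible.
        if blocking and forwarded + len(chunk) > huge_limit:
            return ("cancelled_mid_stream", forwarded)
        forwarded += len(chunk)
    return ("completed", forwarded)


if __name__ == "__main__":
    stream = [b"x" * 4] * 5   # constructed sample: 20 bytes in 4-byte chunks
    # A tiny huge_limit stands in for 2 GB so the demo runs instantly.
    print(relay(50, stream, huge_limit=10))
    print(relay(None, stream, huge_limit=10))
    print(relay(None, stream, "allow", huge_limit=10))
```

When troubleshooting, the second outcome is the one to keep in mind: the end user sees an interrupted download rather than a block page.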