Inline payload analysis

Organizations that are licensed for ETP Advanced Threat can enable inline payload analysis to scan content on websites. For example, this feature allows ETP to scan a file like a PDF or an image.

If the proxy is enabled, you can enable inline payload analysis in a policy.

When inline payload analysis is enabled, malware scanning is performed on responses from the origin server. HTTP and HTTPS payloads from risky domains, or files in a file sharing application, are scanned. This feature allows the proxy to scan files that are up to 5 MB in size.

The following applies:
  • Inline payload analysis is applied to traffic sent through ETP Proxy.
  • With the selective proxy, only risky domains are sent to the proxy. With the full web proxy, all traffic is sent to the proxy.

When you enable inline payload analysis in a policy, you can also define how ETP handles files that exceed 5 MB. You can configure ETP to scan large files that are 5 MB to 2 GB in size after they are downloaded. For more information, see Static malware analysis of large files. If you further enable dynamic analysis, you can scan files that are up to 64 MB in an isolated sandbox environment where files are opened, executed, and observed for harmful activity. For more information, see Dynamic malware analysis.

If the payload analysis detects a threat, the response is blocked or monitored based on the action that's assigned to the malware threat category.

When you enable inline payload analysis, ETP also analyzes websites for zero-day phishing threats. With this feature, ETP can detect webpages that were created with phishing toolkits. For more information, see Zero-day phishing detection.

You can also use inline payload analysis for data loss prevention (DLP). With DLP, you can scan data that's uploaded by users and is up to 5 MB in size. DLP scans this data for sensitive information. DLP is currently in beta. For more information, see Data loss prevention.
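As an added illustration (not Akamai code and not the ETP API), the following Python model encodes the routing and size rules stated above for downloads and for DLP uploads: selective versus full proxy, the 5 MB inline limit, the 5 MB to 2 GB static analysis range, the 64 MB dynamic sandbox limit, and the block/monitor action taken from the malware threat category. The `Policy` and `Transfer` classes, their field names and the path labels are assumptions made for the example; the page does not say whether files already scanned inline are also sent to the sandbox, so the model assumes any file up to 64 MB is sandbox-eligible once dynamic analysis is enabled.

```python
"""Hypothetical model of the inline payload analysis decision flow.

Added illustration only: this is not Akamai code and not the ETP API. It
encodes the size limits and routing rules from the page so that a policy
reviewer can check which analysis paths a given transfer would take.
"""
from dataclasses import dataclass

MB = 1024 * 1024
GB = 1024 * MB

INLINE_LIMIT = 5 * MB         # inline scan limit (page: up to 5 MB)
STATIC_LARGE_LIMIT = 2 * GB   # static analysis of large files (page: 5 MB to 2 GB)
DYNAMIC_LIMIT = 64 * MB       # dynamic sandbox analysis (page: up to 64 MB)


@dataclass
class Policy:
    """Policy settings relevant to payload analysis (field names are assumptions)."""
    proxy_mode: str                          # "selective" or "full"
    inline_payload_analysis: bool = False
    static_large_file_analysis: bool = False
    dynamic_analysis: bool = False
    dlp_enabled: bool = False
    malware_action: str = "block"            # action assigned to the malware category


@dataclass
class Transfer:
    """One HTTP(S) transfer seen by the proxy (constructed sample input)."""
    domain: str
    size_bytes: int
    direction: str                # "download" (origin response) or "upload" (user data)
    risky_domain: bool = False
    file_sharing_app: bool = False


def sent_to_proxy(policy, transfer):
    """Selective proxy forwards only risky domains; full web proxy forwards everything."""
    if policy.proxy_mode == "full":
        return True
    if policy.proxy_mode == "selective":
        return transfer.risky_domain
    raise ValueError("unknown proxy mode: %r" % policy.proxy_mode)


def analysis_paths(policy, transfer):
    """Return the analysis paths that apply, in the order they are triggered."""
    paths = []
    if not policy.inline_payload_analysis or not sent_to_proxy(policy, transfer):
        return paths
    size = transfer.size_bytes
    if transfer.direction == "download":
        # Only payloads from risky domains or file sharing applications are scanned.
        if not (transfer.risky_domain or transfer.file_sharing_app):
            return paths
        if size <= INLINE_LIMIT:
            paths.append("inline")
        elif policy.static_large_file_analysis and size <= STATIC_LARGE_LIMIT:
            paths.append("static_after_download")
        # Assumption: any file up to 64 MB is sandbox-eligible once dynamic analysis
        # is on; the page does not say whether inline-scanned files are also sandboxed.
        if policy.dynamic_analysis and size <= DYNAMIC_LIMIT:
            paths.append("dynamic_sandbox")
    elif transfer.direction == "upload":
        # DLP scans user uploads up to 5 MB (page); routing through the proxy is assumed.
        if policy.dlp_enabled and size <= INLINE_LIMIT:
            paths.append("dlp")
    return paths


def malware_verdict(policy, transfer, threat_detected):
    """Action taken on a response when malware analysis flags it: block or monitor."""
    if policy.malware_action not in ("block", "monitor"):
        raise ValueError("malware action must be 'block' or 'monitor'")
    malware_paths = {"inline", "static_after_download", "dynamic_sandbox"}
    if not threat_detected or not malware_paths.intersection(analysis_paths(policy, transfer)):
        return "no_action"
    return policy.malware_action


if __name__ == "__main__":
    policy = Policy("full", inline_payload_analysis=True,
                    static_large_file_analysis=True, dynamic_analysis=True,
                    dlp_enabled=True, malware_action="monitor")
    samples = (Transfer("risky.example", 2 * MB, "download", risky_domain=True),
               Transfer("risky.example", 30 * MB, "download", risky_domain=True),
               Transfer("share.example", 500 * MB, "download", file_sharing_app=True),
               Transfer("risky.example", 3 * GB, "download", risky_domain=True),
               Transfer("upload.example", 3 * MB, "upload"))
    for t in samples:
        print(t.domain, t.size_bytes // MB, "MB", t.direction, "->", analysis_paths(policy, t))
```

Running the script prints, for each constructed transfer, the analysis paths the model would apply; a 3 GB download from a risky domain gets no path at all, which is the case a reviewer most often wants to confirm when sizing a policy.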