Netskope Global Technical Success (GTS)
How to create a custom threat protection profile
Netskope Cloud Version - 122
Objective
The purpose of this article is to explain how to create a custom threat protection profile to allow or block specific files.
Prerequisite
Netskope CASB/SWG license is required.
Netskope Standard Threat Protection license is required.
Context
When customers create a Malware policy, they normally use our default threat protection profile, often without noticing that they can create a custom malware profile that extends the detection list and bypasses false positives without the need to create any additional policies.
Configuration
For this example, we are going to create two file profiles based on MD5 (or SHA256), then proceed to create a custom threat protection profile.
- Create a new file profile:
Go to Policies >>> File, click on “New File Profile”, select “File Hash”, then click on “MD5”. Add any MD5 that you wish to bypass from Malware scanning, click on “Next”, then add a name to your file profile.
Repeat the same process for a blocklist profile based on MD5.
- Create a new threat protection profile:
Path: Netskope Tenant UI >>> Policies >>> Threat Protection, then click on “New Malware Detection profile”.
Please note that “Default Malware scan” is grayed out. This means that any custom threat protection profile takes our default profile as a base and removes or adds detections depending on the file profiles you select next.
For this example within the “ALLOWLIST” section, we will select the file profile we created to bypass detections.
Now, within the “BLOCKLIST” section, we will select the file profile we created to block additional files not detected by the Netskope default threat protection profile.
Once you have selected the allowlist and blocklist, add a name to your new threat protection profile, then click on “save malware detection profile”.
- Replace the threat protection profile on your malware policy:
Go to Policies >>> Real-Time Protection, then open your production malware policy.
Once opened, edit the threat protection profile to use the custom profile.
💡 File Profiles can be updated through Netskope REST APIv1 (see here). Also, by using Netskope Cloud Exchange along with its Threat Exchange module, we can bring IoCs from 3rd party vendors directly into file profiles (see here).
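A pre-check for the hash lists that go into the allowlist and blocklist file profiles, as an added example (not Netskope code and not part of the original article): it normalizes MD5/SHA256 entries, rejects malformed lines, and flags any hash present in both lists. The function names, the one-hash-per-line input format with `#` comments, and the sample hashes are assumptions constructed for illustration.

```python
import re

# Hash kinds named in the article (MD5 or SHA256), keyed by hex length.
HASH_KINDS = {32: "md5", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_hash_list(text):
    """Return (entries, rejected); entries maps normalized hash -> kind."""
    entries, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        value = raw.split("#", 1)[0].strip().lower()  # drop comment, normalize
        if not value:
            continue
        kind = HASH_KINDS.get(len(value))
        if kind is None or not HEX_RE.match(value):
            rejected.append((lineno, value))  # wrong length or non-hex chars
            continue
        entries.setdefault(value, kind)  # de-duplicate, keep first occurrence
    return entries, rejected


def review_profiles(allow_text, block_text):
    """Check both lists and report anything that should stop the change."""
    allow, allow_bad = parse_hash_list(allow_text)
    block, block_bad = parse_hash_list(block_text)
    return {
        "allow": allow,
        "block": block,
        "rejected": {"allow": allow_bad, "block": block_bad},
        # A hash in both lists is ambiguous; resolve it before saving.
        "conflicts": sorted(set(allow) & set(block)),
    }


# Constructed sample input (hypothetical values, not real indicators).
SAMPLE_ALLOW = """\
00112233445566778899AABBCCDDEEFF   # approved installer (constructed)
00112233445566778899aabbccddeeff
00112233445566778899aabbccddeef    # truncated copy/paste, 31 chars
"""
SAMPLE_BLOCK = """\
00112233445566778899aabbccddeeff
00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
zz112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    report = review_profiles(SAMPLE_ALLOW, SAMPLE_BLOCK)
    print("conflicts:", report["conflicts"])
    print("rejected:", report["rejected"])
```

Because an allowlist entry bypasses malware scanning, any rejected line or conflict is worth resolving against the original source of the hash before the file profile is saved.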
Conclusion
With a custom threat protection profile, we can place specific files on an allowlist or a blocklist.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.