
Netskope Global Technical Success (GTS)

How to create a custom threat protection profile

Netskope Cloud Version - 122

Objective

The purpose of this article is to explain how to create a custom threat protection profile that allowlists or blocklists specific files by their hash, so that known false positives are no longer flagged and files missed by the default scan are blocked.

Prerequisite

  • Netskope CASB/SWG license is required.
  • Netskope Standard Threat Protection license is required.

Context

When creating a Malware policy, customers normally select the default threat protection profile without noticing that a custom malware detection profile can be created instead. A custom profile keeps the default detections as its base, extends the detection list with your own blocklist, and suppresses known false positives through an allowlist, all without creating any additional policies. Keep in mind that an allowlisted hash bypasses malware scanning entirely for that file, so only allowlist hashes of files you have verified yourself.

Configuration

For this example, we are going to create two file profiles based on file hash (MD5 or SHA256), one allowlist and one blocklist, then create a custom threat protection profile that references both.

  • Create a new file profile:

Go to Policies >>> File and click on “New File Profile”. Select “File Hash”, then click on “MD5” (or “SHA256”), add the hashes of the files you wish to bypass from malware scanning, click on “Next” and give the file profile a name.

Each file profile is created for the hash type you select, so keep MD5 and SHA256 hashes in separate profiles. Where you have the choice, prefer SHA256: MD5 collisions are practical, so an MD5 allowlist can in principle be matched by a malicious file crafted to share the hash of a benign one, whereas SHA256 has no such weakness.


Repeat the same process for a blocklist profile, adding the MD5 (or SHA256) hashes of files you want blocked even though the default scan does not detect them:


  • Create a new threat protection profile:

Path: Netskope Tenant UI >>> Policies >>> Threat Protection, then click on “New Malware Detection profile”


Please note that “Default Malware scan” is grayed out: every custom threat protection profile uses our default profile as its base and then removes detections (allowlist) or adds detections (blocklist) according to the file profiles you select next.

For this example within the “ALLOWLIST” section, we will select the file profile we created to bypass detections.


Now, within the “BLOCKLIST” section, select the file profile we created to block additional files that the Netskope default threat protection profile does not detect.


Once you have selected the allowlist and blocklist, give the new threat protection profile a name, then click on “save malware detection profile”.


  • Replace the threat protection profile on your malware policy:

Go to Policies >>> Real-Time Protection and open your production malware policy.
Once opened, change the threat protection profile from the default to the custom profile and save the policy.

Before relying on the change, confirm it with a test: a download of a file whose hash is in the blocklist profile should now be blocked, and a file whose hash is in the allowlist profile should no longer be flagged.


💡 File Profiles can be updated through the Netskope REST API v1 (see here), which is useful for keeping a blocklist profile in sync with hashes produced by your own tooling.

By using Netskope Cloud Exchange with its Threat Exchange module, IoCs from third-party vendors can also be brought directly into file profiles (see here).
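The two manual steps above, hashing the files that go into a file profile and keeping that profile updated through the REST API, can be scripted. The following is an added example written for this article; it is not Netskope's code and not part of the original page. It assumes the REST API v1 endpoint `POST https://<tenant>/api/v1/updatefilehashlist` with form fields `token`, `name` (the file profile name) and `list` (comma-separated hashes); check those against the API documentation for your tenant before use. The sample file contents are constructed for the demonstration.

```python
"""Hash files for a Netskope file profile and build the REST API v1 update call.

Added example, not Netskope's code or the article's. Assumptions (verify against
your tenant's API documentation):
  * endpoint     POST https://<tenant>/api/v1/updatefilehashlist
  * form fields  token, name (file profile name), list (comma-separated hashes)
The sample file contents below are constructed for the demo.
"""
import hashlib
import json
import os
import re
from pathlib import Path
from typing import Dict, Iterable, List
from urllib import parse, request

# A file profile holds one hash type; accept only clean hex digests of that length.
HEX_PATTERNS = {"md5": re.compile(r"[0-9a-f]{32}"), "sha256": re.compile(r"[0-9a-f]{64}")}


def hashes_for_bytes(data: bytes) -> Dict[str, str]:
    """Return the MD5 and SHA-256 hex digests of one file's contents."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def hashes_for_path(path: Path) -> Dict[str, str]:
    """Same as hashes_for_bytes, for a file on disk."""
    return hashes_for_bytes(path.read_bytes())


def is_valid_digest(digest: str, algo: str) -> bool:
    """True if digest is a well-formed lower-case hex digest for algo."""
    return HEX_PATTERNS[algo].fullmatch(digest) is not None


def normalise(hashes: Iterable[str], algo: str) -> List[str]:
    """Lower-case, validate and de-duplicate digests for a single-type profile.

    A mistyped or truncated digest would silently never match anything, so fail
    loudly here instead of shipping it to the tenant.
    """
    out: List[str] = []
    seen = set()
    for raw in hashes:
        digest = raw.strip().lower()
        if not is_valid_digest(digest, algo):
            raise ValueError(f"not a valid {algo} hex digest: {raw!r}")
        if digest not in seen:
            seen.add(digest)
            out.append(digest)
    return out


def build_update_payload(token: str, profile_name: str, hashes: Iterable[str], algo: str) -> Dict[str, str]:
    """Form body for the assumed /api/v1/updatefilehashlist call."""
    return {"token": token, "name": profile_name, "list": ",".join(normalise(hashes, algo))}


def push_hash_list(tenant: str, payload: Dict[str, str]) -> dict:
    """POST the payload to the tenant. Network call; not exercised offline."""
    url = f"https://{tenant}/api/v1/updatefilehashlist"  # assumed v1 endpoint
    body = parse.urlencode(payload).encode()
    req = request.Request(url, data=body, method="POST")
    with request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed stand-ins for files you would add to the blocklist profile.
SAMPLE_FILES = {
    "dropper.exe": b"constructed sample: stands in for a file the default scan missed\n",
    "loader.dll": b"constructed sample: second file to block\n",
}


def sample_blocklist(algo: str = "sha256") -> List[str]:
    """Digests of the constructed samples, as you would paste them into the UI."""
    return normalise([hashes_for_bytes(d)[algo] for d in SAMPLE_FILES.values()], algo)


if __name__ == "__main__":
    token = os.environ.get("NS_TOKEN", "<token>")
    payload = build_update_payload(token, "GTS-Blocklist", sample_blocklist(), "sha256")
    print(json.dumps(payload, indent=2))
    # Only talk to a tenant when both NS_TENANT and NS_TOKEN are set.
    if os.environ.get("NS_TENANT") and os.environ.get("NS_TOKEN"):
        print(push_hash_list(os.environ["NS_TENANT"], payload))
```

Run it without environment variables to see the form body it would send; set `NS_TENANT` and `NS_TOKEN` to push to a tenant. The validation step is deliberate: the UI and the API accept whatever string you hand them, and a digest with a stray character or mixed hash types in one profile simply never matches, which on an allowlist means the false positive keeps firing and on a blocklist means the file keeps getting through.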

 

Conclusion

With a custom threat protection profile, specific files can be placed on an allowlist (to suppress false positives) or a blocklist (to block files the default scan does not detect) while the default detections remain in place.

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.