Patient Zero policy Realtime Policy has anyone actually done this?

  • 17 October 2023
  • 1 reply

Userlevel 3
Badge +11

Netskope Advance Threat Protection does have a sandbox/research feature to investigate files that are downloaded with a sandbox examination, amongst other things.  Having an alert later on that a file is malicious gives a reason for follow-up on that person/computer.


They also have a policy suggestion, where novel files are not downloadable until after they pass a sandbox exception.  The devil is in the details "The Netskope advanced threat engines can take up to 10 minutes to analyze the file."  Also, in practice, if you the download just fails for 10 minutes of clicking on it, no pop-up warning you that it is in review.


So I am dying to know - has anyone actually done this policy?


I am also fascinated by the policy example, where the policy is applied to downloads of Adult Content and Adult Content - Porn.  The net effect would be "As a company it is OK to go to a porn site and download from it, but you have to wait 10 minutes while we check out the download"


Wouldn't it be better to put the file aside and send the person an email with a link from Netskope? and download it from Netskope?



1 reply

Userlevel 6
Badge +16

Hello @wilson,


The patient 0 feature has two components that you reference.  The first is flagging the file if it's the first time it's been sandboxed and flagged as malicious.  In this case, the file is allowed to be downloaded and flagged after sandboxing is complete.   The second, optional component is the ability to hold the file until sandboxing is complete.    

The purpose of the second policy is to be a targeted protection for higher risk files and should be used in conjunction with other policies to provide layered defense.  In the screenshot provided the policy is scoped to file types across all categories (including Adult Content).  Ideally, administrators would have policies that would block the initial browse and access to Adult Content before a file download is ever attempted.  So a potential policy structure could be:

1.   Block all prohibited categories including Adult Content, Security Risk, etc 

2.   Block known malware uploads and downloads across all categories with Patient 0 hold policy

3.  Other activity, DLP, etc controls

This reason for having all categories selected in the malware policy is more of a safety net in case of newly observed sites (depending on your other policies), miscategorization, policy mistakes, etc.  In such a case, users would not be allowed to access adult content sites at all but if they somehow got the download link directly, it would be scanned for malware and then blocked after hitting the block all policy.  Keep in mind, these are suggested policies and you can change the order to essentially block any download first whether it contains malware or not but functionally they operate the same.  

As for the not holding it, Netskope does not store customer files for threat protection, DLP forensics, or any other reason.   In some cases, we may send the file to a third party repository that you own such as for DLP forensics.  

Can you elaborate a bit more on "Also, in practice, if you the download just fails for 10 minutes of clicking on it, no pop-up warning you that it is in review."  Why would the download fail?  I apologize if I'm misunderstanding the question here.