Hello Munster, 

This will give you information about the TP scanning policy: 

https://docs.netskope.com/en/netskope-help/data-security/threat-protection/creating-a-threat-protection-policy-for-real-time-protection/

All files are scanned according to the policy you configured. If any files are convicted you will see them under Incidents > Threat Protection. 

HTH

HI Frosa

Thank

Actually, I was referring to this “default malware scan”

Does the logging also log file that was scanned as clean?

Thank

No, it doesn’t. just convictions are logged as alerts. 

Hi Frosa

Regarding the “Default Malware Scan”, can we know what is the setting so that we can customize for each profile?

For the logging only malicious file, how can I do forensics investigation if there is no logging of clean file?  

Thank

Munster, 

Netskope only offers our own Threat intelligence for AV scanning so that is the only option available. There is no customization available besides bypassing scanning based on hashes and filetypes. 

About logging clean verdicts, we don’t do it but in case you get a FP using your EDR solution for example, you can always submit a False-positive through support and we will investigate it for you. 

Please let me know if you have any additional questions 

Fabio 

Hi Frosa

Thank for the info

If a file detected as malware, we will like to know if it came from email, online collobration, web, usb, etc. Not logging clean verdict, then the IR will not be complete.  

How about FN?  We will not report the malware if SkopeIT didnt have a record that transited thru Netskope

thank