Content Scanning
- Last Updated: April 8, 2022
- 23 minute read
MOVEit Transfer content scanning enables you to apply content screening at scale using a third-party virus scanner, a third-party DLP (Data Loss Prevention) pattern and expression engine, or both. Content scanning can be used as an extra layer of control to help inspect, analyze, track, and block inbound or outbound file transfer.
You can control data shared from/added to MOVEit Transfer based on user/user group and:
- Anti-virus (AV) engine scan results.
- DLP indicators in the form of text patterns (such as business impact or information security classification markings), signatures (such as full MD5 sum), and any other rules you combine to categorize the data and designate relevance to certain users or user groups.
- Maximum data size (for performance and when 'downstream' applications handle files larger than this threshold).
Content scanning is typically most necessary when MOVEit Transfer data transfers occur across a firewall. Before MOVEit Transfer completes the data transaction, it forwards the data by way of Internet Content Adaptation Protocol (ICAP) to the appropriate scanner (AV or DLP). MOVEit allows or blocks the transfer based on the scan results.
| Transfer Direction | Scan Type | Notes |
|---|---|---|
| Outbound (share from MOVEit Transfer and Ad Hoc transfers) | Data loss prevention | DLP compliance. Logs or blocks sharing of DLP-rules identified content (for example, privileged or business sensitive data). |
| Inbound (add to MOVEit Transfer) | Anti-virus, data loss prevention | Protective AV scan. DLP rules evaluation, tagging and determination of MOVEit Transfer user access based on rule sets. |
Third-party AV and/or DLP instances are managed and deployed separately from MOVEit Transfer. Note that different scanning servers might have different capabilities and performance capacity. A server can be configured to do AV, DLP or both. You can configure MOVEit to communicate with multiple AV and DLP servers. You enable scanning at the system level, but you can have only one AV and one DLP server enabled at a time. You can then disable a specific AV or DLP process at the organization level.
This section lists the anti-virus scan engines that, running on a dedicated anti-virus host, are used to screen data uploads or downloads over an ICAP connection. The following major anti-virus (AV) and data loss prevention (DLP) engines have been confirmed to be compatible with MOVEit Transfer.
AV engines (some are AV/DLP)
| Anti-virus scanner | Latest verified version |
|---|---|
| McAfee VirusScan Enterprise | 8.8.0.2300 |
| McAfee VirusScan Enterprise for Storage (VSES) | 1.3 |
| McAfee Endpoint Security | 10.7.0.1675 |
| McAfee Web Gateway | 9.29 (36018) |
| Sophos Anti-Virus Dynamic Interface (SAVDI) scanner | 2.6 |
| Sophos for Network Storage | 10.8.10.810 |
| Symantec Protection Engine | 7.8.0.141 |
| Trend Micro InterScan Web Security Virtual Appliance (IWSVA) * | |
DLP engines
| Data loss prevention scanner | Latest verified version |
|---|---|
| | 9.29 (36018) |
| | 15.x* |
Anti-Virus
Anti-virus scan (SETTINGS > System > Content Scanning > Anti-Virus) allows scanning of incoming files using a remote anti-virus server. MOVEit Transfer submits incoming files to the anti-virus server using the ICAP protocol. Files that are clean are then passed into the MOVEit Transfer filesystem.
What happens when AV content scanning is enabled?
MOVEit Transfer scans uploaded files as follows:
- Files are scanned during the upload and are not entered into the MOVEit Transfer filesystem until the content scanner returns an indication that the file is not infected.
- If the file does have a virus, it is rejected, and the user receives an error message.
- If the ICAP server connection fails or the connection limit is exceeded, or if for some reason the file cannot be checked, the upload is rejected and the user receives an error message.
- If a maximum file size is configured, files are scanned up to that configured size. You can also elect for no maximum.
Before You Begin
You need the following before you can enable virus scan:
- A third-party virus scan engine running and on a host accessible to MOVEit Transfer by way of ICAP.
- Scan engines must support the ICAP protocol (see RFC 3507 for more information), which is required to interface with MOVEit Transfer. (Typical "desktop" virus scanners from the same vendors will not support the scale needed by MOVEit Transfer.)
Configuring Anti-Virus Scanning for MOVEit Transfer Hosts
After you configure the anti-virus server, set up content scanning for your MOVEit Transfer organizations. Anti-virus settings apply to all MOVEit Transfer organizations on the system.
Data Loss Prevention (DLP)
Data Loss Prevention scans (SETTINGS > System > Content Scanning > DLP) send incoming data from file transfers and Ad Hoc transfers, including subject, note/body and attachments, to an external DLP server so that MOVEit Transfer can:
- Use the DLP rule set to identify sensitive or valued content and the associated level of user/user role access. (For inbound packages.)
- Determine whether a package can be shared, based on the current user role and DLP policy requirements. (For outbound packages.)
MOVEit Transfer uses the ICAP protocol to submit incoming data to the DLP server. The DLP server applies configured data protection policies as it scans the data. When the DLP server returns its response, MOVEit configurations determine whether to block, quarantine or allow the transmission. MOVEit logs all DLP policy violations returned by the DLP server.

Configuring DLP Scanning for MOVEit Transfer Hosts
To implement Data Loss Prevention (DLP) scanning in MOVEit Transfer you must:
- Install and configure the external and (typically) remote DLP server.
- Configure DLP servers for a MOVEit system. You can enable only one DLP server at a time.
- Configure DLP rulesets for user classes or users for each MOVEit organization.
What happens when DLP content scanning is enabled?
MOVEit Transfer scans uploaded files as follows:
- Files are scanned based on a configured maximum size. See Content Scanning for more information.
- Files are scanned during the upload and are not entered into the MOVEit Transfer filesystem until the content scanner returns an indication that the file is not blocked for the user that is uploading the file.
- If the file violates a DLP policy, it will be processed according to the MOVEit policy and rulesets, and the user attempting to upload will receive an error message. Note that if a virus is found during a concurrent anti-virus scan, the file is automatically blocked from upload.
- If the ICAP server connection fails or the connection limit is exceeded, or if for some reason the file cannot be scanned, the upload will be rejected and the user will receive an error message.
- There is no support for re-scanning files, or scanning on downloads. The ability to download files is based on the results of the scan when the file was uploaded and rights for the user attempting the download. Quarantined files may be cleared for download under special circumstances.
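The AV and DLP upload rules above (clean file admitted, infected file rejected, DLP hit handled per policy, unreachable scanner rejects the upload) can be seen end to end in the following added example. It is not MOVEit Transfer's own code: it builds an ICAP RESPMOD request per RFC 3507, parses the scanner's reply, and applies the page's decision rules. The service paths, the sample replies (constructed), the `X-Infection-Found` / `X-Violations-Found` extension headers (widely used by ICAP scanners but not part of RFC 3507 itself) and the `dlp_policy` parameter are assumptions.

```python
"""Client-side ICAP (RFC 3507) flow for upload scanning.  Added illustration,
not MOVEit Transfer's own code: service paths, sample replies and the
decision rules are assumptions drawn from the behaviour described above."""
import socket
from dataclasses import dataclass, field
from typing import Optional

CRLF = "\r\n"


def build_respmod(host: str, service: str, body: bytes) -> bytes:
    """Wrap the uploaded bytes in an HTTP response and encapsulate that in an
    ICAP RESPMOD request, the form a content scanner expects (RFC 3507 s.4.9)."""
    http_hdr = (f"HTTP/1.1 200 OK{CRLF}"
                f"Content-Type: application/octet-stream{CRLF}"
                f"Content-Length: {len(body)}{CRLF}{CRLF}").encode()
    icap_hdr = (f"RESPMOD icap://{host}/{service} ICAP/1.0{CRLF}"
                f"Host: {host}{CRLF}"
                f"Allow: 204{CRLF}"  # lets the scanner answer "unmodified" without echoing the file
                f"Encapsulated: res-hdr=0, res-body={len(http_hdr)}{CRLF}{CRLF}").encode()
    # The file travels as one HTTP chunk followed by the zero-length terminator.
    chunk = f"{len(body):X}{CRLF}".encode() + body + f"{CRLF}0{CRLF}{CRLF}".encode()
    return icap_hdr + http_hdr + chunk


@dataclass
class IcapReply:
    status: int
    headers: dict = field(default_factory=dict)


def parse_icap_reply(raw: bytes) -> IcapReply:
    """Parse the ICAP status line and headers of a scanner's reply."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split(CRLF)
    version, code, *_ = lines[0].split(" ", 2)
    if not version.startswith("ICAP/"):
        raise ValueError("not an ICAP reply: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return IcapReply(int(code), headers)


def scan_over_icap(host: str, port: int, service: str, body: bytes,
                   timeout: float = 10.0) -> Optional[IcapReply]:
    """Submit the file to a scanner.  None means the scanner could not be
    reached or did not answer with ICAP; decide_upload treats that as a rejection."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_respmod(host, service, body))
            raw = b""
            while b"\r\n\r\n" not in raw:
                part = sock.recv(4096)
                if not part:
                    break
                raw += part
            return parse_icap_reply(raw)
    except (OSError, ValueError):
        return None


def decide_upload(av: Optional[IcapReply], dlp: Optional[IcapReply],
                  dlp_policy: str = "block") -> tuple:
    """Combine both scanners' replies into (outcome, reason).

    204 means the content came back unmodified (clean / no violation).  200 with
    X-Infection-Found or X-Violations-Found (widely used ICAP extension headers)
    means the scanner flagged it.  dlp_policy is the configured action for a
    DLP hit: "block", "quarantine" or "allow" (allow still records the violation);
    an unknown policy value falls back to "block" so the flow fails closed."""
    if av is None:
        return ("reject", "anti-virus scanner unavailable")
    if av.status == 200 and "x-infection-found" in av.headers:
        return ("reject", "virus found: " + av.headers["x-infection-found"])
    if av.status != 204:
        return ("reject", f"unexpected anti-virus reply {av.status}")
    if dlp is None:
        return ("reject", "DLP scanner unavailable")
    if dlp.status == 200 and "x-violations-found" in dlp.headers:
        detail = "DLP violation: " + dlp.headers["x-violations-found"]
        return ({"quarantine": "quarantine", "allow": "allow"}.get(dlp_policy, "block"), detail)
    if dlp.status != 204:
        return ("reject", f"unexpected DLP reply {dlp.status}")
    return ("allow", "clean")


# Constructed sample replies standing in for a real scanner's answers.
CLEAN = parse_icap_reply(b"ICAP/1.0 204 Unmodified\r\nISTag: \"sample\"\r\n\r\n")
INFECTED = parse_icap_reply(b"ICAP/1.0 200 OK\r\nISTag: \"sample\"\r\n"
                            b"X-Infection-Found: Type=0; Resolution=2; Threat=Test.Virus.Sample;\r\n"
                            b"Encapsulated: null-body=0\r\n\r\n")
VIOLATION = parse_icap_reply(b"ICAP/1.0 200 OK\r\nISTag: \"sample\"\r\n"
                             b"X-Violations-Found: 1\r\nEncapsulated: null-body=0\r\n\r\n")

if __name__ == "__main__":
    print(decide_upload(CLEAN, CLEAN))
    print(decide_upload(INFECTED, CLEAN))
    print(decide_upload(CLEAN, VIOLATION, dlp_policy="quarantine"))
    print(decide_upload(None, CLEAN))
```

The ordering in `decide_upload` mirrors the text: the AV verdict is evaluated first and a virus hit rejects the file regardless of the DLP outcome, and any case where a scanner cannot be consulted is a rejection rather than a pass-through. `scan_over_icap` only reads the ICAP headers, which is enough for the allow/block decision because the request advertises `Allow: 204`, so a clean file is not echoed back.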
Scanner Availability
If Content Scanning is enabled, MOVEit Transfer checks every few minutes to make sure the enabled AV and/or DLP scanner is available. This is part of the SysCheck routine (see Advanced Topics - System Internals - Scheduled Tasks), which can generate a built-in notification. It first checks the AV scanner and then the DLP scanner. If either scanner is unavailable, SysCheck sends an email message to the Send Errors To email address and warns that the MOVEit Transfer server will not be able to transfer files until this situation is addressed. When the scanner becomes available again, SysCheck sends an email that states that scanning is now working.
Logging
If a file was scanned, file detail pages show the anti-virus (AV) or the data loss prevention (DLP) server information.
In the following example, the first line of Content Scanning information is for the AV server and the second line is for the DLP server.

If a file fails the scan, an error message appears on the Home page of the user who uploaded the file.
Log file entries include status, user, and file attributes as well as policy violations (if applicable).

Error code numbers 6100 through 6103 are used to report AV errors, which is useful when filtering logs. If an upload fails because of content scanning, the corresponding log table record includes the AV server name and the virus name (when available).
Error code numbers 0 and 6150 are used to report DLP policy violations as follows:
- Error number 0 indicates a violation that was allowed or quarantined.
- Error number 6150 indicates a violation that was blocked.
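Because error number 0 is shared by clean uploads and by DLP violations that were allowed or quarantined, a log filter that keys on the error code alone will miss the latter. The following added example (constructed records; the CSV column names `error`, `av_server`, `virus` and `dlp_violation` are assumptions, not the product's actual log schema) groups scan-related records by outcome using the codes documented above and pulls out the AV server and virus name for the rejected uploads.

```python
"""Triage of content scanning log records by the error codes documented on
the page (6100-6103 AV errors, 0 / 6150 DLP violations).  Added example with
constructed records; the column layout is an assumption, not the real schema."""
import csv
import io
from collections import Counter

AV_ERROR_CODES = range(6100, 6104)   # 6100 through 6103 inclusive
DLP_BLOCKED = 6150

# Constructed sample log export with a hypothetical column layout.
SAMPLE_LOG = """\
time,user,file,error,av_server,virus,dlp_violation,message
2022-04-08T10:00:01,alice,q1.xlsx,0,,,,upload ok
2022-04-08T10:02:14,bob,invoice.pdf,6101,av01,Test.Virus.Sample,,upload rejected by AV
2022-04-08T10:03:30,carol,plan.docx,0,,,Internal-Only marker,upload quarantined
2022-04-08T10:05:07,dave,salaries.csv,6150,,,PII pattern,upload blocked by DLP
2022-04-08T10:06:45,erin,notes.txt,6103,av01,,,upload rejected (file could not be checked)
"""


def classify(record: dict) -> str:
    """Map one record to an outcome.  Error 0 on its own is ambiguous: it covers
    clean uploads and DLP violations that were allowed or quarantined, so the
    violation field has to be consulted as well."""
    code = int(record["error"])
    if code in AV_ERROR_CODES:
        return "av_error"
    if code == DLP_BLOCKED:
        return "dlp_blocked"
    if code == 0 and record.get("dlp_violation"):
        return "dlp_allowed_or_quarantined"
    if code == 0:
        return "clean"
    return "other"


def triage(csv_text: str) -> dict:
    """Group records by outcome and extract the AV detail (server and virus
    name, when present) that a responder looks at first."""
    groups = {}
    for rec in csv.DictReader(io.StringIO(csv_text)):
        groups.setdefault(classify(rec), []).append(rec)
    av_detail = [(r["user"], r["file"], r["av_server"],
                  r["virus"] or "(virus name unavailable)")
                 for r in groups.get("av_error", [])]
    counts = Counter({outcome: len(recs) for outcome, recs in groups.items()})
    return {"groups": groups, "av_detail": av_detail, "counts": counts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for outcome, n in sorted(result["counts"].items()):
        print(f"{outcome:28s} {n}")
    for item in result["av_detail"]:
        print("AV:", item)
```

The `dlp_allowed_or_quarantined` bucket is the one worth reviewing periodically: those transfers completed (or sit in quarantine) despite a policy hit, and nothing in the error code alone distinguishes them from ordinary successful uploads.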
Notifications
Notification macros for content scanning, if enabled, can report the scan results for both anti-virus (AV) and data loss prevention (DLP) scans.
AV and/or DLP information may be included in the following notifications:
- New File Upload Notification
- File Upload Confirmation
- New Package
- New Package Secure Attach
- New Temp User Package (with password)
- New Temp User Package (with password) Secure Attach
- New Temp User Package (with password link)
- New Temp User Package (with password link) Secure Attach
- New Guest Package
- New Guest Package Secure Attach
- File Non-Delivery Receipt
- File Upload List Notification
- File Upload List Confirmation
- File Not Downloaded List
- File Delivery Receipt
- Package Delivery Receipt
- Package Download Receipt
- Package Deleted By User
- Package User Was Deleted
The standard templates for these notifications do not include the content scanning results. You can add the macros that report the scan results by creating custom notification templates. Custom notifications are set in an organization via Settings | Appearance | Notification | Custom.
Reports
These reports cover the various kinds of content scanning activity. Two of the reports provide specific information about scan results for blocked violations and for DLP violations (allowed and blocked). The remaining reports are maintenance reports that show cumulative counts.
When you are logged in as an organization administrator, the reports show the scan results for your organization. When you are logged in as a system administrator, the reports may show multiple organizations.