[MDS] Management - Policy Settings (Detection Settings)
1. Summary
Configures the detection settings to detect various security threats.
2. Menu tree
3. Contents
1) Configure Collection Path
To set the service protocols to monitor by mirroring and the email BCC option:
- Select the protocols to monitor: HTTP, FTP, NNTP, SMB, SMTP, POP3 or IMAP. To select all of them, select Mirroring.
- To detect malicious email content or attachments, select Email BCC. If enabled, the MDS server receives every email as a BCC recipient and checks whether it is malicious. If disabled, SMTP packets are monitored by mirroring to detect malicious email.
2) Detection Log Settings
MDS records the scan results of files collected from mirrored traffic in a log file. To monitor the logs:
Whether compressed files or emails are determined to be malicious depends on the detection log settings. Configure them carefully, because depending on your settings a file may not be classified as malicious.
3) Configure Scan Condition
To set the scan conditions:
- Enter the maximum file size to scan (1 to 300 MB).
- To scan compressed files, select Scan compressed files.
- Enter the maximum number of compression levels (1 to 5). Malicious code scanning is executed only for files compressed the specified number of times or fewer.
- To detect potentially unwanted programs (PUP) as malicious, select Detect as malicious.
- To detect programs that MDS classifies as potentially harmful, such as a keylogger or remote access tool, as malicious, select Detect as malicious.
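The scan conditions above (maximum file size, whether compressed files are scanned, and the maximum number of compression levels) are easiest to understand as a single admission decision applied to each collected file. The following is an added illustration, not AhnLab MDS code: the ScanPolicy, should_scan and zip_nesting_depth names and the exact decision order are assumptions, and the sample files are constructed in memory with nested zip archives. It also shows the caveat a practitioner cares about with nested archives: the depth check stops extracting one level past the configured limit instead of unpacking every layer of a deeply nested file.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Tuple

MB = 1024 * 1024


@dataclass(frozen=True)
class ScanPolicy:
    """Scan-condition settings as described on the policy page (assumed names)."""
    max_file_size_mb: int = 300      # page allows 1 to 300 MB
    scan_compressed: bool = True     # "Scan compressed files"
    max_compression_depth: int = 3   # page allows 1 to 5 compression levels

    def __post_init__(self) -> None:
        # Enforce the ranges the page states for these two settings.
        if not 1 <= self.max_file_size_mb <= 300:
            raise ValueError("maximum file size must be 1 to 300 MB")
        if not 1 <= self.max_compression_depth <= 5:
            raise ValueError("maximum compression depth must be 1 to 5")


def zip_nesting_depth(data: bytes, limit: int) -> int:
    """Return how many times `data` is zipped, capped at limit + 1.

    0 means the bytes are not a zip archive. Recursion stops one level past
    `limit`: that is enough to know the file exceeds the policy without
    decompressing every layer of a deliberately deep archive.
    """
    if limit < 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    deepest = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            deepest = max(deepest, zip_nesting_depth(zf.read(name), limit - 1))
    return 1 + deepest


def should_scan(data: bytes, policy: ScanPolicy) -> Tuple[bool, str]:
    """Decide whether a collected file falls within the configured scan conditions."""
    if len(data) > policy.max_file_size_mb * MB:
        return False, "exceeds maximum file size"
    depth = zip_nesting_depth(data, policy.max_compression_depth)
    if depth == 0:
        return True, "plain file"
    if not policy.scan_compressed:
        return False, "compressed file scanning disabled"
    if depth > policy.max_compression_depth:
        return False, f"compression depth exceeds {policy.max_compression_depth}"
    return True, f"compressed {depth} time(s)"


def nest_zip(payload: bytes, times: int) -> bytes:
    """Constructed sample input: wrap `payload` in `times` nested zip archives."""
    data = payload
    for level in range(times):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"level{level}.bin", data)
        data = buf.getvalue()
    return data


if __name__ == "__main__":
    # Constructed demonstration: a benign payload zipped 0 to 3 times against a
    # policy that allows at most 2 compression levels.
    policy = ScanPolicy(max_file_size_mb=10, scan_compressed=True, max_compression_depth=2)
    sample = b"constructed sample payload, not malware\n" * 100
    for depth in range(4):
        print(depth, should_scan(nest_zip(sample, depth), policy))
```

With the limit set to 2, a file zipped three times is reported as over the limit and is not scanned, which is exactly the behaviour the "maximum number of compression levels" setting describes; lowering the limit therefore trades coverage of nested archives for bounded extraction work.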
4) Dynamic Analysis
To set the virtual machine’s operating system for dynamic analysis:
- Select an operating system: Windows XP, Windows 7 (32/64-bit) or Windows 10 (64-bit). To select all, select Select All.
- To also analyze known malware, select Known malicious codes. Files containing known malware are then run and analyzed on the VM.
- To allow likely normal files to be downloaded, record their analysis results and create a report, select Create likely normal behavior analysis report, then select Executable files or Document File. If this option is not selected, the information is not displayed on the web interface.