Best Practices for APT Blocker
- Enable APT Blocker on proxy policies for HTTP, FTP, and SMTP traffic.
- Even low-level malware detected by APT is a threat to your network, so make sure to use the Drop action for all threat levels in the global APT Blocker configuration.
- For best results, make sure your Firebox device is configured to use an NTP server to ensure the time on your device matches the Lastline cloud servers.
For more information on how to configure APT Blocker, see Configure APT Blocker.
Enable Logging for Reports
To make sure APT Blocker activity is logged for reports:
All reports for APT Blocker are available in WatchGuard Dimension.
APT Blocker activity appears in these Dimension utilities and reports:
- Security Dashboard
- Executive Summary Report
- APT Blocker Summary and Detail Reports
- PCI Compliance Report
For more detailed information on Dimension reports and their contents, see About Dimension Reports.
Enable APT Blocker Notifications
When an APT malware threat is detected, it is very important that you are notified of the event. To configure APT Blocker notifications:
Processing Order and Actions
Incoming files are processed by security services in this order:
Gateway AntiVirus > APT Blocker > Data Loss Prevention
APT Blocker checks only occur when the file is allowed by Gateway AntiVirus scanning. Data Loss Prevention actions are only applied if Gateway AV or APT Blocker allowed the file.
The maximum size of files that APT Blocker sends to Lastline for analysis is based on the Gateway AntiVirus scan limit. Lastline accepts files of up to 10 MB in size for analysis. If you set the Gateway AntiVirus scan limit higher than 10 MB, APT Blocker does not send files larger than 10 MB to Lastline and instead generates the log message "file size exceeds the submission size limit".
Troubleshoot APT Blocker File Submission
When a file is first examined, APT Blocker computes its MD5 hash and checks it against previously analyzed files. If there is no match, the file must be submitted to the Lastline data center for analysis.
When the file is submitted successfully, it is assigned a task UUID as a reference, which is included in the log message:
Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)
When the file has been submitted to the Lastline data center and is identified as a threat, this event log message is generated to inform you that the APT Blocker notification has been sent:
APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 126.96.36.199 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe'
This type of log message appears when APT Blocker detects a threat. The log message specifies the threat level, threat name, threat class, malicious activities, destination hostname, and URI path.
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 msg="ProxyDrop: HTTP APT Detected" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"
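To make the three message shapes above usable for triage, the following Python parser (an added example, not WatchGuard code or output from a real Firebox) extracts the `key="value"` fields from the proxy lines and the `Details='...'` payload from the notification event, then correlates submissions with later threat notifications by task UUID. The sample lines are the ones quoted above; the "file size exceeds the submission size limit" line is constructed, and its field layout is an assumption, since the page quotes only the message text.

```python
import re

# Quoted-field form used by the proxy log lines: key="value"
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Action, interfaces, protocol, IPs and ports precede the first key="value" field
HEADER_RE = re.compile(
    r'^(?P<action>Allow|Deny)\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+(?P<proto>\S+)\s+'
    r'(?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+(?P<src_port>\d+)\s+(?P<dst_port>\d+)\s'
)
# Field names inside the Details='...' payload of the "APT threat notified" event
DETAIL_KEYS = ["Policy Name", "Reason", "Task_UUID", "Source IP", "Source Port",
               "Destination IP", "Destination Port", "Proxy Type", "Proxy Host", "Path"]
_KEYS_ALT = "|".join(re.escape(k) for k in DETAIL_KEYS)
# Values may contain spaces, so each value runs until the next known key or end of string
DETAIL_RE = re.compile(r"(?P<key>" + _KEYS_ALT + r"): (?P<val>.*?)(?= (?:" + _KEYS_ALT + r"): |$)")

# Constructed sample input: the three messages quoted above plus one size-limit line
# whose layout is assumed (only the quoted message text comes from the documentation).
SAMPLE_LOGS = [
    'Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 '
    'msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" '
    'host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" '
    'task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)',
    "APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected "
    "Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 "
    "Destination IP: 126.96.36.199 Destination Port: 443 Proxy Type: HTTP "
    "Proxy Host: analysis.lastline.com Path: /docs/lastline-demo-sample.exe'",
    'Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 '
    'msg="ProxyDrop: HTTP APT Detected" proxy_act="HTTP-Client.1" host="192.168.3.30" '
    'path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"',
    # constructed line; the exact Firebox layout for this message is an assumption
    'Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 50001 80 '
    'msg="ProxyAllow: HTTP file size exceeds the submission size limit" proxy_act="HTTP-Client.1" '
    'host="192.168.3.30" path="/big/installer.exe"',
]


def parse_line(line):
    """Return a dict describing one APT Blocker log line, or None for unrelated lines."""
    if line.startswith("APT threat notified."):
        m = re.search(r"Details='(.*)'", line)
        fields = dict(DETAIL_RE.findall(m.group(1))) if m else {}
        return {"event": "notified", "task_uuid": fields.get("Task_UUID"),
                "src_ip": fields.get("Source IP"), "host": fields.get("Proxy Host"),
                "path": fields.get("Path"), "reason": fields.get("Reason"), "md5": None}
    hdr = HEADER_RE.match(line)
    if not hdr:
        return None
    kv = dict(KV_RE.findall(line))
    msg = kv.get("msg", "")
    if "File submitted to APT analysis server" in msg:
        event = "submitted"
    elif "APT Detected" in msg:
        event = "detected"          # file dropped by the proxy action
    elif "exceeds the submission size limit" in msg:
        event = "too_large"         # never analyzed by Lastline: worth a second look
    else:
        return None                 # ordinary proxy traffic, not an APT Blocker event
    return {"event": event, "action": hdr["action"], "src_ip": hdr["src_ip"],
            "host": kv.get("host"), "path": kv.get("path"), "md5": kv.get("md5"),
            "task_uuid": kv.get("task_uuid")}


def correlate(lines):
    """Summarize APT Blocker events: dropped hashes, unanalyzed files, and submissions
    for which no threat notification with the same task UUID has been seen."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_uuid = {}
    for e in events:
        if e["task_uuid"]:
            by_uuid.setdefault(e["task_uuid"], set()).add(e["event"])
    return {
        "dropped_md5": [e["md5"] for e in events if e["event"] == "detected"],
        "unanalyzed": [e["path"] for e in events if e["event"] == "too_large"],
        "notified": [e["task_uuid"] for e in events if e["event"] == "notified"],
        "awaiting_verdict": sorted(u for u, evs in by_uuid.items()
                                   if "submitted" in evs and "notified" not in evs),
    }


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The `awaiting_verdict` list is a triage heuristic, not a Firebox status: a submission with no later notification may simply have been judged clean, so it flags files to look up by task UUID rather than confirmed threats. The `too_large` bucket exists because files over the submission limit are never analyzed by Lastline, which is the gap the "Processing Order and Actions" section warns about.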