From ceb5ccc486eda271570c3af89e8ab2689c49e587 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 23 Oct 2024 16:52:57 -0500 Subject: [PATCH 1/4] Add additional context --- .../policies/gateway/http-policies/file-sandboxing.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx index f299288aa1d6c88..cf166e46e96a026 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx 
@@ -13,7 +13,7 @@ Only available on Enterprise plans. For more information, contact your account t In addition to [anti-virus (AV) scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware. -While the files are quarantined, Gateway will present a scanning page to your users. If a file passes scanning, Gateway will release the file from quarantine and download it to your user's device. If the file contains malware, Gateway will block the request and log the match as a Block decision in your [HTTP logs](/cloudflare-one/insights/logs/gateway-logs/#http-logs). +When your users download a file, Gateway will first scan the file with AV scanning. If AV scanning detects malware, Gateway will block the download and log the result. If AV scanning does not detect malware, Gateway will send the file to the sandbox. While in the sandbox, Gateway will monitor the inputs and outputs of the file. While the files are quarantined, Gateway will present a scanning page to your users. If a file passes scanning, Gateway will release the file from quarantine and download it to your user's device. If the file contains malware, Gateway will block the request and log the match as a Block decision in your [HTTP logs](/cloudflare-one/insights/logs/gateway-logs/#http-logs). ## Get started From 5cce55f0ab5356d7341824fd1cf865ca850e7aea Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Mon, 28 Oct 2024 17:06:56 -0500 Subject: [PATCH 2/4] Add Mermaid chart --- .../gateway/http-policies/file-sandboxing.mdx | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx index cf166e46e96a026..a5b1f0867c8e8ee 100644 
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx @@ -15,6 +15,32 @@ In addition to [anti-virus (AV) scanning](/cloudflare-one/policies/gateway/http- When your users download a file, Gateway will first scan the file with AV scanning. If AV scanning detects malware, Gateway will block the download and log the result. If AV scanning does not detect malware, Gateway will send the file to the sandbox. While in the sandbox, Gateway will monitor the inputs and outputs of the file. While the files are quarantined, Gateway will present a scanning page to your users. If a file passes scanning, Gateway will release the file from quarantine and download it to your user's device. If the file contains malware, Gateway will block the request and log the match as a Block decision in your [HTTP logs](/cloudflare-one/insights/logs/gateway-logs/#http-logs). +```mermaid +flowchart TD + A(["User starts file download"]) --> B["File sent to AV scanner"] + B --> C["Malicious file detected?"] + C -- Yes --> D["Download blocked"] + C -- No --> G["File sent to sandbox"] + G --> n1["First time file appears?"] + K["Malicious activity detected?"] -- Yes --> N["Download blocked"] + K -- No --> n3["Download allowed"] + n1 -- Yes --> n2["Interstitial page displayed for user during scan"] + n2 --> K + n1 -- No --> K + + B@{ shape: subproc} + C@{ shape: diam} + D@{ shape: terminal} + n1@{ shape: diam} + K@{ shape: diam} + N@{ shape: terminal} + n3@{ shape: terminal} + n2@{ shape: display} + style D stroke:#D50000 + style N stroke:#D50000 + style n3 stroke:#00C853 +``` + ## Get started To begin quarantining downloaded files, turn on file sandboxing: From 00a242e71c0dd744ef3943b136a973c9e4998b8b Mon Sep 17 00:00:00 2001 
From: Max Phillips Date: Tue, 29 Oct 2024 15:47:52 -0500 Subject: [PATCH 3/4] Improve text procedure --- .../gateway/http-policies/file-sandboxing.mdx | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx index a5b1f0867c8e8ee..fd014ecf745ce04 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx 
@@ -13,7 +13,9 @@ Only available on Enterprise plans. For more information, contact your account t In addition to [anti-virus (AV) scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware. -When your users download a file, Gateway will first scan the file with AV scanning. If AV scanning detects malware, Gateway will block the download and log the result. If AV scanning does not detect malware, Gateway will send the file to the sandbox. While in the sandbox, Gateway will monitor the inputs and outputs of the file. While the files are quarantined, Gateway will present a scanning page to your users. If a file passes scanning, Gateway will release the file from quarantine and download it to your user's device. If the file contains malware, Gateway will block the request and log the match as a Block decision in your [HTTP logs](/cloudflare-one/insights/logs/gateway-logs/#http-logs). +If AV scanning does not detect malware in a file download, Gateway will quarantine the file in the sandbox. If the file has not been downloaded before, Gateway will monitor the inputs and outputs of the file and display an interstitial page for the user. If the sandbox does not detect malicious activity, Gateway will release the file from quarantine and download it to your user's device. If the sandbox detects malicious activity, Gateway will block the download. For any subsequent downloads of the file, Gateway will remember and apply the allow/block decision. + +Gateway will log any file sandbox decisions in your [HTTP logs](/cloudflare-one/insights/logs/gateway-logs/#http-logs). ```mermaid flowchart TD 
@@ -21,21 +23,23 @@ flowchart TD B --> C["Malicious file detected?"] C -- Yes --> D["Download blocked"] C -- No --> G["File sent to sandbox"] - G --> n1["First time file appears?"] + G --> n1["First time file downloaded?"] K["Malicious activity detected?"] -- Yes --> N["Download blocked"] K -- No --> n3["Download allowed"] - n1 -- Yes --> n2["Interstitial page displayed for user during scan"] - n2 --> K + n2["Interstitial page displayed for user during scan"] --> n4["File activity monitored"] + n1 -- Yes --> n2 + n4 --> K n1 -- No --> K B@{ shape: subproc} - C@{ shape: diam} + C@{ shape: hex} D@{ shape: terminal} - n1@{ shape: diam} - K@{ shape: diam} + n1@{ shape: hex} + K@{ shape: hex} N@{ shape: terminal} n3@{ shape: terminal} n2@{ shape: display} + n4@{ shape: rect} style D stroke:#D50000 style N stroke:#D50000 style n3 stroke:#00C853 From 1325d252f5e8ae81173dc0a26a51a0506e293cb6 Mon Sep 17 00:00:00 2001 From: Max Phillips Date: Wed, 30 Oct 2024 14:51:34 -0500 Subject: [PATCH 4/4] Add more info about input/output scan --- .../policies/gateway/http-policies/file-sandboxing.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx index fd014ecf745ce04..d5e257970d70f05 100644 --- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx +++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/file-sandboxing.mdx 
@@ -13,7 +13,7 @@ Only available on Enterprise plans. For more information, contact your account t In addition to [anti-virus (AV) scanning](/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/), Gateway can quarantine previously unseen files downloaded by your users into a sandbox and scan them for malware. -If AV scanning does not detect malware in a file download, Gateway will quarantine the file in the sandbox. If the file has not been downloaded before, Gateway will monitor the inputs and outputs of the file and display an interstitial page for the user. If the sandbox does not detect malicious activity, Gateway will release the file from quarantine and download it to your user's device. If the sandbox detects malicious activity, Gateway will block the download. For any subsequent downloads of the file, Gateway will remember and apply the allow/block decision. +If AV scanning does not detect malware in a file download, Gateway will quarantine the file in the sandbox. If the file has not been downloaded before, Gateway will monitor any actions taken by the file and compare them to known malware patterns. During this process, Gateway will display an interstitial page in the user's browser. If the sandbox does not detect malicious activity, Gateway will release the file from quarantine and download it to your user's device. If the sandbox detects malicious activity, Gateway will block the download. For any subsequent downloads of the file, Gateway will remember and apply its allow/block decision. Gateway will log any file sandbox decisions in your [HTTP logs](/cloudflare-one/insights/logs/gateway-logs/#http-logs).
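Review bot: In PATCH 1/4 (hunk `@@ -13,7 +13,7 @@`), the added sentence "If AV scanning detects malware, Gateway will block the download and log the result" sits in front of the retained sentence "If the file contains malware, Gateway will block the request and log the match as a Block decision", so the paragraph now describes two block-and-log outcomes without saying which scanning stage each one belongs to. Name the sandbox explicitly in the retained sentence, and say whether the AV result is recorded in the same HTTP logs. The added "monitor the inputs and outputs of the file" also needs a short definition of what counts as an input or output here.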
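Review bot: In PATCH 2/4 (hunk `@@ -15,6 +15,32 @@`), the chart sends every AV-clean file through `G["File sent to sandbox"]` before asking `n1["First time file appears?"]`, while the page's introduction says Gateway quarantines "previously unseen files", so a reader cannot tell whether previously seen files enter the sandbox at all. Either move the first-time check ahead of `G` or relabel `G` so that it matches the introduction. As a smaller style point, the node IDs mix single letters (`A`, `B`, `K`, `N`) with `n1`, `n2`, `n3`, and the `K` edges are declared before the `n1` edges that lead to them; one naming scheme and declaration in flow order would make the source easier to follow.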
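Review bot: In PATCH 3/4 (first hunk, `@@ -13,7 +13,9 @@`), the rewritten paragraph opens with "If AV scanning does not detect malware" and no longer states what happens when AV scanning does detect malware; that outcome now appears only in the chart. Keep one sentence for the AV block path. The new log sentence "Gateway will log any file sandbox decisions" also drops the earlier wording "as a Block decision", so it no longer tells the reader which value to look for in the HTTP logs, and it does not say how an allowed file is recorded. State the logged decision value for both outcomes.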
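Review bot: In PATCH 3/4 (second hunk, `@@ -21,21 +23,23 @@`), the unchanged edge `n1 -- No --> K` still routes a previously downloaded file to `K["Malicious activity detected?"]`, which reads as a fresh analysis, while the paragraph added in the same patch says "Gateway will remember and apply the allow/block decision". Give the "No" branch its own node for applying the stored decision, or relabel `K` so that it covers both a new verdict and a remembered one. The hunk also changes the decision nodes `C`, `n1` and `K` from `diam` to `hex`, which the commit subject "Improve text procedure" does not explain; add the reason to the commit message or keep the diamond shape for the question nodes.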
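Review bot: In PATCH 4/4 (hunk `@@ -13,7 +13,7 @@`), the new sentence "During this process, Gateway will display an interstitial page in the user's browser" does not say what happens to a download that is not made in a browser, where no interstitial page can be shown. Add a sentence covering that case. The same sentence describes the page as shown during monitoring, but the chart from PATCH 3/4 draws `n2` (interstitial) leading into `n4` (file activity monitored) as sequential steps, so the text and the chart should be aligned. The paragraph also switches between "the user's browser" and "your user's device"; pick one form.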