Custom Whitelists, Blacklists, and Passwords
The Malware Analysis appliance supports three custom analysis lists: whitelist, blacklist, and password. The lists let you control which types of rules are applied and what they contain. A whitelist is equivalent to an allowed list. A blacklist is equivalent to a blocked list. A password blacklist is equivalent to a common password-guessing list that is tried in a dictionary attack.
Whitelist
A whitelist allows you to control which files or objects that contain an attachment can be bypassed based on the matched known rule entries. No further analysis is performed. The Malware Analysis appliance does not analyze an attachment within a file or object for malicious content if it contains a signature ID, SHA-256 hash file, or URL that you defined and added to the appliance database. Whitelisting allows you to eliminate false positives and to suppress rules through the entries that you define.
Blacklist
A blacklist allows you to control which files or objects that contain an attachment must be considered malicious based on the matched known rule entries. The Malware Analysis appliance immediately marks the attachment within a file or object as malicious if it includes a SHA-256 hash file or URL that you defined and added to the appliance database. No further analysis is performed.
Password Blacklist
A password blacklist allows you to control which passwords are prohibited based on the matched password entries that you defined and added to the appliance database. A password blacklist contains a list of common passwords that are not allowed because they are frequently used or easily guessed.
Task List for Managing Custom Whitelists, Blacklists, and Passwords
Complete the steps for managing custom whitelists, blacklists, and passwords in the following order:
- Log in to the CLI to configure the custom analysis actions.
- Add rules to a custom whitelist. See Adding or Deleting a Custom Whitelist Rule Using the CLI.
- Add rules to a custom blacklist. See Adding or Deleting a Custom Blacklist Rule Using the CLI.
- Add passwords to a custom password blacklist. See Adding or Deleting a Custom Password Using the CLI.
- View the specified URLs that you added to the custom whitelist. Use the show analysis custom whitelist urls command. View the specified signature ID and SHA-256 hash file that you added to the custom whitelist. Use the show analysis custom whitelist command.
- View the specified SHA-256 hash file and the associated SHA-256 signature that you added to the custom blacklist. Use the show analysis custom blacklist command. View the specified URLs that you added to the custom blacklist. Use the show analysis custom blacklist urls command.
- View the status of the custom password configuration. Use the show analysis custom password command.