Retroactive Detection

Retroactive detection allows you to identify malicious objects that were previously missed. With retroactive detection, the Malware Analysis appliance compares past submissions with updated security content. If new malicious objects or riskware are detected, the appliance generates an alert.

This feature uses SHA-256 hashes for attachments and URLs to detect objects.

The appliance receives a list of SHA-256 hashes from the DTI network through security content updates. The hashes are compared against a list of submissions from the database that were previously determined to be nonmalicious. By default, the retroactive hunt time period is unlimited. If the hash is detected as malicious, the Malware Analysis appliance generates a retroactive alert.

When the Malware Analysis appliance detects a SHA-256 match after a security content update from the DTI Cloud, a previously undetected attachment whose hash is now blacklisted is retroactively marked as malicious and the appliance sends an alert.
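The hunt described above, as an added illustration that is not the appliance's own code: past submissions judged clean are re-checked against an updated SHA-256 list, with an optional hunt window (None mirrors the default of an unlimited period). The data model, sample attachments and hash update are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Submission:
    """One past analysis result in the appliance database (constructed model)."""
    object_id: str
    sha256: str            # hex digest of the attachment (or URL)
    submitted_at: datetime
    verdict: str           # "clean" or "malicious"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def retroactive_hunt(submissions: Iterable[Submission], updated_hashes: Set[str],
                     now: datetime, hunt_window: Optional[timedelta] = None) -> List[Dict]:
    """Return a retroactive alert for every previously clean submission whose
    hash appears in the updated security content; None = unlimited hunt period."""
    alerts = []
    for sub in submissions:
        if sub.verdict != "clean":
            continue                       # already detected; nothing to re-flag
        if hunt_window is not None and now - sub.submitted_at > hunt_window:
            continue                       # outside the configured hunt period
        if sub.sha256.lower() in updated_hashes:
            alerts.append({"object_id": sub.object_id, "sha256": sub.sha256,
                           "original_verdict": "clean", "alert": "retroactive"})
    return alerts


# Constructed sample data; these are not real indicators.
NOW = datetime(2024, 1, 10, 12, 0)
ATTACHMENTS = {"msg-001": b"constructed attachment A",
               "msg-002": b"constructed attachment B",
               "msg-003": b"constructed attachment C"}
SUBMISSIONS = [
    Submission("msg-001", sha256_hex(ATTACHMENTS["msg-001"]), NOW - timedelta(days=2), "clean"),
    Submission("msg-002", sha256_hex(ATTACHMENTS["msg-002"]), NOW - timedelta(days=40), "clean"),
    Submission("msg-003", sha256_hex(ATTACHMENTS["msg-003"]), NOW - timedelta(days=1), "malicious"),
]
# Constructed security content update: all three hashes are now blacklisted.
UPDATED_HASHES = {sha256_hex(data) for data in ATTACHMENTS.values()}


def demo(hunt_window: Optional[timedelta] = None) -> List[Dict]:
    return retroactive_hunt(SUBMISSIONS, UPDATED_HASHES, NOW, hunt_window)
```

With the default unlimited window both clean submissions alert; with a 30-day window only the recent one does, and the already-malicious submission never produces a retroactive alert.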

When Advanced URL Defense is enabled on the appliance, the Malware Analysis appliance can alert on previously undetected URLs. The Malware Analysis appliance sends the suspicious URLs to the FireEye Advanced URL Detection Engine (FAUDE) for analysis. When the Malware Analysis appliance is deployed in block mode and enabled to rewrite URLs within an email message, URLs are rewritten and the email will be delivered to the recipient. If a verdict is returned later from FAUDE that the URL is malicious, the Malware Analysis appliance generates a retroactive alert.

When riskware detection is enabled on the appliance, retroactive riskware detection is enabled by default. Types of riskware include Potentially Unwanted Programs (PUPs), Potentially Unwanted Applications (PUAs), adware, and hacker tools. You must enable at least one matched policy rule on the Malware Analysis appliance. If an earlier submission is now identified as riskware, you can choose to have the appliance either generate a riskware alert on the submission or block the email from being delivered to the intended recipient. For details about riskware, see Riskware. For details about how to enable or disable riskware detection custom policy rules, see Enabling or Disabling Riskware Detection Custom Policy Rules. For details about how to enable or disable blocking emails based on riskware detection, see Enabling or Disabling Riskware Detection.

Task List for Managing Retroactive Detection

Complete the steps for managing retroactive detection in the following order:

  1. Log in to the CLI.
  2. Validate DTI access on the Malware Analysis appliance by using the show fenet status command. For details about how to validate DTI access, refer to the Malware Analysis System Administration Guide.
  3. Enable Advanced URL Defense.
  4. When the Malware Analysis appliance is deployed in block mode, enable rewriting URLs within a message.
  5. Track the total number of malware object alerts that are related to retroactive detection by using the What's Happening panel of the Malware Analysis Dashboard.