Riskware Detection Custom Policy Rules

Riskware detection custom policy rules let you identify objects by suspicious file type and mark them as riskware. The Malware Analysis appliance receives an updated list of riskware policy rules whenever it checks the DTI Cloud for new security content. Both the rule ID and the rule name are unique. Analysis is performed against all matched rules. When at least one matched policy rule is enabled on the Malware Analysis appliance, the appliance generates a riskware alert for a nonmalicious submission and performs no further analysis. The submission status for a riskware alert raised by a policy rule is shown as Custom Riskware in the output of the show submission id command.

The following table describes some of the riskware detection custom policy rules that trigger a riskware alert.

Riskware Policy Rule                                          Description
------------------------------------------------------------  ------------------------------------------------------------
Low Confidence Custom Yara Rule Weights 0-50                  Custom YARA rules whose weight ranges from 0 to 50.
High Confidence Custom Yara Rule Weights 51-100               Custom YARA rules whose weight ranges from 51 to 100.
Non Executable file Connecting to Non-Standard High Port      Nonexecutable files that connect to ports above 1024.
MS Office Document With Macro Activity Dropping a exe file    Microsoft Office files whose macro activity drops a malicious EXE file.
Riskware detection custom policy rule configuration is disabled by default.
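The following is an added illustration, not code from the appliance or its vendor: it models how the four policy rules in the table map onto a submission's observed behaviour, and how the enabled-rule and nonmalicious-submission conditions above decide whether the Custom Riskware status is assigned. The Submission fields, the executable and Office type sets, and the "Malicious" and "Clean" status strings are constructed assumptions for the example.

```python
# Added illustration (not the appliance's own code): models the riskware
# custom policy rules described above. Field names, type sets and the
# non-riskware status strings are constructed assumptions.
from dataclasses import dataclass, field


@dataclass
class Submission:
    """Constructed summary of one sandbox submission."""
    file_type: str                                      # e.g. "pdf", "docx", "exe"
    is_malicious: bool = False                          # already convicted by malware analysis
    yara_weights: list = field(default_factory=list)    # weights of matching custom YARA rules
    remote_ports: list = field(default_factory=list)    # destination ports contacted
    has_macro: bool = False                             # macro activity observed
    dropped_files: list = field(default_factory=list)   # file names written to disk


EXECUTABLE_TYPES = {"exe", "dll", "scr"}                                # assumed
OFFICE_TYPES = {"doc", "docx", "xls", "xlsx", "ppt", "pptx"}            # assumed

# Rule name (as listed in the table) -> predicate over a Submission.
RULES = {
    "Low Confidence Custom Yara Rule Weights 0-50":
        lambda s: any(0 <= w <= 50 for w in s.yara_weights),
    "High Confidence Custom Yara Rule Weights 51-100":
        lambda s: any(51 <= w <= 100 for w in s.yara_weights),
    "Non Executable file Connecting to Non-Standard High Port":
        lambda s: s.file_type not in EXECUTABLE_TYPES
                  and any(p > 1024 for p in s.remote_ports),
    "MS Office Document With Macro Activity Dropping a exe file":
        lambda s: s.file_type in OFFICE_TYPES and s.has_macro
                  and any(f.lower().endswith(".exe") for f in s.dropped_files),
}


def evaluate(sub, enabled):
    """Return (status, matched rule names).

    Every rule is evaluated (analysis runs against all matched rules), but a
    riskware alert is raised only when at least one *enabled* rule matches on
    a submission that malware analysis did not already convict.
    """
    matched = [name for name, pred in RULES.items() if pred(sub)]
    if sub.is_malicious:
        return "Malicious", matched          # riskware rules apply only to nonmalicious submissions
    if any(name in enabled for name in matched):
        return "Custom Riskware", matched    # status shown by "show submission id"
    return "Clean", matched                  # matches on disabled rules raise no alert
```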