Malware Deep Scan is an additional layer of scanning capabilities available in the Box Shield Threat Detection Malicious Content rule.
This feature leverages a deep learning model that analyzes uploaded and existing files for malicious or suspicious payload, providing superior detection coverage against sophisticated malware that Box's standard scanning may not detect. Coupled with external threat intelligence, Malware Deep Scan enhances protection against known malware and more novel malware possibly uploaded by an internal user or external collaborator.
To get started with Malware Deep Scan, enable the Malicious Content detection rule for your enterprise: Create a Threat Detection rule and select the Malicious Content rule type.
Actions Supported for Malware Deep Scan
A malware scan is triggered when a new file is uploaded to Box and when an existing file in Box is:
- Uploaded
- Downloaded
- Previewed
- Shared
- Copied
- Moved
Reviewing Malware Alerts
To view an alert's details:
- Go to Admin Console > Shield.
- Click the Dashboard tab.
- Filter the alerts for Malicious Content.
- In the alert list table, click an alert.
- Box displays the alert detail page.
The alert detail page displays the following:
- Alert summary: overview of the alert including alert name, alert ID, alert type, risk score, alert created date, any download restrictions imposed, uploader of the malicious file and upload location.
- File details: information regarding file name, file version, file hash, file size, version uploaded date, file created date and last modified date.
- Threat details: Deep Scan and Reputation Scan results, when they were scanned, and malware family and description.
- Geographic activities: location of the account's activity at the time of the alert.
- Uploader activity: summarizes the account's activities, by activity type, at the time of the alert.
- File activity: insights on the file after it was uploaded.
- [New] Marking file as safe: Marking file as safe: mark low key malicious content as safe.
- [New] Revert to malicious if the file has previously been marked as safe needs to be reverted back to malicious.
- Modifying Files: if the file is marked as safe or reverted to malicious, 2 additional rows are added in file details for commenting and showing last override.
End User implications
- If malicious payload is detected when uploading content, a red banner appears above the preview page to warn the end user of the payload.
- Shield malware deep scan metadata is added to the content flagging it as malicious.
- When download restrictions are active, then end users are blocked from downloading and opening files with a desktop application. See below for modifications:
- If a file is marked safe, file restrictions are removed enabling download and opening file with a desktop application.
- If a file is reverted to malicious, file restrictions are reinstated disabling download and opening file with a desktop application.
File types supported by Malware Deep Scan
Note
While we support relatively large file sizes, we recommend you reaching out to your Box representative for more details on file sizes.
Malware Deep Scan analyzes several different file types automatically that can be riskier than everyday file types, and can optionally analyze Microsoft Office files. This section lists some of the file types that can be deep scanned.
| File Category | File Type |
|---|---|
| Compressed/Archive File Types | .7z, .bz2, .gzip,.jar, .rar, .tar, .tar.bz2, .tar.gz, .tar.z, .xar, .zip |
| Executable File Types | .bundle, .dll, .dylib, .elf (ELF 32 & ELF 64 compiled for Intel 80386 & 80360 and AMD x86-64), .exe, Mach-O 32, Mach-O 64, Mach-O ARM, Mach-O FAT, .o, .ocx, PE 32, PE 64, scr, .so, .sys |
| Document File Types | .doc, .docm, .docx, .hwp, .jdt .mht, .pdf .ppt, .pptm, .pptx, .rtf, .sylk, .xls, .xlsm .xlsx |
| Graphic File Types | .tiff |
| Disk Image File Types | .dmg (AppleDisk, KolyDMG, GPTDisk, HFSPlu), ISO9960 |
| Other File Types | EICAR, .lnk, .msg, .otf, .ttf |