Malware Deep Scan is an additional layer of scanning capabilities available to Box Shield Customers.
This Shield feature leverages a deep learning model that analyzes uploaded and existing files for malicious or suspicious payloads, providing superior detection coverage against sophisticated malware that Box's standard scanning may not detect. Coupled with external threat intelligence, Malware Deep Scan enhances protection against known malware and more novel malware possibly uploaded by an internal user or external collaborator.
To get started with Malware Deep Scan, enable the Malicious Content detection rule for your enterprise.
Enabling the Malicious Content detection rule
- In the Admin Console's left pane, click Shield.
- At the top of the Shield window, click Detection Rules.
- In the top-right corner of the Detection Rules window, click Create Rule.
- Click the Malicious Content rule.
- Select how you want Shield to send alerts:
  - To forward alerts to a third-party tool, click Publish alert to Box Event Stream.
  - To alert specific users, under Notify Users, type a comma-separated list of users' account names.
- To restrict downloads, click Restrict download of content. This prevents any user from downloading the file from any Box app; preview and online editing remain available.
- To enable the rule, click Start Rule.
Actions supported for Malware Deep Scan
A Malware Scan is triggered when a new file is uploaded to Box and when an existing file in Box is:
- Updated
- Downloaded
- Previewed
- Shared
- Copied
- Moved
Reviewing Malware Alerts
To view an alert's details:
- In the Admin Console's left pane, click Shield.
- At the top of the window, click Dashboard.
- Filter the alerts for Malicious Content.
- In the alert list table, click an alert.
- Box displays the alert detail page.
The alert detail page displays the following:
- Alert summary: overview of the alert including alert name, alert ID, alert type, risk score, alert created date, any download restrictions imposed, uploader of the malicious file and upload location.
- File details: information regarding file name, file version, file hash, file size, version uploaded date, file created date and last modified date.
- Threat details: Deep Scan and Reputation Scan results, when they were scanned, and malware family and description.
- Geographic activities: location of the account's activity at the time of the alert.
- Uploader activity: summarizes the account's activities, by activity type, at the time of the alert.
- File activity: insights on the file after it was uploaded.
- [New] Marking file as safe: mark low key malicious content as safe.
- [New] Revert to malicious: use when a file that has previously been marked as safe needs to be reverted back to malicious.
- Modifying Files: if the file is marked as safe or reverted to malicious, 2 additional rows are added in file details for commenting and showing the last override.
End User implications
- If a malicious payload is detected when uploading content, a red banner appears above the preview page to warn the end user of the payload.
- Shield malware deep scan metadata is added to the content flagging it as malicious.
- When download restrictions are active, end users are blocked from downloading files and from opening them with a desktop application. See below for modifications:
  - If a file is marked safe, file restrictions are removed, enabling download and opening the file with a desktop application.
  - If a file is reverted to malicious, file restrictions are reinstated, disabling download and opening the file with a desktop application.
File types supported by Malware Deep Scan
File formats supported:
- Macho32FileType
- Macho64FileType
- MachoFATFileType
- XarFileType
- TarFileType
- PDFFileType
- DMGFileType
- RTFFileType
- TTFFileType
- OTFFileType
- ZipFileType
- SevenZipFileType
- EICARType
- RARFileType
- PE32FileType
- PE64FileType
- PEFileType
- TIFFFileType
- JarFileType
- OLEInOOXMLFileType
- GzipFileType