
Malicious / Suspicious Files

Files are the most common attack vector used by threat actors. Security solutions such as secure web gateways rely primarily on threat feeds and URL categorization, which at times are not sufficient to protect an enterprise. Attackers can easily disguise the content of a file and serve it from known or broadly classified domains, evading content-specific checks and URL categorization-based checks respectively.

SquareX’s in-browser file analysis engine hooks into every file download and is capable of detecting potentially malicious content. Enterprises can even define granular policies for encrypted files, for example requiring the user to provide the decryption password so that the in-browser scan can run, and allowing the file to be downloaded or viewed only once it is deemed safe. Combined with available site properties such as domain age, number of redirects, and many more, this lets an enterprise design a robust policy for blocking file-based threats.

Additionally, SquareX also incorporates popular threat feeds to block known malicious files.

Block download of files when file scanner verdict is malicious / suspicious

SquareX's in-browser malicious document detection is capable of looking through a macro-enabled Office document's file structure and source code to flag the use of invasive functions, tampering, and AV-evasion tactics. Files deemed malicious or suspicious by SquareX's file scanner pose a threat to user systems; blocking these downloads ensures that potentially harmful files are not executed. Admins can prompt ‘Block download of files when file scanner verdict is malicious / suspicious’ to create this policy. The outcome will be:

Block files containing VBA Macro

Files with embedded code, such as macros, can execute harmful scripts when opened. Blocking these files ensures that any potentially malicious macros are contained and cannot harm the user's system. Admins can leverage the policy generator by prompting ‘Block Files with VBA Macros’ to establish this policy. The expected outcome is:

Block download of files with file type mismatch

Attackers often evade security solutions by altering file extensions and sending malicious files via email or other communication channels. These platforms, optimised for delivery, typically do not perform in-depth file scanning, allowing potentially harmful files to slip through. SquareX detects signs of file tampering to ensure that such files do not reach the user’s device. For instance, a file whose declared type does not match its actual content can disguise malicious content such as an .exe as a more 'harmless' PDF. Blocking these downloads prevents users from opening harmful files that appear benign. Using the policy-generating copilot, admins can prompt ‘Block Download of Files with File Type Mismatch’ to generate the appropriate policy. The expected outcome would be:
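As an added illustration of the two checks described above (VBA macro presence and file type mismatch), and not SquareX's own engine code: a small Python policy that compares a download's claimed extension against its leading magic bytes and inspects OOXML (zip) containers for a vbaProject.bin part. The signature subset and the sample archive are constructed for the demo.

```python
import io
import zipfile
# Extensions legitimately backed by a zip container (constructed subset, not SquareX's table).
ZIP_EXTS = {"zip", "docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}

def sniff_type(data: bytes):
    """Container type implied by the leading bytes (magic), or None if unknown."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"MZ"):          # DOS/PE header of a Windows executable
        return "exe"
    if data.startswith(b"PK\x03\x04"):  # zip local-file header; OOXML documents are zips
        return "zip"
    return None

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a type that the magic bytes contradict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sniffed = sniff_type(data)
    if sniffed is None:
        return False                    # unknown container: nothing to compare against
    return ext not in ZIP_EXTS if sniffed == "zip" else ext != sniffed

def has_vba_macro(data: bytes) -> bool:
    """True for an OOXML container that carries a VBA project part."""
    if sniff_type(data) != "zip":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False                    # truncated or corrupt archive: no readable macro part

def verdict(filename: str, data: bytes) -> str:
    """Policy decision for one download: type mismatch first, then macro presence."""
    if extension_mismatch(filename, data):
        return "block: file type mismatch"
    if has_vba_macro(data):
        return "block: VBA macro"
    return "allow"

def build_docm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped archive for the demo; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

A real engine would carry a far larger signature table and parse the VBA streams themselves; this shows only the ordering of the two policy checks.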

Block download of files more than 2GB in size

If your enterprise's endpoint security solution has limits on the file size it can scan effectively, admins can create a policy to block downloads of files that exceed the scanning limit. To do so, they can prompt ‘Block Downloads of Files Larger than 2GB’. The outcome will be: