Virtual Analyzer is a cloud sandbox designed for analyzing suspicious files and URLs. Sandbox images allow observation of file and URL behavior in an environment that simulates endpoints on your network without any risk of compromising the network.

Virtual Analyzer works in conjunction with Threat Connect, the Trend Micro global intelligence network that provides actionable information and recommendations for dealing with threats.

Cloud App Security sends suspicious files (including email attachments and uploaded files) and URLs (included in files and email message bodies) to Virtual Analyzer when a file or URL exhibits suspicious characteristics and signature-based scanning technologies cannot find a known threat. Virtual Analyzer performs static analysis and behavior simulation in various runtime environments to identify potentially malicious characteristics. During analysis, Virtual Analyzer rates the characteristics in context and then assigns a risk level to the sample based on the accumulated ratings.
Note
A suspicious object is a known malicious or potentially malicious IP address, domain, URL, SHA-1 value, SHA-256 value, or sender address found in submitted samples. Trend Micro Threat Connect correlates suspicious objects detected in your environment and threat data from the Trend Micro Smart Protection Network to provide relevant and actionable intelligence.
Configuring Virtual Analyzer
Procedure
- Select Virtual Analyzer.
- Enable Virtual Analyzer.
  Note
  It takes three minutes on average for Virtual Analyzer, if enabled, to analyze and identify the risk of an attachment or file, and the time could be as long as 30 minutes for some files.
- Optionally select the Monitor and log only check box to enable Virtual Analyzer to work in monitor mode.
  Note
  - This option is not available for Gmail.
  - Virtual Analyzer in monitor mode still analyzes the suspicious URLs, email messages, and files that Cloud App Security sends to it; however, Cloud App Security only records the results in logs and delivers the items to end users without taking any of the actions configured here. This lets you evaluate the Virtual Analyzer capability with zero impact on mail flow and file sharing.
  - If Virtual Analyzer in monitor mode is enabled, none of the following settings apply, except that Cloud App Security still notifies administrators upon detection of security risks if this is enabled in Action.
- Configure rule settings.
  Setting: Analyze the following
  Description: Select the type of objects that Virtual Analyzer applies to.
  - Files
    Note
    This check box is selected by default and cannot be cleared.
  - URLs
    Note
    - This check box can be selected only when Web Reputation is enabled.
    - If Web Reputation is disabled, this check box is cleared automatically.
  Setting: Apply to (Exchange Online and Gmail only)
  Description: Select the scope of email messages that Virtual Analyzer applies to.
  - All messages: this policy applies to incoming, outgoing, and internal email messages. Incoming/outgoing email messages are sent from/to non-internal domains.
  - Incoming messages: this policy applies only to incoming email messages sent from non-internal domains.
  Note
  For details about internal domains, see Configuring the internal domain list.
  For Exchange Online (Inline Mode), the scope is fixed to Inbound messages for inbound protection and Outbound messages for outbound protection. Inbound messages are sent from outside your organization to an address inside the organization, while outbound messages are sent from your organization to external addresses.
- Click Approved/Blocked List.
- (Exchange Online and Gmail only) Configure the approved sender list.
  - Enable the approved sender list.
  - Specify a sending email address or domain to bypass Virtual Analyzer scanning and click Add >.
    Note
    You can use the wildcard character (*) to represent any characters in the email address or domain name. Examples: *@example.com, name@*.com, *@*.example.com
    The following formats are invalid: *@*, *
  - Optionally click Import to import sender email addresses in batches.
- Configure Approved File List to add files that you do not want to send for further analysis by Virtual Analyzer.
  Note
  In this release, this option is not available for Microsoft Teams (Chat).
  - Enable the approved file list.
  - Specify the file name to exclude from scanning and click Add >.
    Note
    You can use the wildcard character (*) to represent any characters in the file name. Examples: *.exe, file*.exe, file*
    The following formats are invalid: *.*, *
    File names are case-insensitive, cannot exceed 255 characters, and cannot contain any of the following characters: / \ : ? < > " |
    A maximum of 1,024 file names is supported.
  - Optionally click Import to import file names in batches.
  - Optionally click Export to export the specified file names as a .txt file.
- Click Action & Notifications.
- Configure Action settings.
  Virtual Analyzer assigns a risk level to analyzed files based on the file's behavior in the virtual sandbox. Select the action based on this assigned risk level.
  For details about the actions, see Actions available for different services.
- Configure Notification settings.
  Option: Notify administrator
  Description:
  - Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups.
  - Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.
  - Set the notification threshold, which limits the number of notification messages to send. Threshold settings include:
    - Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).
    - Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.
    - Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.
  Option: Notify User
  Description:
  - Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.
  - SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file.
  - Teams Chat: Cloud App Security does not provide this option. When a chat message is blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages.
  Note
  When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token list.
- Click Save or select another policy configuration on the left navigation to continue with additional rules.
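The approved sender list and approved file list steps above state the wildcard syntax, the invalid forms, and the file-name limits, but anyone preparing an Import file in bulk will want to check entries before uploading them, and will want to know exactly which messages or files an entry would exempt from Virtual Analyzer scanning (an over-broad entry silently widens the bypass). The following is an added example, not Trend Micro code, that applies the documented rules: only * is a wildcard, the listed invalid forms (*@*, *, *.*) are rejected, file names are case-insensitive, limited to 255 characters, may not contain / \ : ? < > " |, and at most 1,024 are accepted. Two points go beyond the text and are assumptions: a pattern made up only of wildcards and separators is rejected (this generalizes the four listed invalid forms), and a bare domain entry is matched against the domain part of the sender address; the sample entries are constructed for illustration.

```python
"""Validator and matcher for Virtual Analyzer approved-list wildcard entries.

Added example, not Trend Micro code. It implements the rules stated in the
Cloud App Security documentation for the approved sender list and the
approved file list; anything beyond those rules is marked as an assumption.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Rules taken from the documentation
INVALID_SENDER_PATTERNS = {"*@*", "*"}
INVALID_FILE_PATTERNS = {"*.*", "*"}
FORBIDDEN_FILE_CHARS = set('/\\:?<>"|')
MAX_FILE_NAME_LEN = 255
MAX_FILE_ENTRIES = 1024


def _has_literal(pattern: str, separators: str) -> bool:
    """Assumption: a usable pattern contains at least one character that is
    neither the wildcard nor a separator. This covers the documented invalid
    forms (*, *@*, *.*) without rejecting any documented valid example."""
    return any(c not in "*" + separators for c in pattern)


def validate_sender_pattern(pattern: str) -> Optional[str]:
    """Return None if the entry is acceptable, otherwise the reason it is not."""
    p = pattern.strip()
    if not p:
        return "empty entry"
    if p in INVALID_SENDER_PATTERNS or not _has_literal(p, "@."):
        return "pattern would match every sender"
    if p.count("@") > 1:
        return "more than one @ in entry"  # assumption: one address or domain per line
    return None


def validate_file_pattern(pattern: str) -> Optional[str]:
    """Return None if the entry is acceptable, otherwise the reason it is not."""
    p = pattern.strip()
    if not p:
        return "empty entry"
    if p in INVALID_FILE_PATTERNS or not _has_literal(p, "."):
        return "pattern would match every file"
    if len(p) > MAX_FILE_NAME_LEN:
        return f"longer than {MAX_FILE_NAME_LEN} characters"
    bad = sorted(FORBIDDEN_FILE_CHARS & set(p))
    if bad:
        return "forbidden characters: " + " ".join(bad)
    return None


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the documented '*' wildcard (and nothing else) into a compiled
    case-insensitive regex; every other character is matched literally."""
    body = ".*".join(re.escape(chunk) for chunk in pattern.strip().split("*"))
    return re.compile(body, re.IGNORECASE)


def sender_matches(pattern: str, address: str) -> bool:
    """An entry containing '@' is compared with the whole address; a bare
    domain entry is compared with the domain part only (assumption)."""
    regex = wildcard_to_regex(pattern)
    subject = address if "@" in pattern else address.rpartition("@")[2]
    return regex.fullmatch(subject) is not None


def file_matches(pattern: str, file_name: str) -> bool:
    """File names are case-insensitive per the documentation."""
    return wildcard_to_regex(pattern).fullmatch(file_name) is not None


def check_import(entries: Iterable[str],
                 validator: Callable[[str], Optional[str]],
                 max_entries: Optional[int] = None) -> Tuple[List[str], Dict[str, str]]:
    """Validate a batch as it would be read from an Import file.

    Returns (accepted, rejected); rejected maps each bad entry to its reason.
    """
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    for entry in entries:
        reason = validator(entry)
        if reason:
            rejected[entry] = reason
        elif max_entries is not None and len(accepted) >= max_entries:
            rejected[entry] = f"exceeds the {max_entries}-entry limit"
        else:
            accepted.append(entry.strip())
    return accepted, rejected


# Constructed sample batches, mixing the documented valid and invalid forms.
SAMPLE_SENDERS = ["*@example.com", "name@*.com", "*@*.example.com",
                  "*@*", "*", "partner.example.net"]
SAMPLE_FILES = ["*.exe", "file*.exe", "file*", "*.*", "*",
                "report:2024.docx", "x" * 300]

if __name__ == "__main__":
    for label, batch, validator in (("senders", SAMPLE_SENDERS, validate_sender_pattern),
                                    ("files", SAMPLE_FILES, validate_file_pattern)):
        ok, bad = check_import(batch, validator, MAX_FILE_ENTRIES if label == "files" else None)
        print(label, "accepted:", ok)
        for entry, reason in bad.items():
            print(label, "rejected:", repr(entry[:40]), "->", reason)
    print(sender_matches("*@example.com", "Alice@Example.com"))
    print(file_matches("*.exe", "invoice.exe.txt"))
```

Run the script against a candidate Import file before uploading it; the rejected map tells you which lines the console would refuse, and the two matching functions let you confirm that an entry like *@*.example.com exempts only the senders you intend, since anything it matches is never sent to Virtual Analyzer.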