IMSS leverages ATSE to determine which messages are sent to
Virtual Analyzer. When enabled, ATSE provides an additional layer of protection against
advanced threats, such as document exploits and other threats used in targeted
attacks.
ATSE detections are identifiable through the prefixes HEUR, EXPL and
AFI MACRO. If the detection name contains one of these prefixes, IMSS:
-
Sends the entire message (including attachments) to Virtual Analyzer for further analysis.
-
Determines further action based on the analysis result from Virtual Analyzer.
Virtual Analyzer assigns a risk level to each analyzed message. IMSS queries this risk level approximately 60
seconds after sending the message to Virtual Analyzer. After receiving the risk level,
IMSS determines whether the message is a clean
message, a Probable advanced threat, or an Analyzed advanced
threat based on the risk level and the security level that you select on the
IMSS management console.