Advanced Classification Engine (ACE) analysis overview

ACE advanced analysis includes:

  • Real-Time Content Classification returns a category for URLs that have not already been blocked by the active policy, and:
    • Are not in the Forcepoint URL Database, or
    • Are classified as a dynamic site

    Content classification adapts to rapidly-changing web content, including user- generated content, such as that found on social-networking sites.

    Optionally, you can select Analyze links embedded in Web content as part of content classification to provide more accurate categorization of certain types of content. For example, a page that otherwise has little or no undesirable content, but that links to sites known to have undesirable content, can be more accurately categorized. Link analysis is particularly good at finding malicious links embedded in hidden parts of a page, and in detecting pages returned by image servers that link thumbnails to undesirable sites.

  • Real-Time Security Classification analyzes web pages in real time to discover security threats and malicious code in HTTP. You can enable advanced analysis for one of the following:
    • Sites with elevated risk profiles, as identified by Security Labs
    • Sites with elevated risk profiles and sites with lower risk profiles. Note that analyzing all inbound content is resource intensive and may result in slower web performance.
    Note: For an I Series appliance deployment, when performance optimization is selected the cloud service analyzes only sites with elevated risk profiles.

    You must enable Real-Time Security Classification to use the options on the Application Controls tab. See Application Control tab.

  • Antivirus File Analysis - Inbound analyzes files using traditional antivirus (AV) definitions to find virus-infected files that users are attempting to download.
  • Advanced Detection File Analysis - Inbound analyzes files using advanced detection techniques to discover malicious content, such as viruses, Trojan horses, and worms, returning a threat category for policy enforcement.

    You can configure the specific types of files to analyze under File Type Analysis Options. Note that executable file analysis is configured separately (see Configuring file analysis).

    Note: If file analysis is configured to include multimedia files, when the streaming media is buffered and analyzed, the connection to the server may time out. In such cases, the best remedy is to create an analysis exception for that site. See Analysis exceptions.
  • Rich Internet Application Analysis is applied to active content like Flash and Silverlight to detect and block malicious content.

    There are also two ACE outbound traffic analysis options that are enabled by default and cannot be turned off. This ensures that viruses and other malicious content cannot be sent from your network.

  • Antivirus and Advanced Detection File Analysis - Outbound parallels the inbound file analysis applied by the Antivirus File Analysis and Advanced Detection File Analysis.
  • Bot and Spyware “phone home” Traffic Analysis detects phone-home communication attempts from malware in your network and ensures that they are categorized and blocked.

The cloud service must analyze and block outbound malicious traffic in order to protect itself from being perceived as a malicious actor. Some origin servers blocklist client IP addresses if they detect malicious communications or hack attempts. If malicious communications were permitted to go through cloud proxies, the proxies would be in blocklist. This could mean that a single infected client could cause all clients browsing via the same cluster to be in blocklist.

This traffic is also logged, so you can run a report to obtain a list of the infected computers in your network.