Advanced Threat Detection
This feature may not be available on all platforms. Please check your system's actual page if your device delivers this feature.
Advanced Threat Detection learns advanced threat detection signatures to analyze the suspicious traffic of hosts, as well as detect malicious behavior and identify APT (Advanced Persistent Threat) attacks, and generates threat logs.
- You need to update the Malware behavior model database before enabling the function for the first time. By default, System will update the database at the certain time everyday, and you can modify the updating settings according to your own requirements. For more information, see Upgrading System.
- Advanced Threat Detection is controlled by license. To use Advanced Threat Detection, apply and install the StoneShield license.
Configuring Advanced Threat Detection
To realize the zone-based Advanced Threat Detection, take the following steps:
- Create a zone. For more information, refer to Security Zone；
- In the Zone Configuration dialog box, select Threat Protection tab.
- Select the Enable check box after the Advanced Threat Detection.
- If you need to capture packets, select the Capture Packetscheck box. System will save the evidence messages and have support to download it.
Viewing Advanced Threat Detection Information
To view the Advanced Threat Detection information, take the following steps:
- Select iCenter.
- In Threat tab, click , select Detected By and Advanced Threat Detection in the drop-down list, and then click threat entry name in the list.
- View the advanced threat detection information, malware reliability information and so on.
- Click Evidential packets or Relational packets drop-down list and select View to view the detail of packets.
- Click Evidential packets or Relational packets drop-down list and select Download to download the data packets.
- Click in Admin Action, and select the threat status from the Change to drop-down list in Admin Action dialog box.
- Open: When the threat entry status is 'Open', system will display it again next time.
- False Positive: When the threat entry status is ' False Positive ', system will upload it to the cloud and display it again next time.
- Ignore: When the threat entry status is 'Ignore ' , it will not participate in the 'Risk Index' score.
- Confirmed: When the threat entry status is 'Confirmed ' , system will display it again next time.
- Fixed: When the threat entry status is ' Fixed ' , it will not participate in the 'Network Risk Index' score.