About Advanced Threats Protection


Today, web pages do not contain just plain text nested inside HTML tags. Instead, they are filled with Java applets, Flash videos, ActiveX controls and other objects designed to run programs. Hackers routinely embed malicious scripts and applications not only on their own websites but also on legitimate websites that they have compromised. The Zscaler service identifies a variety of these objects and scripts and prevents them from downloading to the end user's browser.

There may be trusted websites of partners or vendors whose webmail or file downloads would otherwise be blocked by anti-virus, anti-spyware, or anti-malware policies. You can exempt these sites from inspection by adding them to the Bypassed URLs list; the service then allows users to download content from these URLs without inspecting the traffic. To learn about whitelisting URLs, see How do I whitelist URLs?

When you configure the Advanced Threats Protection policy, you can set a Suspicious Content Protection (Page Risk™) value. The Zscaler service calculates the Risk Index of a page in real time by identifying malicious content within the page (injected scripts, vulnerable ActiveX controls, zero-pixel iframes, and more) and deriving a risk score, the Page Risk Index. At the same time, a Domain Risk Index is derived from data such as the hosting country, domain age, past results, and links to high-risk top-level domains. The Page Risk and Domain Risk are combined into a single Risk Index score, which is then evaluated against the Suspicious Content Protection (Page Risk™) value that you set in this policy.
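As an added illustration (not Zscaler's code; the indicator weights, the 60/40 combination split, the high-risk TLD list and the sample page are all assumptions), the following Python toy evaluator applies the two ideas above: a host on the Bypassed URLs list skips inspection entirely, otherwise the page-level indicators the text names (zero-pixel iframes, decode-and-eval scripts, ActiveX objects) and the domain-level signals (domain age, hosting country, links to high-risk TLDs) are scored, combined into one Risk Index and compared with the configured tolerance.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
PAGE_WEIGHTS = {"zero_pixel_iframe": 40, "obfuscated_script": 30, "activex_object": 30}  # assumed
HIGH_RISK_TLDS = {"zip", "top", "xyz"}  # constructed sample list, not Zscaler's
SAMPLE_PAGE = ('<html><body><p>Welcome</p><iframe src="http://hidden.example/f" width="0" '
               'height="0"></iframe><script>var p=unescape("%61%6c");eval(p);</script>'
               '<a href="http://files.example.zip/get">download</a></body></html>')  # constructed

class PageScanner(HTMLParser):  # counts the page indicators the text names, plus risky-TLD links
    def __init__(self):
        super().__init__()
        self.hits = dict.fromkeys(PAGE_WEIGHTS, 0)
        self.risky_links = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        dims = [(a.get(k) or "").strip().lower().rstrip("px") for k in ("width", "height")]
        if tag == "iframe" and dims == ["0", "0"]:
            self.hits["zero_pixel_iframe"] += 1
        elif tag == "object" and (a.get("classid") or "").lower().startswith("clsid:"):
            self.hits["activex_object"] += 1
        elif tag == "a":
            host = urlsplit(a.get("href") or "").hostname or ""
            self.risky_links += host.rsplit(".", 1)[-1] in HIGH_RISK_TLDS
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):  # decode-then-eval is a classic injected-script pattern
        if self._in_script and "eval(" in data and "unescape(" in data:
            self.hits["obfuscated_script"] += 1

def risk_index(html, domain_age_days, high_risk_country):
    """Page Risk (content) and Domain Risk (hosting data) combined 60/40 (assumed split)."""
    scan = PageScanner()
    scan.feed(html)
    page = min(100, sum(PAGE_WEIGHTS[k] * n for k, n in scan.hits.items()))
    domain = 40 if domain_age_days < 30 else 10 if domain_age_days < 365 else 0
    domain += (30 if high_risk_country else 0) + min(30, 10 * scan.risky_links)
    return round(0.6 * page + 0.4 * min(100, domain))

def decide(url, html, age_days, high_risk_country, tolerance, bypassed=(), country_blocked=False):
    """'allow' or 'block'. Bypassed hosts skip inspection and override Blocked Countries."""
    if (urlsplit(url).hostname or "") in bypassed:
        return "allow"
    if country_blocked:
        return "block"
    return "block" if risk_index(html, age_days, high_risk_country) > tolerance else "allow"
```

A low tolerance value corresponds to the Low Risk end of the slider: the sample page scores 74 and is blocked at tolerance 50, while the same page served from a bypassed host is allowed without inspection.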

Note that the Advanced Threats Protection policy is a global policy; it applies to all users.

To modify the Advanced Threats Protection policy, follow the steps below.

  1. Go to Policy > Web > Advanced Threats Protection.
  2. Click the Advanced Threats Policy tab and set the following:
    • Suspicious Content Protection (Page Risk™)
      Click on the bar to set the page risk tolerance of your organization.

[Screenshot: the Suspicious Content Protection (Page Risk™) slider in the Advanced Threats Protection policy]

Low Risk: The green area at the left end of the continuum indicates that you are willing to block anything that is even slightly suspicious; there is no tolerance for risk.

High Risk: At the opposite end, the red area indicates a high tolerance for risk and allows users to access even very risky sites.

  3. Click Allow or Block to change any of the settings.
  4. In Malicious Active Content Protection > Blocked Malicious URLs, type the URLs you want to blacklist for your organization.
  5. Click Save and activate the change.

For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?

The Advanced Threats Protection policy protects your traffic against the advanced threats described below.

Whitelisted URLs take precedence over all of the options described below. For example, if a whitelisted URL is hosted on a web server in a blocked country, the service still allows users to download content from that website.

Botnets are systems on which attackers have secretly installed their software. This software is designed to communicate periodically with a "command and control" center, from which a master application instructs the infected computers to send spam or phishing email, or to perform other malicious tasks.

Command & Control Servers: This refers to connections to known command and control servers.

Command & Control Traffic: This refers to botnets sending commands to, or receiving commands from, unknown servers. The Zscaler service examines the content of requests to and responses from unknown servers.

The Zscaler service blocks access to websites that attempt to download dangerous content to your browser when you visit them, and also blocks vulnerable ActiveX controls and known web browser exploits. Here you can also blacklist specific URLs for your organization.

Malicious Content & Sites: This refers to websites that attempt to download dangerous content to your browser when you visit them. Increasingly, this content is downloaded silently, without the user's knowledge or awareness. Malicious sites include exploit kits, compromised websites, and malicious advertising.

Vulnerable ActiveX Controls: This refers to ActiveX controls that are known to have been exploited. An ActiveX control is a software component for Internet Explorer, often referred to as an add-on.

Browser Exploits: This refers to known web browser vulnerabilities that can be exploited, including exploits for Internet Explorer and Adobe Flash.

File Format Vulnerabilities: This refers to known file format vulnerabilities in Microsoft documents.

Blocked Malicious URLs: You can blacklist specific URLs for your organization in this field.

Phishing sites are websites that mimic legitimate banking and financial sites (for example, Citibank.com, PayPal.com, and so on). Their purpose is to fool you into thinking that you can safely submit bank account numbers, passwords, and other personal information, which criminals can then use to steal your money.

Known Phishing Sites: This refers to websites known to be phishing sites.

Suspected Phishing Sites: The Zscaler service can inspect the content of a website for indications that it may be a phishing site.

Spyware Callback: Adware and spyware sites gather users' information without notification and sell this information to advertisers or criminals. When Spyware Callback is blocked, the Zscaler service prevents the spyware from calling home.

Web Spam: This refers to web pages that pretend to contain useful information in order to rank higher in search engine results or to drive traffic to phishing, adware, or spyware distribution sites.

Unauthorized communications refers to IRC and SSH tunneling applications, and to "anonymizer" sites that are used to bypass firewalls and proxies.

IRC Tunneling: This refers to IRC traffic being tunneled over HTTP/S.

SSH Tunneling: This refers to SSH traffic being tunneled over HTTP/S.

Anonymizers: This refers to applications and methods used to obscure the destination and the content accessed by the user. The use of anonymizers may enable users to bypass policies that control access to websites and Internet resources.

Cross-site scripting (XSS) refers to vulnerabilities in web server applications that allow malicious users to inject their own code into the website. When other users download a page from the web server, the malicious code is also sent to their browsers. XSS includes the following:

Cookie Stealing: This refers to third-party websites that gather cookie information, which can be used to identify users, track Internet activity, or steal a user's session.

Potentially Malicious Requests: These are requests of the kind used in cross-site scripting attacks. Select Block to block them.

Blocked Countries: You can block requests to any country in the world based on the ISO 3166 mapping of countries to their IP address space. Websites are blocked based on the location of the web server.

P2P File Sharing refers to Internet resources that allow users to easily share files with each other. The danger is that users may illegally share copyrighted or otherwise protected content. The file-sharing applications listed are some of the more common ones in use today.

BitTorrent: The Zscaler service can block the use of BitTorrent, a popular P2P file-sharing application. Content downloaded with BitTorrent is encrypted and therefore cannot be inspected.

P2P Anonymizer refers to applications and methods used to obscure the destination and the content accessed by the user. Use of anonymizers may enable users to bypass policies controlling which websites they may visit or which Internet resources they may access.

Tor: The Zscaler service can block the use of Tor, a popular P2P anonymizer protocol. Content downloaded over Tor is encrypted and therefore cannot be inspected.

P2P VoIP lists several popular Voice over IP (VoIP) applications. While VoIP may be encouraged for its telephone cost savings, it may also be discouraged because of the high bandwidth utilization associated with it.

Google Talk: The Zscaler service can block access to Google Talk, a popular P2P VoIP application.