Secure Internet and SaaS Access (ZIA)
Configuring the Malware Protection Policy
The Zscaler service uses an industry-leading AV vendor for signature-based detection and protection so it can provide comprehensive web security. In addition to virus and spyware protection, the service uses malware feeds from its trusted partners, such as Microsoft and Adobe, as well as its own technologies to detect and block malware. You can capture and store traffic blocked through this policy as PCAP files. To learn more, see About Traffic Capture. The Malware Protection policy applies globally to all of an organization's locations.
You can also configure exceptions to the Malware Protection policy. To learn more, see Configuring Security Exceptions for the Malware Protection Policy. Zscaler also has a recommended policy for Malware Protection.
To learn how this policy fits into the overall order of policy enforcement, see About Policy Enforcement.
Configuring the Malware Protection Policy
Zscaler recommends that you don't change the default settings of the Malware Protection policy to ensure the security of your user traffic.
To configure the Malware Protection policy:
- Go to Policy > Malware Protection.
- In the Malware Policy tab:
    - Inspect Inbound Traffic: Enable the Zscaler service to scan internet traffic coming into your network for malicious content. It scans traffic for all protocols you've enabled below and scans all files, including those with up to 5 layers of recursive compression.
    - Inspect Outbound Traffic: Enable the Zscaler service to scan outgoing internet traffic for malicious content. It scans traffic for all protocols you've enabled below and scans all files, including those with up to 5 layers of recursive compression.
    - Inspect HTTP: Enable the Zscaler service to scan HTTP traffic (and HTTPS traffic if SSL Inspection is enabled) in real time. The Inspect Inbound/Outbound Traffic options above determine whether inbound, outbound, or both types of traffic are scanned. The service scans all files, including those with up to 5 layers of recursive compression.
    - Inspect FTP over HTTP: Enable the Zscaler service to scan FTP over HTTP traffic in real time. The Inspect Inbound/Outbound Traffic options above determine whether inbound, outbound, or both types of traffic are scanned. The service scans all files, including those with up to 5 layers of recursive compression.
    - Inspect FTP: Enable the Zscaler service to scan FTP traffic in real time. The Inspect Inbound/Outbound Traffic options above determine whether inbound, outbound, or both types of traffic are scanned. The service scans all files, including those with up to 5 layers of recursive compression.
      Zscaler offers FTP traffic inspection as part of the FTP Control policy. To learn more, see Configuring the FTP Control Policy.
    - Unwanted Applications: Allow or Block unwanted files that are also downloaded when users download a program they want.
    - Trojans: Allow or Block malicious programs that are presented as beneficial or useful.
    - Worms: Allow or Block malicious programs that duplicate themselves to spread malicious code to other devices.
    - Sandbox Ransomware: Allow or Block malicious programs that can encrypt files and prevent users from accessing their devices, files, or data until a ransom payment is made.
    - Other Viruses: Allow or Block malicious programs that cause damage to systems and data. This category covers any viruses that don't fit into the more specific malware categories. The Zscaler service detects other viruses through file reputation or signature matching (e.g., antivirus).
    - Remote Access Tool: Allow or Block downloads of tools commonly used for remote access.
    - Adware: Allow or Block malicious files that automatically render advertisements and install adware.
    - Spyware: Allow or Block malicious files that covertly gather information about a user or an organization.
      If Traffic Capture is enabled, the Capture option appears when Block is selected. Captured traffic is stored in PCAP files for later analysis. To enable Traffic Capture for this policy, see Configuring Traffic Capture.
- Click Save and activate the change.
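The inspection settings above all state that files are scanned through up to 5 layers of recursive compression. The following added example (not Zscaler's code, and not a description of how the Zscaler service is implemented) is a minimal model of what such a depth limit means: it unpacks nested zip archives up to a configurable layer count, scans the innermost content against a constructed placeholder signature, and reports when nesting exceeds the limit so that the content was never actually inspected. The signature bytes, the `inspect` and `wrap` functions, and the test archives are all constructed for this example.

```python
import io
import zipfile

# Constructed placeholder "signature": the byte pattern this toy scanner looks for.
# It stands in for a real AV signature and is not a real malware indicator.
SIGNATURE = b"EXAMPLE-SIGNATURE-DO-NOT-USE"
MAX_LAYERS = 5  # the page states inspection covers up to 5 layers of recursive compression


def inspect(data: bytes, max_layers: int = MAX_LAYERS, depth: int = 0) -> dict:
    """Recursively unpack zip layers up to max_layers and scan the payload.

    Returns a dict with:
      matched  - True if the placeholder signature was found in scanned content
      depth    - deepest layer that was actually reached
      complete - False if nesting exceeded max_layers, i.e. the inner content
                 was never inspected and a "clean" verdict is not trustworthy
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Plain (non-archive) content: scan it directly.
        return {"matched": SIGNATURE in data, "depth": depth, "complete": True}
    if depth >= max_layers:
        # Another compression layer exists but the limit is reached: stop here.
        return {"matched": False, "depth": depth, "complete": False}
    result = {"matched": False, "depth": depth + 1, "complete": True}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            inner = inspect(zf.read(name), max_layers, depth + 1)
            result["matched"] |= inner["matched"]
            result["depth"] = max(result["depth"], inner["depth"])
            result["complete"] &= inner["complete"]
    return result


def wrap(payload: bytes, layers: int) -> bytes:
    """Constructed test input: wrap payload in the given number of zip layers."""
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{i}.bin", payload)
        payload = buf.getvalue()
    return payload


if __name__ == "__main__":
    # Within the limit: the payload is reached and the signature matched.
    print(inspect(wrap(SIGNATURE, 3)))  # matched True, depth 3, complete True
    # One layer beyond the limit: scanning stops and the result is flagged incomplete.
    print(inspect(wrap(SIGNATURE, 6)))  # matched False, depth 5, complete False
```

The `complete` flag is the part worth watching in a real deployment: a file that exceeds the inspection depth is not proven clean, so policies for unscannable content should be decided deliberately rather than defaulting to allow.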