Secure Internet and SaaS Access (ZIA)
Configuring the Data at Rest Scanning Malware Detection Policy
Watch a video about SaaS Security Data at Rest Scanning and policy configuration
The SaaS Security Data at Rest Scanning Malware Detection policy allows you to create rules to discover threats to data at rest in sanctioned SaaS applications.
For the Zscaler service to inspect content according to a policy rule's specifications, you must add the rule to a scan schedule. The Zscaler service does not inspect content until you configure a scan. To learn more, see About SaaS Security Scan Configuration.
To configure the Malware Detection policy:
- Go to Policy > SaaS Security > Data at Rest Scanning.
- Click Malware Detection.
- In the Malware Detection tab, choose one of the following SaaS application types from the drop-down menu:
- Collaboration
To add a Malware Detection rule for collaboration applications:
- Click Add Malware Detection Rule.
The Add Malware Detection Rule window appears.
- In the Add Malware Detection Rule window:
- Application: Select an application from the list.
- SaaS Application Tenant: Select the tenant for the application.
- Status: Enable or disable the Zscaler service from inspecting data for malware.
- Rule Label: Select a rule label to associate it with the rule.
- For Action: Select the action for the rule to take when it detects malware:
- Quarantine Malware: The Zscaler service quarantines the malware:
- For Slack, the Zscaler service creates a channel called Zscaler_Quarantine and moves the malware to the channel for quarantine.
- For Microsoft Teams, the Zscaler service creates a site called Zscaler_Quarantine in SharePoint and moves the malware files from all the channels to this location.
- For Webex Teams, the Zscaler service creates a team called Zscaler_Quarantine and moves the malware to the team for quarantine.
- Remove Malware: The Zscaler service deletes the malware.
- Report Malware: The Zscaler service reports the incident, but doesn’t quarantine or remove the malware.
- Tombstone Template: Select a tombstone template from the drop-down list. The quarantine action creates a tombstone file template in the original location and adds the description from the tombstone template created in the Quarantine page (Administration > Data Loss Prevention > Notification Template > Quarantine). To learn more, see About Quarantine Tombstone File Templates.
- Click Save and activate the change.
- CRM
To add a Malware Detection rule for CRM applications:
- Click Add Malware Detection Rule.
The Add Malware Detection Rule window appears.
- In the Add Malware Detection Rule window:
- Application: Select an application from the list.
- SaaS Application Tenant: Select the tenant for the application.
- Status: Enable or disable the Zscaler service from inspecting data for malware.
- Rule Label: Select a rule label to associate it with the rule.
- For Action: Select the action for the rule to take when it detects malware:
- Quarantine Malware: The Zscaler service quarantines suspicious files.
- Quarantine Location: This field appears only if you select the Quarantine Malware action. This is the location where malicious files are moved for quarantine. The Zscaler service creates a folder or library called Zscaler_Quarantine for the location.
- Remove Malware: The Zscaler service deletes the suspicious file.
- Report Malware: The Zscaler service reports the incident, but doesn’t quarantine or remove the malware.
- Tombstone Template: Select a tombstone template from the drop-down list. The quarantine action creates a tombstone file template in the original location and adds the description from the tombstone template created in the Quarantine page (Administration > Data Loss Prevention > Notification Template > Quarantine). To learn more, see About Quarantine Tombstone File Templates.
- Click Save and activate the change.
- Email
To add a Malware Detection rule for email applications:
- Click Add Malware Detection Rule.
The Add Malware Detection Rule window appears.
- In the Add Malware Detection Rule window:
- Application: Select an application from the list.
- SaaS Application Tenant: Select the tenant for the application.
- Status: Enable or disable the Zscaler service from inspecting data for malware.
- Rule Label: Select a rule label to associate it with the rule.
- Scan Inbound Email Links: Select Enabled to allow the Zscaler service to inspect links included in inbound emails. If you select Disabled, the Zscaler service doesn’t inspect the links.
- For Action: Select the action for the rule to take when it detects malware:
- Apply Email Tag: The Zscaler service reports the incident and adds an unsafe attachment or link label to the email.
When you choose this action, the Label Name field appears. From this drop-down menu, you can choose an email label you want the rule to apply to the emails. The Zscaler service automatically creates an email category or an email label in the users’ email account if it hasn’t already been created.
- Report Malware: The Zscaler service reports the incident, but doesn’t quarantine or remove the malware.
- Click Save and activate the change.
- File Sharing
To add a Malware Detection rule for file sharing applications:
- Click Add Malware Detection Rule.
The Add Malware Detection Rule window appears.
- In the Add Malware Detection Rule window:
- Application: Select an application from the list.
- SaaS Application Tenant: Select the tenant for the application.
- Site: Select the sites to which you want to apply the rule. You can search for a site or select all sites.
- Status: Enable or disable the Zscaler service from inspecting data for malware.
- Rule Label: Select a rule label to associate it with the rule.
- For Action: Select the action for the rule to take when it detects malware.
- Quarantine Malware: The Zscaler service quarantines the suspicious file.
- Quarantine Location: This field appears only if you select the Quarantine Malware action. This is the location where malicious files are moved for quarantine. The Zscaler service creates a folder or library called Zscaler_Quarantine for the location. To specify the quarantine location:
- For Box, enter the Box ID for the user who owns the folder. The service creates the folder on the user’s account.
- For Confluence, enter the ID for the user who owns the folder. The service creates a space in the user's private location. It also creates a page under the same location to quarantine the malware files.
- For Dropbox, enter the Dropbox ID for the user who owns the folder. The service creates the folder on the user’s account.
- For Google Drive, enter the Google ID for the user who owns the folder. The service creates the folder on the user’s account.
- For OneDrive, enter the OneDrive ID for the user who owns the folder. The service creates the folder on the user’s account.
- For ShareFile, enter the ShareFile ID for the user who owns the folder. The service creates the folder on the user’s account.
- For SharePoint, enter the SharePoint site address where the library belongs. The service creates the folder on the SharePoint site.
- Remove Malware: The Zscaler service deletes the suspicious file.
- Report Malware: The Zscaler service reports the incident, but doesn’t quarantine or remove the malware.
- Tombstone Template: Select a tombstone template from the drop-down list. The quarantine action creates a tombstone file template in the original location and adds the description from the tombstone template created in the Quarantine page (Administration > Data Loss Prevention > Notification Template > Quarantine). To learn more, see About Quarantine Tombstone File Templates.
- Click Save and activate the change.
- Gen AI
To add a Malware Detection rule for Generative AI applications:
- Click Add Malware Detection Rule.
The Add Malware Detection Rule window appears.
- Define the criteria:
- Rule Name: Enter a rule name for the policy.
- Status: Enable or disable the Zscaler service from inspecting data for malware.
- Application: Select an application from the list.
- SaaS Application Tenant: Select the tenant for the application.
- Rule Label: Select a rule label to associate it with the rule.
- For Action: This field cannot be changed. The Zscaler service reports the incident, but doesn’t quarantine or remove the malware.
- Click Save and activate the change.
- ITSM
To add a Malware Detection rule for ITSM applications:
- Click Add Malware Detection Rule.
The Add Malware Detection Rule window appears.
- In the Add Malware Detection Rule window:
- Application: Select an application from the list.
- SaaS Application Tenant: Select the tenant for the application.
- Status: Enable or disable the Zscaler service from inspecting data for malware.
- Rule Label: Select a rule label to associate it with the rule.
- For Action: Select the action for the rule to take when it detects malware.
- Quarantine Malware: The Zscaler service quarantines suspicious files.
- Quarantine Location: This field appears only if you select the Quarantine Malware action. This is the location where malicious files are moved for quarantine. The Zscaler service creates a folder or library called Zscaler_Quarantine for the location.
- Remove Malware: The Zscaler service deletes the suspicious file.
- Report Malware: The Zscaler service reports the incident, but doesn’t quarantine or remove the malware.
- Tombstone Template: Select a tombstone template from the drop-down list. The quarantine action creates a tombstone file template in the original location and adds the description from the tombstone template created in the Quarantine page (Administration > Data Loss Prevention > Notification Template > Quarantine). To learn more, see About Quarantine Tombstone File Templates.
- Click Save and activate the change.
- Public Cloud Storage
To enable Amazon S3, Google Cloud Platform, and Microsoft Azure for your organization, contact your Zscaler Account team.
To add a Malware Detection rule for public cloud storage applications:
- Click Add Malware Detection Rule.
The Add Malware Detection Rule window appears.
- In the Add Malware Detection Rule window:
- Application: Select an application from the list.
- SaaS Application Tenant: Select the tenant for the application.
- Buckets: This is only applicable for Amazon S3 and Google Cloud Platform tenants. Select the buckets for the Zscaler service to inspect for malware. You can select up to 1000 buckets.
- Blob Containers: This is only applicable for Microsoft Azure tenants. Select the blob containers for the Zscaler service to inspect for malware. You can select up to 1000 blob containers.
Before you can select buckets or blob containers, you must have saved this rule and created a scan schedule. To learn more, see Configuring the Data at Rest Scanning Policy.
- Status: Enable or disable the Zscaler service from inspecting data for malware.
- Rule Label: Select a rule label to associate it with the rule.
- For Action: Select the action for the rule to take when it detects malware. The number of actions available depends on the selected SaaS Application Tenant.
- Quarantine Malware: The Zscaler service moves the malware to the quarantine bucket or blob container created for the tenant. To learn more, see Adding SaaS Application Tenants.
- Remove Malware: The Zscaler service deletes the malware.
- Report Malware: The Zscaler service reports the incident, but doesn’t quarantine or remove the malware.
- Tombstone Template: Select a tombstone template from the drop-down list. The quarantine action creates a tombstone file template in the original location and adds the description from the tombstone template created in the Quarantine page (Administration > Data Loss Prevention > Notification Template > Quarantine). To learn more, see About Quarantine Tombstone File Templates.
- Click Save and activate the change.
- Source Code Repository
To add a Malware Detection rule for source code repository applications:
- Click Add Malware Detection Rule.
The Add Malware Detection Rule window appears.
- Define the criteria:
- Application: Select an application from the list.
- SaaS Application Tenant: Select the tenant for the application.
- Buckets: This is only applicable for GitLab tenants. Select the buckets for the Zscaler service to inspect for malware. You can select up to 32 buckets.
- Status: Enable or disable the Zscaler service from inspecting data for malware.
- Rule Label: Select a rule label to associate it with the rule.
- For Action: This field cannot be changed. The Zscaler service reports the incident, but doesn’t quarantine or remove the malware.
- Click Save and activate the change.