Creating a Threat Protection Policy for Real-time Protection

Creating a Threat Protection Policy for Real-time Protection

Netskope can scan files stored in your cloud storage applications for malware. Real-time Protection policies scan files for malware by default. For added protection, optional configurations include allowlist and blocklist file hash lists for malware detection, and integrating Carbon Black for endpoint protection to use remediation profiles while creating an Real-time Protection policy.

To use the optional configurations in a Real-time Protection policy, configure these options before creating the Real-time Protection policy:

  • Create a file hash list: Specify the type of hash lists to detect in a malware scan.
  • Create a detection profile: Specify which hash list file types to allowlist and blocklist.
  • Integrate endpoint detection and remediation: Set up a 3rd-party integration, like with Carbon Black or CrowdStrike, for endpoint protection.
  • Create a remediation profile: Specify the action to take, like Isolate, Alert, or Add to Watchlist/Blocklist.

To configure threat protection for Real-time Protection policies:

  1. Go to Policies > Real-time Protection.
  2. Click New Policy and then Threat Protection.
  3. On the Real-time Protection policy page, enter the settings for Source (Users) and Destination (Cloud App/Category) first. Netskope recommends selecting all users and categories with the Activity set to Upload and Download.


    Netskope automatically scans browse activity and includes it in the download activity for elements/files from a webpage.

  4. In the Profile & Action section, select a Threat Protection profile. Netskope recommends selecting Default Malware Scan (predefined) because it automatically scan across all Threat Protection engines based on your organization’s license.Recommended Threat Protection Policy on the Real-Time Protection page.
  5. Select the Action for each severity level. The recommended action for every severity level is Block. This ensures the best protection for users. To apply a remediation profile for each severity level, select a remediation profile from the dropdown list.


    When the Fallback Action for Advanced File Scanning is set to Alert or Block, some events might not have policy name if:

    • There’s a TSS or DLP fail reason.
    • There’s no rule hit because you excluded the Threat Protection or DLP rule.
    • You don’t have a catch-all rule at the end of the policy.
  6. Optionally, if you selected File Type constraints and chose a Block action for a severity level, you can see the Block till benign verdict by dynamic threat analysis option. Select to block users from uploading or downloading a file until Netskope dynamic threat analysis provides a benign verdict. The analysis can take up to 10 minutes. See Creating a Threat Protection Policy for Patient Zero.
    The Block till benign verdict by dynamic threat analysis option in the Profile and Action section.
  7. Enter a name for the policy and click Save.

Now you are ready to use the malware and malicious sites pages.

Share this Doc

Creating a Threat Protection Policy for Real-time Protection

Or copy link

In this topic ...