Netskope Help

Threat Protection

Modern threats need a multi-layered security approach able to defend organizations from known threats and zero-days with the same level of efficacy. Netskope has built a comprehensive threat protection framework that allows organizations to defend against malware through different engines:

  • Signature-Based Antivirus (AV)

  • Web IPS

  • Command and Control (C2 or C&C) Infrastructure

  • Machine Learning-Based Detection

  • Advanced Heuristics Analysis

  • Cloud Sandboxing

While Signature-Based AV, IPS, DNS, callbacks, and threat intelligence indicators can detect and block malware in real time with Netskope fast scan, the Advanced Heuristics and Sandboxing engines require more time to analyze samples with deep scan. Malware detected by the deep scan engine therefore can't be blocked at its first occurrence. However, its hashes and convicted URLs/domains are shared globally in the Netskope Cloud so that subsequent occurrences are blocked inline:

  • Within 1 hour for customers with the Advanced Threat Protection license.

  • Within 24 hours for customers with the Standard Threat Protection license.

The following architecture diagram illustrates how Netskope Threat Protection detects malware for your organization:

A diagram illustrating how Netskope Threat Protection detects malware.

You can integrate external intelligence into Netskope’s threat protection engines with malicious hashes, domains, or URLs using Cloud Threat Exchange (CTE).
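The two mechanisms described above, the fast-scan/deep-scan hand-off and the indicator sharing that CTE can also feed, are illustrated by the following added Python sketch. It is not Netskope code and calls no Netskope or CTE API; the `IndicatorStore` class, the feed record layout (`type`/`value`), the `EVIL-MARKER` stand-in for a deep-scan verdict, and all URLs and sample bytes are constructed assumptions.

```python
"""Illustration (not Netskope code) of the fast-scan / deep-scan flow described
above: a fast path that blocks on shared indicators, a slower deep path whose
convictions feed those indicators, and an ingest hook for an external feed such
as CTE. Engine logic, feed format and samples here are all constructed."""
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class IndicatorStore:
    """Shared convicted indicators: file hashes, domains and exact URLs."""
    sha256: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)

    def ingest_feed(self, feed):
        """Load an external feed (hypothetical CTE-style record layout)."""
        for entry in feed:
            kind, value = entry["type"], entry["value"].strip().lower()
            if kind == "sha256":
                self.sha256.add(value)
            elif kind == "domain":
                self.domains.add(value)
            elif kind == "url":
                self.urls.add(value)


def domain_of(url):
    """Return the host part of a URL, lower-cased, without a port."""
    return urlsplit(url).hostname or ""


def fast_scan(store, source_url, content):
    """Real-time check: indicators only, no behavioural analysis.
    Returns "block" when any indicator matches, otherwise "unknown"."""
    digest = hashlib.sha256(content).hexdigest()
    if digest in store.sha256:
        return "block"
    if source_url.lower() in store.urls or domain_of(source_url) in store.domains:
        return "block"
    return "unknown"


def deep_scan(content):
    """Stand-in for heuristics/sandboxing. Constructed rule: treat the marker
    b"EVIL-MARKER" as malicious. A real engine would analyse the sample instead."""
    return b"EVIL-MARKER" in content


def convict(store, source_url, content):
    """Share a deep-scan conviction: hash and source URL/domain join the store."""
    store.sha256.add(hashlib.sha256(content).hexdigest())
    store.urls.add(source_url.lower())
    store.domains.add(domain_of(source_url))


def handle_download(store, source_url, content):
    """One download event. Fast scan decides inline; unknown samples are
    allowed through and sent to deep scan, whose verdict only helps later."""
    if fast_scan(store, source_url, content) == "block":
        return "blocked inline"
    if deep_scan(content):
        convict(store, source_url, content)
        return "allowed; convicted by deep scan, indicators shared"
    return "allowed; clean"


def demo():
    """Walk through the scenario from the text and return the decisions."""
    store = IndicatorStore()
    # Constructed external feed, as a CTE plugin might supply
    store.ingest_feed([{"type": "domain", "value": "known-bad.example"}])
    payload = b"MZ....EVIL-MARKER...."  # constructed sample, not real malware
    return [
        handle_download(store, "https://known-bad.example/a.exe", b"anything"),
        handle_download(store, "https://files.example.net/x.exe", payload),   # first seen
        handle_download(store, "https://files.example.net/x.exe", payload),   # second seen
        handle_download(store, "https://other.example.org/y.bin", payload),   # same hash elsewhere
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The first event is blocked inline purely by the externally supplied domain indicator. The second event is the first sighting of an unknown sample: fast scan has nothing to match, so the download is allowed and only the deep path convicts it. Every later sighting of the same hash, from any URL, is then a fast-scan block; in the real service that propagation is what the 1-hour and 24-hour windows above refer to.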

Threat Protection for Cloud Storage Apps

As organizations move to the cloud, they are increasingly susceptible to modern-day threats like malware and ransomware. One of the first transitions to the cloud for many organizations is cloud storage, with SaaS apps such as Microsoft OneDrive for Business, Google Drive, Box, and Dropbox. Files get into these cloud storage apps in a number of ways, such as through third-party vendors, attachments saved from emails, and files uploaded from desktops, and not all of them are scanned by endpoint systems. Netskope provides threat protection for files stored in enterprise-managed applications in the cloud storage category.

When a malicious file is found in a SaaS app, you have three choices based on severity: send a Skope IT alert, quarantine the file, or apply a malware remediation profile to a policy. With quarantine, Netskope uses the quarantine profile in Settings > Threat Protection > API-enabled Protection to determine the quarantine folder and the tombstone that replaces the file. The malicious file is zipped and protected with a password to prevent users from inadvertently downloading it, and Netskope then notifies the admin specified in the profile. The quarantine option is only available in introspection mode. You can enable it in Settings > API-enabled Protection by selecting Malware, API Data Protection, and Quarantine for your instance.

With Standard Threat Protection, you scan your organization for malware, and with Advanced Threat Protection, you can also scan for ransomware. Even without the Advanced Threat Protection license, you can use threat protection with Real-time Protection and API Data Protection policies to detect files containing malware, and Risk Insights to detect malicious sites.