The size of objects that are additionally scanned by Advanced Threat Defense must be checked for compliance with the size limits that exist for this product.
There are some restrictions for Advanced Threat Defense regarding the size of web objects that can be scanned. The general size limit is 128 MB, which means that web objects of any type must not exceed this limit.
Other size limits exist for particular types of web objects. This is mainly due to the fact that sandboxing is performed on Advanced Threat Defense, which only allows, for example, a size of 10 MB for executable files.
Impact on the user experience
Web Gateway and Advanced Threat Defense communicate with each other over a REST API, which accepts files up to the general size limit by default. An end user who sent, for example, a request for downloading a 30 MB file is therefore first led to believe that this size is allowed.
When the sandboxing functions start operating, however, the file is rejected as too large. The end user receives a block message from Web Gateway, and the Advanced Threat Defense administrator sees an error message.
Configuring size limits on Advanced Threat Defense
File size limits can be set on Advanced Threat Defense using the set filesizes command.
Best Practice: Set all file size limits on Advanced Threat Defense to the same value.
We also recommend implementing this value on Web Gateway, for example, by creating a rule that only forwards files for scanning to Advanced Threat Defense if they do not exceed the size limit.
For more information about default size limits on Advanced Threat Defense and the methods of changing them, see the Skyhigh Security Advanced Threat Defense Product Guide.
Configuring size limits on Secure Web Gateway
On Web Gateway, you can configure a rule that blocks files if they exceed a particular size limit. By inserting this rule in a rule set for handling Advanced Threat Defense scanning activities, you can make sure that only files with suitable sizes are passed on to Advanced Threat Defense.
If you have imported the library rule sets for Advanced Threat Defense, you can insert the size limiting rule there. Some of these rule sets contain a rule for uploading web objects to Advanced Threat Defense.
By inserting the size limiting rule before this rule, files that exceed the size limit are blocked and the rule for uploading to Advanced Threat Defense is not executed.
Rule for setting a size limit
The following sample rule assumes that files must not exceed a size limit of 10 MB if they are to be scanned by Advanced Threat Defense. It blocks files that exceed this limit.
|Limit file size for scanning by Advanced Threat Defense
|Body.Size greater than 10000000)
|–> Block<ATD size limit>
To let the size check only apply to particular file types, suitable parts must be added to the rule criteria. For example, if you only want to cover executable files, you can add a criteria part that uses the MediaType.IsExecutable property.
To let the user who sent a request involving an over-sized object to the web know that and why this request was blocked, you can configure appropriate settings for the block action. In the sample rule, these settings are named ATD size limit.