How file filtering works

Use file filtering to scan files for malware and to restrict which file types are allowed through the NGFW Engine.

Note: File filtering is only available for the following protocols: FTP, HTTP, HTTPS, IMAP, IMAPS, POP3, and POP3S. DLP scanning is also supported for SMTP.

You can configure one or more malware detection methods that are applied to the traffic that matches the rules in the File Filtering Policy. Scanning is done in the following order:

  1. The file is checked against file reputation information in the engine's cache.

    If no match is found, the configured malware detection methods are applied to the traffic in the order listed here.

  2. If DLP scanning is enabled, the NGFW Engine forwards the file to an external DLP server.
    Note: DLP scanning is typically used for outbound file transfers to prevent sensitive data from being sent out. DLP scanning and other file filtering methods are not typically applied to the same traffic.
  3. The file is scanned using one of the following file reputation services:
    • McAfee® Threat Intelligence Exchange (TIE)
    • McAfee® Global Threat Intelligence™ (McAfee GTI)
  4. The file is scanned using the anti-malware scan on the NGFW Engine.
  5. The file is scanned using one of the following sandboxes:
    • Cloud Sandbox — Forcepoint Advanced Malware Detection
    • Local Sandbox — Forcepoint Advanced Malware Detection

The NGFW Engine allows or blocks the file according to the action defined in the File Filtering Policy.
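
The following Python model is an added example, not Forcepoint code or an NGFW API. It reproduces the scan order and the protocol note above so you can check which stages a transfer would reach and which protocols get no malware scanning. All function and stage names are hypothetical. Treating SMTP as DLP-only and ending the walk at a match in a later stage are assumptions of the model; the page only states that a cache match comes before the configured methods.

```python
# Added model of the page's scan order; not Forcepoint code, all names hypothetical.
FILE_FILTERING_PROTOCOLS = {"FTP", "HTTP", "HTTPS", "IMAP", "IMAPS", "POP3", "POP3S"}
DLP_ONLY_PROTOCOLS = {"SMTP"}  # assumption from the note: only DLP applies to SMTP
# Detection methods in the order of steps 2-5.
METHOD_ORDER = ("dlp", "file_reputation", "anti_malware", "sandbox")
MALWARE_METHODS = set(METHOD_ORDER) - {"dlp"}


def scan_plan(protocol, enabled):
    """Ordered stages applied to a file transferred over `protocol`."""
    proto = protocol.upper()
    if proto in DLP_ONLY_PROTOCOLS:
        return ["dlp"] if "dlp" in enabled else []
    if proto not in FILE_FILTERING_PROTOCOLS:
        return []  # file filtering is not available for this protocol
    # Step 1, the engine's reputation cache, runs before any configured method.
    return ["reputation_cache"] + [m for m in METHOD_ORDER if m in enabled]


def walk(protocol, enabled, matches):
    """Return (stages_run, matching_stage).

    `matches` is the set of stages that would flag the file (constructed input).
    Stopping at a match after the cache stage is an assumption of this model.
    """
    run = []
    for stage in scan_plan(protocol, enabled):
        run.append(stage)
        if stage in matches:
            return run, stage
    return run, None


def malware_scan_gaps(protocols, enabled):
    """Protocols in use whose files reach no malware detection method."""
    return sorted(p for p in protocols
                  if not MALWARE_METHODS & set(scan_plan(p, enabled)))


if __name__ == "__main__":
    enabled = {"dlp", "anti_malware", "sandbox"}  # constructed configuration
    print(scan_plan("https", enabled))
    print(walk("HTTP", enabled, {"anti_malware"}))
    # SMB is a constructed example of a protocol outside the supported list.
    print(malware_scan_gaps(["HTTP", "SMTP", "SMB"], enabled))
```

Protocols returned by `malware_scan_gaps` need malware inspection from another control, because file filtering does not scan them for malware.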