File sharing with sandbox/malware analysis
-
We have a requirement to set up a secure file sharing option to send and receive files between our employees and our external vendor. I am looking for a solution which enables file server, but along with that, some additional features which analyse the files for any threats. As I understand, the way products like Box, OneDrive, Dropbox etc. work to protect against ransomware, for example, is to restore from a previous version. This doesn't protect an endpoint from getting infected. We do have endpoint protection but still wanted to ensure the files we get from outside are also scanned.
I've seen https://www.getfilecloud.com/
The part that I am interested in is:
Ransomware Protection: Heuristic file content scanning engine to detect and block Ransomware
Anti-Virus scanning: Automatic anti-virus scanning of files when uploading files
Only thing on the AV scanning is that the AV used is ClamAV: https://www.getfilecloud.com/FileCloud_Security_FAQ.pdf
I am trying to find the same functionality on Nextcloud, but didn't see anything specific on heuristic analysis.
-
-
ClamAV is available for Nextcloud.
https://docs.nextcloud.com/server/12/admin_manual/configuration_server/antivirus_configuration.html
-
@nashbrydges said in File sharing with sandbox/malware analysis:
ClamAV is available for Nextcloud.
https://docs.nextcloud.com/server/12/admin_manual/configuration_server/antivirus_configuration.html
Very nice.
-
@nashbrydges said in File sharing with sandbox/malware analysis:
ClamAV is available for Nextcloud.
https://docs.nextcloud.com/server/12/admin_manual/configuration_server/antivirus_configuration.html
Good to see that ClamAV is available on Nextcloud. As mentioned in my original post, I would like to see more about the heuristic analysis, as most ransomware or zero-day threats can't be detected by a signature-based security solution like an AV. FileCloud fits this part well even though I am not sure yet on how good that heuristic analysis is.
Another option I would like to explore is to have some sort of sandboxing or behavior analysis tool on local storage and use Nextcloud as a solution along with the ClamAV engine.
-
-
@ambarishrh Ransomware protection is required because users open the files and run the contents (mostly). If your server is not going to open files but instead only host the files for users to access, then the ransomware protection should be on the endpoint.
FileCloud compares MIME type against file content. If someone uploads a real Word document that's been scripted to retrieve and launch a payload, and the user clicks to allow it to run, this MIME checking will be of little consolation since the Word document will have passed the MIME check and you're back to the user being the weak link (while their files are getting encrypted).
You're right though, the ransomware protection that is offered as an app for Nextcloud only checks for known bad file extensions/names.
https://nextcloud.com/blog/nextcloud-presents-ransomware-protection-app/
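
An added example, not part of the original post and not FileCloud's or Nextcloud's code: a sketch of the content-versus-extension check described above, run on constructed samples. It shows a disguised executable being caught while a macro-carrying document passes; the `has_vba_project` check goes beyond what the thread describes, and all names and the extension table are assumptions.

```python
import io
import os
import zipfile

# Leading "magic" bytes for a few container formats (illustrative subset).
MAGIC = [
    (b"MZ", "pe"),                                   # Windows executable
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # OOXML (.docx/.docm) is a ZIP
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls
]
# Container each extension should hold (assumed table, not exhaustive).
EXPECTED = {".exe": "pe", ".pdf": "pdf", ".docx": "zip", ".docm": "zip", ".doc": "ole2"}
DISGUISED_EXE = b"MZ\x90\x00" + b"\x00" * 60         # constructed: PE header bytes only

def sniff(data: bytes) -> str:
    """Return the container type implied by the file's leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def type_check(filename: str, data: bytes) -> str:
    """'ok' if content matches the extension, else 'mismatch' or 'unlisted'."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in EXPECTED:
        return "unlisted"
    return "ok" if sniff(data) == EXPECTED[ext] else "mismatch"

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML archive carries a VBA macro part (vbaProject.bin)."""
    if sniff(data) != "zip":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def make_constructed_docm() -> bytes:
    """Constructed sample: minimal ZIP laid out like a macro-enabled document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()
```

The type check only answers "is this the kind of file its name claims", so a well-formed document passes regardless of what it is scripted to do; flagging the macro part is a separate policy decision.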
-
There's an array of protection being enforced in our endpoints and immediate plan even includes end user training. Am evaluating and trying to find the right product and my first choice as of now is to go with KnowBe4 security awareness training. I believe adding another layer of protection is always good.
On our Exchange level (O365), we have enabled attachment scanning on executables (we have Advanced Threat Protection) as part of our package and we could see that some of our vendors' attachments are now being blocked and identified as Trojans. We are still at risk with getting files from USB and so thinking of providing a file sharing solution that has some sort of protection on that level as well.
-
Do you have some sort of intrusion detection service running right now? (Wazuh, OSSIM, or one of the paid-for solutions?) If you do, between that and the ClamAV, you should be as well protected as you could possibly be.
Edit: I should specify to never skimp on user training! KnowBe4 is a great tool.