File interceptor operation

When running object scan jobs, File Threat Protection uses the file operation interceptor. It is set to one of the following file interception modes (InterceptorProtectionMode):

• Enforce (default): blocks files for the duration of the scan job that uses the file interceptor. No file can be accessed until the scan has been completed. When detecting infected objects, the solution performs the actions specified in the settings under Actions on detected objects.
• Audit: does not block files during the scan job that uses a file interceptor. Access to any file is allowed; scanning is performed asynchronously. When infected objects are detected, the solution only records an event in the Event Log. The actions specified in the settings under Actions on detected objects are not performed.

  If the Audit value is selected, the solution enables the notification mode of File Threat Protection.

The configured component settings are applied when File Threat Protection is activated in runtime policies. These settings are the same for all created runtime policies. If the applicable runtime policy is set to audit mode and InterceptorProtectionMode in File Threat Protection is set to Enforce, the solution blocks the files.

Page top