How do I configure the Advanced Threats Protection policy?

About Advanced Threats Protection

Today, web pages do not just contain plain text nested inside HTML tags. Instead, they are filled with Java applets, flash videos, ActiveX and other objects designed to run programs. Hackers routinely embed malicious scripts and applications not only on their own web sites but on legitimate websites that they have hacked as well. The Zscaler service identifies a variety of these objects and scripts and prevents them from downloading to the end user's browser.

When you configure the Advanced Threats Protection policy, you can set a Suspicious Content Protection (Page Risk™) value. The Zscaler service calculates the Risk Index of a page in real time by identifying malicious content within the page (injected scripts, vulnerable ActiveX, zero-pixel iFrames, and many more) and creating a risk score, or Page Risk Index. Simultaneously, a Domain Risk Index is created using data such as hosting country, domain age, past results, and links to high-risk top-level domains. The Page Risk and Domain Risk are combined to produce a single score for the Risk Index; this score is then evaluated against the Suspicious Content Protection (Page Risk™) value that you set in this policy.

The Advanced Threats Protection policy also protects your traffic against the following advanced threats:

  • Botnet Protection
    Botnets are systems in which attackers have secretly installed their software. This software is designed to communicate periodically with a "command and control" center, and a master application instructs the infected computers to send spam or phishing email, or to perform other malicious tasks.
    • Command & Control Servers: This refers to connections to known command and control servers.
    • Command & Control Traffic: This refers to botnets sending or receiving commands to unknown servers. The Zscaler service examines the content of the requests and responses to unknown servers.
  • Malicious Active Content Protection
    The Zscaler service blocks access to websites that attempt to download dangerous content to your browser when you visit them. It also blocks vulnerable ActiveX controls and web browsers that are known to have been exploited. Here you can also blacklist specific URLs for your organization.
    • Malicious Content & Sites: This refers to web sites that attempt to download dangerous content to your browser when you visit them. Increasingly, this content is downloaded silently without the user's knowledge or awareness. Malicious sites include exploit kits, compromised websites, and malicious advertising.
    • Vulnerable ActiveX Controls: This refers to ActiveX controls that are known to have been exploited. An ActiveX control is a software program for Internet Explorer, often referred to as an add-on.  
    • Browser Exploits: This refers to known web browser vulnerabilities that can be exploited, including exploits for Internet Explorer and Adobe Flash.
    • File Format Vulnerabilities: This refers to known file format vulnerabilities in Microsoft documents.
    • Blocked Malicious URLs: You can blacklist specific URLs for your organization in this field.
  • Fraud Protection
    Phishing sites are websites that mimic legitimate banking and financial sites (for example,,, and so on). Their purpose is to fool you into thinking you can safely submit bank account, password, and other personal information which criminals can use to steal your money.  
    • Known Phishing Sites: This refers to websites known to be phishing sites.
    • Suspected Phishing Sites: The Zscaler service can inspect the content of a web site for indications that it may be a phishing site.
    • Spyware Callback: Adware/Spyware sites gather users' information without notification, and sell this information to advertisers or criminals. When Spyware Callback is blocked, the Zscaler service prevents the Spyware from calling back home.
    • Web Spam: This refers to web pages that pretend to contain useful information, to get higher ranking in search engine results or drive traffic to Phishing, Adware, or Spyware distribution sites.
  • Unauthorized Communication Protection
    Unauthorized communications refer to IRC tunneling applications, and "anonymizer" sites that are used to bypass firewalls and proxies.
    • IRC Tunneling: This refers to IRC traffic being tunneled over HTTP/S.
    • SSH Tunneling: This refers to SSH traffic being tunneled over HTTP/S.
    • Anonymizers: This refers to applications and methods used to obscure the destination and the content accessed by the user. The use of anonymizers may enable users to bypass policies that control access to websites and Internet resources.
  • Cross-Site Scripting (XSS) Protection
    Cross-site scripting (XSS) refers to vulnerabilities in web server applications that allow malicious users to inject their own code into the web site. When other users download a page from the web server, the malicious code is also sent to the user's browser. XSS includes the following:
    • Cookie Stealing: This refers to third party websites that gather cookie information, which can be used to identify users, track Internet activity, or steal a user's session.
    • Potentially Malicious Requests: These are a type of cross-site scripting request. Select Block to block cross-site scripting.
  • Suspicious Destinations Protection
    You can block requests to any country in the world based on the ISO 3166 mapping of countries to their IP address space. Websites are blocked based on the location of the web server. Choose the countries you want to block in the Blocked Countries menu.
  • P2P File Sharing Protection
    P2P File Sharing refers to Internet resources that allow users to easily share files with each other. The danger is that users may illegally share copyrighted or protected content. The file-sharing applications listed are some of the more common ones in use today.
    • BitTorrent: The Zscaler service can block the usage of BitTorrent, a popular P2P file sharing application. Content downloaded with BitTorrent is encrypted; therefore, it cannot be inspected.
  • P2P Anonymizer Protection
    P2P Anonymizer refers to applications and methods used to obscure the destination and content accessed by the user. Use of anonymizers may enable users to bypass policies controlling what websites they may visit or Internet resources they may access.
    • Tor: The Zscaler service can block the usage of Tor, a popular P2P anonymizer protocol. Content downloaded with Tor is encrypted; therefore, it cannot be inspected.
  • P2P VoIP Protection
    P2P VoIP lists several popular “Voice over IP” (VoIP) applications. While VoIP may be encouraged for its telephone cost savings, it may also be discouraged because of the high bandwidth utilization associated with it.
    • Skype: The Zscaler service can block access to Skype, a popular P2P VoIP application.

Zscaler has a recommended Advanced Threats Protection Policy.

For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?

NOTE: Whitelisted URLs take precedence over all options in this list. For example, if a whitelisted URL is hosted on a web server in a blocked country, the service will allow users to download content from that website.

Configuring Advanced Threats Protection

Note that the Advanced Threats Protection policy is a global policy; it therefore applies to all users.

To modify the Advanced Threats policy:

  1. Go to Policy > Web > Advanced Threats Protection.
  2. Click the Advanced Threats Policy tab and set the following:
    • Suspicious Content Protection (Page Risk™)
      The green area at the left end of the continuum (Low Risk) indicates that you are willing to block anything that is even slightly suspicious; there is no tolerance for risk. At the opposite end, the red area (High Risk) indicates a high tolerance for risk and will allow users to access even very risky sites. Click on the bar to set the page risk tolerance of your organization.
  3. Click Allow or Block to change any of the settings.
  4. In Malicious Active Content Protection > Blocked Malicious URLs, type in the URLs you want to blacklist for your organization.
  5. Click Save and activate the change.

Configuring Security Exceptions for Advanced Threats Protection

  1. Click the Security Exceptions tab.
  2. Under Do Not Scan Content from these URLs, list the URLs you don't want the service to scan. These URLs will be whitelisted for Advanced Threats Protection.
    Note that this applies to other web security policies as well, including Malware Protection and Sandbox. See How do I Whitelist URLs?
  3. Click Save and activate the change.

Note that this whitelist applies to the Advanced Threats Protection, Malware Protection, and Sandbox policies.
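
Because whitelisted URLs take precedence over every option in this policy, an entry under Do Not Scan Content from these URLs can silently cancel an entry under Blocked Malicious URLs. The following Python script is an added example, not Zscaler code, that compares the two lists and reports such conflicts; its matching rules (a host covers its subdomains, a path matches as a prefix on segment boundaries) and the sample lists are assumptions.

```python
from urllib.parse import urlsplit

def parse_entry(entry):
    """Split a list entry such as 'example.com/path' into (host, path)."""
    parts = urlsplit(entry if "//" in entry else "//" + entry)
    host = (parts.hostname or "").lower().strip(".")
    return host, parts.path.rstrip("/")

def covers(pattern, target):
    """True if `pattern` matches everything that `target` matches.

    Assumed semantics (not taken from the Zscaler documentation): a host
    matches itself and its subdomains, and a path matches as a prefix on
    segment boundaries.
    """
    p_host, p_path = parse_entry(pattern)
    t_host, t_path = parse_entry(target)
    if not p_host or not t_host:
        return False
    host_ok = t_host == p_host or t_host.endswith("." + p_host)
    path_ok = p_path == "" or t_path == p_path or t_path.startswith(p_path + "/")
    return host_ok and path_ok

def shadowed_blocks(whitelist, blocked_urls):
    """Return (whitelist_entry, blocked_entry, kind) for every conflict.

    'full'    : the exception covers the whole blocked entry, so the block
                never takes effect.
    'partial' : the exception is narrower than the blocked entry, so part
                of the blocked URL space is allowed through unscanned.
    """
    findings = []
    for w in whitelist:
        for b in blocked_urls:
            if covers(w, b):
                findings.append((w, b, "full"))
            elif covers(b, w):
                findings.append((w, b, "partial"))
    return findings

# Constructed sample lists (reserved example domains, not real policy data).
WHITELIST = ["partner.example.com", "example.org/downloads", "cdn.example.net/static/app"]
BLOCKED = ["files.partner.example.com/tools", "example.org/download", "cdn.example.net/static"]

if __name__ == "__main__":
    for w, b, kind in shadowed_blocks(WHITELIST, BLOCKED):
        print(f"{kind:8} exception {w!r} overrides block {b!r}")
```

Any reported pair is worth reviewing before you save the Security Exceptions tab, since the same whitelist also applies to the Malware Protection and Sandbox policies.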