Symantec Content Analysis System – central component of the ATP system

One of the products that was among the first to be integrated into the Symantec portfolio following the acquisition of Blue Coat, and which boasts the largest number of deployed upgrades, is the Content Analysis System product for advanced analysis of malicious threats delivered via web and mail gateway systems.

Content Analysis System was primarily linked with and relied on ProxySG – secure web gateway solution which forwards suspicious files for analysis by integrating with the ICAP protocol. Recent upgrade (version 2.1) added a series of functionalities which transformed CAS into an essential component of the Advanced Threat Protection (ATP) system.

By consolidating and integrating Symantec ProxySG (secure Internet access), Messaging Gateway (mail channel protection), Content Analysis System (file analysis), Malware Analysis (sandboxing) and Endpoint Prevention 14 (end-to-end protection) products, we have achieved the following:

  • Complete protection of web and mail traffic – two most sensitive primary sources of malicious threats
  • Blocking known threats – URLs, malware, and spam – on the gateway, and additional analysis of suspicious objects not recognized by ProxySG or SMG
  • Optional use of two concurrent antivirus engines (support for Symantec AV engine is coming soon)
  • Analysis of unknown objects using static analysis and machine learning engine (in CAS 2.2 Symantec’s own Advanced Machine Learning engine is used)
  • Execution of potentially dangerous samples in a controlled and customizable sandbox environment
  • Antimalware client integration (Symantec Endpoint Prevention 14)
Layered security and sandboxing system optimization – most threats are stopped on the ProxySG, additional analysis is performed on CAS using several engines, and unknown files are executed in a separate sandbox environment.

Sandbox is now integrated on CAS hardware

Malware Analysis product functionalities can now be used on existing Conent Analysis hardware. The S400 and S500 hardware series are already supported, with future upgrades (CAS 2.2) offering the option of file simulation in a cloud sandbox on all CAS hardware devices. This ensures a more flexible ATP system without the need for dedicated hardware in smaller environments. Depending on client needs, combinations include dedicated hardware for each system (ProxySG + CAS + MAA), Advanced Secure Gateway platform (ProxySG and CAS on a single device) linked with a separate Malware Analysis system or ProxySG with sandboxing capabilities integrated on CAS.

Examples of possible combinations and integrations vary from virtualized products and dedicated hardware to cloud solutions.

In this scenario, CAS is acting as a pre-filter that covers and eliminates most of the threats using layered analysis – URL and file reputation, optional dual antivirus engine, predictive behavioral analysis and machine learning (Symantec Advanced Machine Learning), with final sandboxing on the CAS itself, separate MAA device or FireEye.

Web and email ATP integrated in a single product

By integrating Blue Coat and Symantec portfolios, CAS now covers the email channel, which is the most common source of threats in enterprise-sized organizations. Starting from version 10.6.3, Symantec Mail Gateway comes integrated with CAS to forward samples detected in the email channel. This solution provides advanced threat protection (ATP) by covering two largest infection vectors in any organization. Integration is done using the REST API which enables integration with third-party solutions. Relevant documentation can be found on the Support Portal.

Block detected threats directly on the endpoint Symantec Endpoint Protection 14

Integration with Symantec Endpoint Protection (SEP) 14 Manager provides clients with the ability to quickly protect their endpoint environments from unknown threats detected on the CAS using heuristics and sandboxing. After detecting malicious content, this information is shared with the SEP Manager where the administrator has the option to block the threat on SEP clients and protect the system against infections.

Upgrade also available on ASG

Advanced Secure Gateway is a hardware platform that combines ProxySG and CAS products, and also provides integration with the Symantec Endpoint Protection environment in the latest update. Sandboxing functionality remains available only on separate CAS and MAA hardware.

Please contact us for advice on sizing, integration with existing environments, receiving informational offers and additional information on these products.

More information: