Content Inspection Rules on Zenconsole
Zenarmor Content Inspection is a critical component of modern network security policies. It ensures that every file and DNS request passing through your environment is thoroughly examined for potential threats. Instead of relying solely on perimeter defenses, the Zenarmor Content Inspection feature provides deep visibility and control over the actual content being transmitted, whether it is a downloaded file or a DNS query.
By enabling Zenarmor Content Inspection, organizations can have the following capabilities.
- Detect and block hidden malware before it executes.
- Identify covert data exfiltration attempts through DNS tunneling.
- Enforce consistent security standards across all devices and users.
The Content Inspection feature is configured per policy, on the policy's Content Inspection tab. There you will find two protective layers: Realtime File Scanning and DNS Deep Inspection. These tools enable IT administrators to proactively prevent advanced threats and ensure compliance with corporate security requirements.
Figure 1. Zenarmor Content Inspection
Realtime File Scanning
Zenarmor Realtime File Scanning is a vital security capability that analyzes downloaded files in-line, examining their origins, behaviors, and trust signals to prevent harmful payload execution. This feature helps organizations detect and prevent hidden threats.
When Realtime File Scanning is enabled, the system inspects the following file categories, which are frequently used to carry malicious payloads:
- Windows EXE (executable)
- Linux ELF (executable)
- macOS Mach-O (executable)
- Android Dex (executable)
- ZIP archives
- WebAssembly
- Shell Script
The Zenarmor Realtime File Scanning feature is available only in the SSE and higher editions.
This coverage spans the major operating systems and the container formats most often used to deliver a payload; an archive is included because malware is frequently shipped inside a ZIP rather than as a bare executable. By scanning executables, scripts, WebAssembly modules, and ZIP archives in real time, Realtime File Scanning helps organizations defend proactively against advanced persistent threats (APTs) and cross-platform malware campaigns.
To tailor Realtime File Scanning to your organization’s needs, the dropdown menu provides three enforcement modes. These options allow administrators to decide whether files should be bypassed, only monitored, or fully blocked, ensuring the right balance between security and operational continuity:
- Disabled: No file scanning will occur. Files are delivered without inspection. This mode should be reserved for trusted environments where inspection is unnecessary.
- Log: Files are scanned and results are recorded in logs, but no blocking action is taken. This mode is particularly useful during testing or pilot phases, allowing administrators to observe potential threats without impacting end users. You may view these logs on your Reports or Live Sessions Explorer pages.
- Block: Files are scanned in real time, and any malicious or suspicious file is immediately prevented from being delivered. This is the most secure option and is recommended for production environments where maximum protection is required.
Figure 2. Zenarmor Realtime File Scanning Settings
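An in-line scanner has to decide what a download is from its bytes, never from the extension or the Content-Type header, since both are under the sender's control. The Python below is an added example, not Zenarmor's code, showing how a content-based classifier for the categories listed above and the three enforcement modes fit together: it matches each format by its signature, confirms that an "MZ" file really carries a PE header, tells fat Mach-O binaries apart from Java class files (which share the CAFEBABE magic), walks ZIP members so an executable inside an archive is still scanned, and applies Disabled, Log or Block. The verdict stage is a SHA-256 blocklist standing in for the product's own analysis, which this page does not describe. All sample files and the blocklist entry are constructed; the nfat_arch cut-off, the nesting depth and the member size limit are assumptions.

```python
import hashlib
import io
import struct
import zipfile

# Content signatures for the categories listed on this page. Matching is on the
# bytes themselves: extension and Content-Type header are attacker-controlled.
MAGIC = [
    ("Linux ELF", b"\x7fELF"),
    ("Android Dex", b"dex\n"),
    ("WebAssembly", b"\x00asm"),
    ("ZIP archive", b"PK\x03\x04"),
    ("Shell script", b"#!"),
]
MACHO_THIN = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
MAX_DEPTH = 2           # assumption: walk nested archives two levels deep, not forever (zip bombs)
MAX_MEMBER = 8 << 20    # assumption: skip archive members whose declared size exceeds 8 MiB


def classify(data):
    """Return the category name for `data`, or None if it is not a scanned type."""
    if data[:2] == b"MZ":
        # A real PE has e_lfanew at 0x3c pointing at "PE\0\0"; a bare "MZ" prefix is not enough.
        if len(data) >= 0x40:
            off = struct.unpack_from("<I", data, 0x3c)[0]
            if data[off:off + 4] == b"PE\x00\x00":
                return "Windows EXE"
        return "MZ executable (no PE header)"
    if data[:4] in MACHO_THIN:
        return "macOS Mach-O"
    if data[:4] == b"\xca\xfe\xba\xbe" and len(data) >= 8:
        # CAFEBABE is shared by fat Mach-O and Java .class files. In a fat binary the next
        # big-endian word is nfat_arch (small); in a class file it is the version, and
        # class major versions start at 45. The cut-off of 32 is an assumption.
        return "macOS Mach-O" if struct.unpack_from(">I", data, 4)[0] < 32 else None
    for name, sig in MAGIC:
        if data.startswith(sig):
            return name
    return None


def scan(data, depth=0, path=""):
    """Yield (path, category, bytes) for the file and, for ZIPs, every scannable member."""
    kind = classify(data)
    if kind is None:
        return
    yield path, kind, data
    if kind == "ZIP archive" and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER:
                        continue
                    member_path = f"{path}/{info.filename}".lstrip("/")
                    yield from scan(zf.read(info), depth + 1, member_path)
        except zipfile.BadZipFile:
            pass  # PK header but unreadable archive: the outer finding already records it


# Stand-in for the product's verdict: the page does not describe Zenarmor's detection
# logic, so this constructed example uses a SHA-256 blocklist populated below.
KNOWN_BAD = set()


def verdict(blob):
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD


def enforce(data, mode):
    """Apply the dropdown modes from the page (Disabled, Log, Block); returns (action, findings)."""
    if mode == "Disabled":
        return "deliver", []
    findings = [(p, k, verdict(b)) for p, k, b in scan(data)]
    if mode == "Block" and any(bad for _, _, bad in findings):
        return "block", findings
    return "deliver", findings   # Log mode, or nothing bad found: record and deliver


# Constructed samples (not real malware): minimal headers that satisfy the checks above.
PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
JAVA_CLASS = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52)   # minor 0, major 52
FAT_MACHO = b"\xca\xfe\xba\xbe" + struct.pack(">I", 2)          # nfat_arch = 2
KNOWN_BAD.add(hashlib.sha256(PE).hexdigest())                   # treat the sample PE as known bad


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


DROPPER_ZIP = make_zip({"readme.txt": b"run me\n", "update.exe": PE})
DOCX_LIKE = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for label, blob in [("pe", PE), ("elf", ELF), ("class", JAVA_CLASS), ("fat", FAT_MACHO),
                        ("dropper.zip", DROPPER_ZIP), ("report.docx", DOCX_LIKE)]:
        print(label, classify(blob), enforce(blob, "Block"))
```

Two details carry the security weight. The ZIP walk is what makes the archive category useful: the outer file is clean by hash, but the member `update.exe` is found and, in Block mode, the whole download is withheld, whereas Log mode records the same findings and still delivers it. The magic checks are deliberately stricter than a prefix match, because an attacker who knows the scanner keys on `MZ` or `CAFEBABE` can otherwise make an inert file look like an executable, or an executable look like something else.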
How to Enable Realtime File Scanning
You may follow these steps to locate and configure the Realtime File Scanning option in your policy settings:
- Open your browser and navigate to Zenconsole.
- Enter your username and password.
- Click Policies on the left-hand sidebar. This expands the menu to show two sub-options: Internet Security Policies and Private Access Policies.
- Click Internet Security Policies.
- From the list of available policies, choose the one you want to configure (e.g., security).
- In the policy settings, go to the Content Inspection tab.
- In the Realtime File Scanning pane, locate the “Perform inline scan of downloaded files” option and its dropdown menu.
- Select the desired enforcement mode from the dropdown menu.
- Disabled
- Log
- Block
The setting is applied instantly; no manual saving is required. Once selected, your enabled policy will begin enforcing the chosen mode immediately.
DNS Deep Inspection
DNS Deep Inspection is an advanced security capability that analyzes DNS traffic at a packet level to detect hidden threats, protocol anomalies, and covert communication channels. Since DNS is a core service that rarely gets blocked in networks, attackers often exploit it for data exfiltration or to control infected devices.
By enabling DNS Deep Inspection in Zenarmor, organizations gain deeper visibility into DNS activities and can stop sophisticated attack techniques before they cause harm.
The Zenarmor DNS Deep Inspection feature is available only in paid editions.
Below are the available DNS Deep Inspection options you can configure.
Inspect DNS traffic for malicious DNS tunnels
DNS Tunneling is an advanced technique often exploited by cybercriminals to bypass network security measures. By using DNS queries and responses as a covert channel, attackers can disguise malicious traffic as legitimate DNS activity. This allows them to exfiltrate sensitive data, deliver commands, or maintain communication with compromised systems without triggering traditional security alerts.
Zenarmor’s Block DNS Tunneling feature, the “Inspect DNS traffic for malicious DNS tunnels” option in the policy, defends against this threat. When enabled, Zenarmor performs a deep inspection of DNS traffic to detect tunneling attempts; in Log mode the findings are recorded, and in Block mode the tunneled queries are dropped, so the covert channel cannot be used for data exfiltration or command and control.
Because DNS tunneling is difficult to identify with conventional tools, which see only ordinary-looking queries and responses, inspecting the traffic itself is what keeps the network resilient against data exfiltration, covert channel communication, and advanced evasion techniques. Enabling this feature therefore strengthens your security posture and safeguards sensitive information against emerging threats.
Inspect DNS traffic for malformed/non-standard DNS transactions
Malformed or non-standard DNS queries can indicate attempts to exploit vulnerabilities in DNS servers or resolvers, as well as signs of misconfigured or compromised devices within the network. Attackers may craft abnormal DNS packets to crash a resolver, inject malicious data, or use protocol irregularities to bypass detection.
Zenarmor’s Malformed DNS protection inspects DNS traffic for suspicious or corrupted queries. In Log mode such requests are recorded; in Block mode they are dropped before they can cause disruption or be leveraged in an attack. Detecting this traffic also helps administrators identify malfunctioning endpoints or devices that may still be infected with malware.
By enabling this feature, organizations strengthen their defenses against protocol abuse, reduce the risk of DNS-based exploitation, and ensure the integrity of their DNS infrastructure.
Inspect DNS traffic for botnet DGA domain queries
Botnets frequently rely on Domain Generation Algorithms (DGA) to create large numbers of random domain names, making it extremely difficult to predict or block their communication patterns using traditional domain-based detection methods. This allows infected devices to reach Command and Control (C&C) servers through constantly shifting domains, bypassing conventional security defenses.
Zenarmor’s Botnet DGA Domains protection provides a critical layer of defense against this evasive technique. When enabled, the system inspects DNS queries in real time to identify suspicious, algorithm-generated domain names; in Log mode these queries are recorded, and in Block mode they are dropped before the name can be resolved. This prevents botnet agents from establishing communication with their C&C infrastructure and stops the malicious activity at its root.
Because DGA-based domains are dynamic and unpredictable, they pose a significant challenge to cybersecurity teams. By proactively blocking these queries, Zenarmor ensures your network remains resilient against advanced botnet strategies, adding an essential layer of protection against evolving threats.
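The three inspections above share one prerequisite: the query must be parsed strictly, so that malformed packets are caught, and the parsed name can then be tested for tunneling and DGA characteristics. The Python below is an added example, not Zenarmor's code, implementing all three checks over raw DNS packets together with the Log and Block modes from the policy dropdown. Its thresholds (subdomain length, entropy, vowel ratio), its treatment of the last two labels as the registered domain, and its sample packets are constructed assumptions; a production engine would use the public suffix list and tuned models rather than these fixed cut-offs.

```python
import math
import struct
from collections import Counter

MAX_NAME = 255            # RFC 1035 limit on an encoded name
DATA_QTYPES = {10, 16}    # NULL and TXT carry arbitrary payloads and are favoured by tunnels


def parse_query(pkt):
    """Strictly parse a DNS query header and first question; ValueError on anything malformed."""
    if len(pkt) < 12:
        raise ValueError("header truncated")
    _txid, flags, qdcount, *_ = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: response flags on a query")
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):          # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        raise ValueError(f"reserved opcode {opcode}")
    if qdcount != 1:
        raise ValueError(f"qdcount={qdcount}, expected 1")
    labels, off = [], 12
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        n = pkt[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0:   # 0b11 = compression pointer (invalid in a question), 0b01/0b10 = reserved
            raise ValueError(f"label octet 0x{n:02x} is not a plain 1..63 byte label")
        label = pkt[off + 1:off + 1 + n]
        if len(label) != n:
            raise ValueError("label truncated")
        labels.append(label.decode("ascii"))   # non-ASCII raises UnicodeDecodeError, a ValueError
        off += 1 + n
    if off - 12 > MAX_NAME:
        raise ValueError("name longer than 255 octets")
    if off + 4 > len(pkt):
        raise ValueError("question truncated")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return ".".join(labels), qtype, qclass


def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())


def looks_like_tunnel(name, qtype):
    """Long, high-entropy data below the registered domain is the tunnelling signature.
    Assumption: the registered domain is the last two labels (real engines use the public suffix list)."""
    sub = ".".join(name.split(".")[:-2])
    if not sub:
        return False
    min_len = 30 if qtype in DATA_QTYPES else 50     # assumed, tunable thresholds
    return len(sub) >= min_len and entropy(sub.replace(".", "")) > 3.5


def looks_like_dga(name):
    """Algorithmically generated second-level labels: long, random-looking, vowel-poor."""
    labels = name.split(".")
    if len(labels) < 2 or len(labels[-2]) < 10:
        return False
    sld = labels[-2]
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return entropy(sld) > 3.0 and vowel_ratio < 0.25       # assumed, tunable thresholds


def inspect(pkt, mode="Block"):
    """Run the three inspections; mode is Log or Block as in the dropdown. Returns (findings, action)."""
    try:
        name, qtype, _ = parse_query(pkt)
    except ValueError as err:
        findings = [f"malformed: {err}"]
    else:
        findings = []
        if looks_like_tunnel(name, qtype):
            findings.append(f"dns-tunnel: {name}")
        if looks_like_dga(name):
            findings.append(f"dga: {name}")
    action = "drop" if findings and mode == "Block" else "forward"
    return findings, action


def build_query(name, qtype=1, txid=0x1234):
    """Encode a query without validating label lengths, so malformed samples can be built too."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


# Constructed samples, not captured traffic.
TUNNEL = build_query("q7x2kmzp3wvhj5ncrt6ylg4bfdsoaeui.3hzbqe4pnaxwg7cy5rfidktu6ojmsl2v.example.net", qtype=16)
DGA = build_query("xjdkwqpzvbnmtr.com")
TOO_LONG_LABEL = build_query("x" * 70 + ".example.com")
POINTER_IN_QUESTION = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for sample in (build_query("example.com"), TUNNEL, DGA, TOO_LONG_LABEL, POINTER_IN_QUESTION, b"\x12\x34\x01"):
        print(inspect(sample))
```

The parser is the part worth copying: it refuses compression pointers in the question, reserved label types, truncated names and non-ASCII labels rather than tolerating them, which is exactly the class of input that crashes or confuses lenient resolvers. The two name heuristics run only on packets that parsed cleanly, and the mode switch shows the difference the dropdown makes: in Log mode every sample is forwarded with its findings recorded, in Block mode the flagged ones are dropped.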
How to Enable DNS Deep Inspection
To configure DNS Deep Inspection in Zenconsole, follow the steps below:
- Open your browser and log in to Zenconsole with your username and password.
- Navigate to Policies on the left-hand sidebar.
- Click Internet Security Policies.
- Select the policy you want to configure (for example: Security).
- Go to the Content Inspection tab.
- Scroll down to the DNS Deep Inspection section.
- Under this section, you will see three available options:
- Inspect DNS traffic for malicious DNS tunnels
- Inspect DNS traffic for malformed/non-standard DNS transactions
- Inspect DNS traffic for botnet DGA domain queries
- Next to each option, you’ll find a dropdown menu. Select the enforcement mode:
- Log: DNS traffic is inspected and all findings are recorded in logs, but no blocking occurs. This mode is useful for monitoring or testing environments. You may view these logs on your Reports or Live Sessions Explorer pages.
- Block: DNS traffic is inspected, and any malicious or suspicious activity is immediately blocked. This is the recommended option for maximum security.
The setting is applied instantly; no manual saving is required. Once selected, your enabled policy will begin enforcing the chosen mode immediately.