Version: 2.19.0

Configuring Foresight in Halo

Once Foresight is deployed, you control how it behaves through your content management policy. Each policy decides whether Foresight runs and what happens to files it predicts to be malicious. This page covers enabling Foresight on a policy, blocking malicious files and reading the results.

Prerequisites

  • Foresight is enabled on the engine (foresight.enabled).
  • Your Halo license includes the Foresight entitlement. Without it, the threat prediction settings show a Requires upgrade state and Foresight does not run.

Enabling Foresight on a policy

Foresight is configured per content management policy and is disabled by default, even when it is enabled on the engine.

In the Portal, open the Protection settings of a policy and find the AI Powered Threat prediction section:

  • Enable malware threat prediction—Foresight assesses the original file and returns a threat prediction.
  • Disable malware threat prediction—files are not analyzed by Foresight. Standard Glasswall CDR protection remains active and processing times are unaffected.

Enabling Foresight may increase processing times, and only PDF, DOCX and XLSX files are assessed.

The equivalent setting in the policy JSON is foresightSettings.enabled:

"foresightSettings": {
    "enabled": true,
    "blockMaliciousFiles": true
}

Blocking malicious files

When Foresight is enabled, you choose what happens to files predicted to be Malicious using the Block malicious files setting (foresightSettings.blockMaliciousFiles, enabled by default):

  • Block malicious files—files flagged as malicious are still processed, but the processed file is blocked and not delivered. The threat analysis remains available.
  • Allow malicious files to be processed—files flagged as malicious are processed and a clean file is still delivered. Any malware is removed during CDR processing.

In both cases the file is processed and its Foresight result is recorded; the setting only controls whether the processed file is delivered.

How Foresight works with your CDR policy

Foresight assesses the original file and runs alongside your CDR policy rather than replacing it—files are still sanitized and rebuilt as normal. The Foresight prediction is additional information about the original file, and blocking on malicious simply withholds delivery of the processed file:

  • Even when a file is blocked, it is still processed and its threat analysis can be accessed.
  • Because the rebuilt file is sanitized, any malware has been removed—but the content of a file predicted to be malicious may have been fabricated, so verify it before acting on it.

Reading Foresight results

Single files (Sync and Async API)

For a single file, the APIs return the prediction in a response header:

Header | Values
X-Foresight-Threat-Prediction | No threats detected, Suspicious, Malicious, Unavailable, Disabled, Licence invalid

Archives and analysis reports

For archives and analysis reports, the prediction is included per file in the report's manifest.cdr-json under a foresight object:

"foresight": {
    "status": "Malicious",
    "blocked": true
}

blocked is true when the processed file was withheld because it was predicted to be malicious and the policy blocks malicious files.

Note

A file predicted to be Malicious is also blocked when the policy allows risky content to remain, even if Allow malicious files to be processed is selected. Because content was allowed rather than removed during CDR, the rebuilt file cannot be guaranteed safe, so Halo withholds it.

Portal

In the Portal, the file analysis page shows an AI-powered threat prediction section against the original file, with the prediction and guidance on handling the file.

Status values

Status | Meaning
No threats detected | No malware was predicted in the original file.
Suspicious | Some indicators of malware were found; treat the file with caution.
Malicious | The original file is predicted to be malicious. It can be blocked by policy.
Unavailable | Foresight ran but could not return a prediction—for example, the file is irregular, too small or too complex—or Foresight was temporarily unavailable.
Disabled | Foresight is turned off for the policy used.
Licence invalid | The deployment is not licensed for Foresight.
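
One way to triage the per-file foresight objects in a manifest.cdr-json, added here as an example and not taken from Halo or its documentation. The manifest layout outside the foresight object (the "files" and "name" keys) is assumed, so the walker finds foresight objects at any depth and reports their JSON paths; the bucket names are hypothetical.

```python
import json

# Status strings as listed on this page; anything else is treated as unknown.
NOT_ASSESSED = {"Unavailable", "Disabled", "Licence invalid"}

def find_foresight(node, path="$"):
    """Yield (json_path, foresight_object) for every object with a 'foresight' key."""
    if isinstance(node, dict):
        if isinstance(node.get("foresight"), dict):
            yield path, node["foresight"]
        for key, value in node.items():
            if key != "foresight":
                yield from find_foresight(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_foresight(item, f"{path}[{index}]")

def triage(manifest):
    """Group per-file results into buckets that each need a different follow-up."""
    report = {"withheld": [], "malicious_delivered": [], "suspicious": [],
              "not_assessed": [], "unknown_status": [], "no_threats": []}
    for path, result in find_foresight(manifest):
        status = result.get("status")
        if status == "Malicious":
            # blocked=true: the processed file was withheld. Otherwise a sanitized
            # file was delivered and its content should be verified before use.
            key = "withheld" if result.get("blocked") is True else "malicious_delivered"
        elif status == "Suspicious":
            key = "suspicious"
        elif status == "No threats detected":
            key = "no_threats"
        elif status in NOT_ASSESSED:
            # No prediction was produced; this is not the same as a clean result.
            key = "not_assessed"
        else:
            key = "unknown_status"
        report[key].append(path)
    return report

# Constructed sample: the "files"/"name" layout is assumed for illustration only.
SAMPLE = json.loads("""{"files": [
  {"name": "invoice.pdf", "foresight": {"status": "Malicious", "blocked": true}},
  {"name": "report.docx", "foresight": {"status": "Malicious", "blocked": false}},
  {"name": "nested.zip", "files": [
    {"name": "sheet.xlsx", "foresight": {"status": "Unavailable", "blocked": false}},
    {"name": "notes.docx", "foresight": {"status": "No threats detected", "blocked": false}}]}]}""")

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE).items():
        print(f"{bucket}: {paths}")
```

Keeping "not_assessed" separate from "no_threats" matters for reporting: Unavailable, Disabled and Licence invalid mean no prediction exists for the file, so they should not be counted as clean.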