Cisco Email Security Appliance C170 Operating Instructions
Cisco AsyncOS 9.5 for Email User Guide
Chapter 17 File Reputation Filtering and File Analysis
Overview of File Reputation Filtering and File Analysis
File Processing Overview
Evaluation of file reputation and sending of files for analysis occur immediately after anti-virus
scanning, regardless of verdicts from previous scanning engines, unless a final action has been taken on
the message.
Communications between the appliance and the file reputation service are encrypted and protected from
tampering.
After a file’s reputation is evaluated:
• If the file is known to the file reputation service and is determined to be clean, the message continues
through the workqueue.
• If the file reputation service returns a verdict of malicious for any attachment in the message, then
the appliance applies the action that you have specified in the applicable mail policy.
• If the file is known to the reputation service but there is insufficient information for a definitive
verdict, the reputation service returns a reputation score based on characteristics of the file such as
threat fingerprint and behavioral analysis. If this score meets or exceeds the configured reputation
threshold, the appliance applies the action that you have configured in the mail policy for files that
contain malware.
• If the reputation service has no information about the file, and the file does not meet the criteria for
analysis (see ), the file is considered clean and
the message continues through the workqueue.
For deployments with on-premises file analysis, the appliance also checks to see if the file is known
to the on-premises server.
• If you have enabled the cloud-based File Analysis service, and the reputation service has no
information about the file, and the file meets the criteria for files that can be analyzed (see
), then the file is considered clean and is optionally
sent for analysis.
• For deployments with on-premises file analysis, the reputation evaluation and file analysis occur
simultaneously. If the reputation service returns a verdict, that verdict is used, as the reputation
service includes inputs from a wider range of sources. If the reputation service cannot issue a
verdict, the file analysis verdict is used.
• You can configure the appliance to quarantine files sent for analysis instead of releasing them
immediately to the workqueue. See
.
• If file reputation or file analysis verdict information is unavailable because the connection with the
service timed out, the file is considered clean and is released to the end user. If the verdict is
unscannable for any other reason, the appliance applies the action that you have specified for
unscannable attachments in the applicable mail policy.
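
The processing rules above can be written as a single decision function, which makes the paths on which a file reaches the user without a verdict (notably the service timeout) easy to see when reviewing mail policy. This is an added illustration, not Cisco code or the appliance's implementation: every name, the outcome labels and the threshold value 60 are assumptions, and the on-premises file analysis path is left out.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical outcome labels; the real actions are whatever the mail policy configures.
DELIVER = "continue through workqueue"
MALWARE_ACTION = "apply mail-policy action for malware"
UNSCANNABLE_ACTION = "apply mail-policy action for unscannable attachments"
ANALYZE = "treat as clean, optionally send for analysis"
QUARANTINE = "quarantine pending analysis"

@dataclass
class Reputation:
    """One reputation lookup result (field names are assumptions)."""
    known: bool = False
    verdict: Optional[str] = None   # "clean", "malicious", or None if not definitive
    score: Optional[int] = None     # returned when the file is known but not definitive
    timed_out: bool = False         # connection with the service timed out
    unscannable: bool = False       # unscannable for any reason other than a timeout

def file_disposition(rep, threshold, analyzable=False, cloud_analysis=False,
                     quarantine_pending=False):
    """Map one lookup result to the outcome described in the bullets above."""
    if rep.timed_out:
        return DELIVER              # fail-open: a timeout is treated as clean
    if rep.unscannable:
        return UNSCANNABLE_ACTION
    if rep.known:
        if rep.verdict == "malicious":
            return MALWARE_ACTION
        if rep.verdict == "clean":
            return DELIVER
        if rep.score is not None and rep.score >= threshold:
            return MALWARE_ACTION   # score "meets or exceeds" the threshold
        return DELIVER              # assumption: the page does not state this case
    if analyzable and cloud_analysis:
        return QUARANTINE if quarantine_pending else ANALYZE
    return DELIVER                  # unknown and not eligible for analysis: clean

def reaches_user_unverified(rep, **kw):
    """True when the file is released although no clean verdict was returned."""
    return file_disposition(rep, **kw) in (DELIVER, ANALYZE) and rep.verdict != "clean"

if __name__ == "__main__":
    # Constructed sample lookups, not real service responses.
    samples = {"timeout": Reputation(timed_out=True),
               "score at threshold": Reputation(known=True, score=60),
               "unknown, analyzable": Reputation()}
    for name, rep in samples.items():
        print(name, "->", file_disposition(rep, 60, analyzable=True, cloud_analysis=True))
```
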