Cisco Web Security Appliance S670 User Guide
AsyncOS 8.5 for Cisco Web Security Appliances User Guide
Chapter 20 Monitor System Activity Through Logs
Interpreting Access Log Scanning Verdict Entries
The following text is the scanning verdict information from an access log file entry. In this example, the Webroot scanning engine found the malware:

<IW_infr,ns,24,"Trojan-Phisher-Gamec",0,354385,12559,-,"-",-,-,-,"-",-,-,"-","-",-,-,
IW_infr,-,"Trojan Phisher","-","Unknown","Unknown","-","-",489.73,0,-,[Local],"-"
,37,"W32.CiscoTestVector",33,0,"WSA-INFECTED-FILE.pdf","fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e">

Note
For an example of a whole access log file entry, see

Each item of information in this example corresponds to a log file format specifier as shown in the following table:
| Position | Field Value | Format Specifier | Description |
|---|---|---|---|
| 1 | IW_infr | %XC | The URL category assigned to the transaction, abbreviated. This field shows “nc” when no category is assigned. For a list of URL category abbreviations, see . |
| 2 | ns | %XW | Web Reputation filters score. This field either shows the score as a number, “ns” for “no score,” or “dns” when there is a DNS lookup error. |
| 3 | 24 | %Xv | The malware scanning verdict Webroot passed to the DVS engine. Applies to responses detected by Webroot only. For more information, see |
| 4 | “Trojan-Phisher-Gamec” | “%Xn” | Name of the spyware that is associated with the object. Applies to responses detected by Webroot only. |
| 5 | 0 | %Xt | The Webroot specific value associated with the Threat Risk Ratio (TRR) value that determines the probability that malware exists. Applies to responses detected by Webroot only. |
| 6 | 354385 | %Xs | A value that Webroot uses as a threat identifier. Cisco IronPort Customer Support may use this value when troubleshooting an issue. Applies to responses detected by Webroot only. |
| 7 | 12559 | %Xi | A value that Webroot uses as a trace identifier. Cisco IronPort Customer Support may use this value when troubleshooting an issue. Applies to responses detected by Webroot only. |
| 8 | - | %Xd | The malware scanning verdict McAfee passed to the DVS engine. Applies to responses detected by McAfee only. For more information, see |
| 9 | “-” | “%Xe” | The name of the file McAfee scanned. Applies to responses detected by McAfee only. |
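
As an added example (not code from the Cisco guide), the following Python function splits a scanning verdict block on commas while respecting quoted fields, then names positions 1 through 9 using the format specifiers from the table above. The dictionary key names, the `wbrs_note` field and the treatment of "-" as "no value" are assumptions made for this example.

```python
import csv

# Positions 1-9 of the scanning verdict block, in the order the table lists them.
# The key names are labels chosen for this example, not Cisco identifiers.
FIELDS = [
    ("%XC", "url_category"),
    ("%XW", "wbrs_score"),
    ("%Xv", "webroot_verdict"),
    ("%Xn", "webroot_spyware_name"),
    ("%Xt", "webroot_trr"),
    ("%Xs", "webroot_threat_id"),
    ("%Xi", "webroot_trace_id"),
    ("%Xd", "mcafee_verdict"),
    ("%Xe", "mcafee_file_name"),
]

# The guide's example entry, joined onto one logical line.
SAMPLE = (
    '<IW_infr,ns,24,"Trojan-Phisher-Gamec",0,354385,12559,-,"-",-,-,-,"-",-,-,"-","-",-,-,'
    'IW_infr,-,"Trojan Phisher","-","Unknown","Unknown","-","-",489.73,0,-,[Local],"-",'
    '37,"W32.CiscoTestVector",33,0,"WSA-INFECTED-FILE.pdf",'
    '"fd5ef49d4213e05f448f11ed9c98253d85829614fba368a421d14e64c426da5e">'
)

def parse_verdict_block(block):
    """Split a <...> scanning verdict block and name its first nine fields."""
    text = block.strip()
    if not (text.startswith("<") and text.endswith(">")):
        raise ValueError("scanning verdict block must be enclosed in <...>")
    # csv handles the double-quoted fields, which may themselves contain commas.
    values = next(csv.reader([text[1:-1]]))
    if len(values) < len(FIELDS):
        raise ValueError("block has fewer fields than the nine documented here")
    record = {}
    for (_spec, name), raw in zip(FIELDS, values):
        # Assumption: "-" marks a field the detecting engine did not fill in.
        record[name] = None if raw == "-" else raw
    # %XC shows "nc" when no category is assigned.
    if record["url_category"] == "nc":
        record["url_category"] = None
    # %XW is a number, "ns" (no score) or "dns" (DNS lookup error).
    raw_score = record["wbrs_score"]
    if raw_score in ("ns", "dns", None):
        record["wbrs_score"], record["wbrs_note"] = None, raw_score
    else:
        record["wbrs_score"], record["wbrs_note"] = float(raw_score), None
    record["unparsed"] = values[len(FIELDS):]  # positions 10+ are not covered here
    return record
```

Splitting on every comma instead would misalign all later positions whenever a quoted field, such as a scanned file name, contains a comma.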