Cisco Web Security Appliance S380 User Guide

Cisco AsyncOS 8.0.6 for Web User Guide
 
Chapter 13 File Reputation Filtering and File Analysis
About Web Tracking and Advanced Malware Protection Features 
When searching for file threat information in Web Tracking, keep the following points in mind: 
To search for malicious files found by the file reputation service, select Known Malicious and High-Risk Files for the Filter by Malware Category option in the Malware Threat area in the Advanced section in Web Tracking.
Web Tracking includes only information about file reputation processing and the original file reputation verdicts returned at the time a transaction was processed. For example, if a file was initially found to be clean, then a verdict update found the file to be malicious, only the clean verdict appears in Tracking results.
"Block - AMP" in search results means the transaction was blocked because of the file's reputation verdict.
In Tracking details, the "AMP Threat Score" is the best-effort score that the cloud reputation service provides when it cannot determine a clear verdict for the file. In this situation, the score is between 1 and 100. (Ignore the AMP Threat Score if an AMP Verdict is returned or if the score is zero.) The appliance compares this score to the threshold score (configured on the Security Services > Anti-Malware and Reputation page) to determine what action to take. By default, files with scores between 60 and 100 are considered malicious. Cisco does not recommend changing the default threshold score. The WBRS score is the reputation of the site from which the file was downloaded; this score is not related to the file reputation.
Verdict updates are available only in the AMP Verdict Updates report. The original transaction details in Web Tracking are not updated with verdict changes. To see transactions involving a particular file, click a SHA-256 in the verdict updates report.
Information about File Analysis, including analysis results and whether or not a file was sent for analysis, is available only in the File Analysis report.
Additional information about an analyzed file may be available from the cloud. To view any available File Analysis information for a file, select Reporting > File Analysis and enter the SHA-256 to search for the file, or click the SHA-256 link in Web Tracking details. If the File Analysis service has analyzed the file from any source, you can see the details. Results are displayed only for files that have been analyzed.
If the appliance processed a subsequent instance of a file that was sent for analysis, those instances will appear in Web Tracking search results.
Taking Action When File Threat Verdicts Change 
Procedure 
Step 1  View the AMP Verdict Updates report.
Step 2  Click the relevant SHA-256 link to view web tracking data for all transactions involving that file that end users were allowed to access.
Step 3  Using the tracking data, identify the users that may have been compromised, as well as information such as the file names involved in the breach and the web site from which the file was downloaded.
Step 4  Check the File Analysis report to see if this SHA-256 was sent for analysis, to understand the threat behavior of the file in more detail.
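The two rules this chapter states are easy to get wrong during an incident: the AMP Threat Score is only meaningful when no AMP Verdict was returned and the score is non-zero, and a verdict update never rewrites the original Web Tracking records, so the analyst has to correlate the updated SHA-256 back against allowed transactions by hand. The script below is an added example, not Cisco's code or an AsyncOS export format. It models the threat-score comparison from the Web Tracking notes and the Step 2 and Step 3 correlation from the procedure above, over a constructed set of tracking records. The field names, the verdict labels "clean"/"malicious", the action label "Allow" and the placeholder SHA-256 values are assumptions; only "Block - AMP" and the default threshold of 60 come from the guide.

```python
"""Triage helper for an AMP verdict update (added example, not Cisco's code).

Web Tracking keeps only the verdict returned when a transaction was processed,
so when the AMP Verdict Updates report flips a SHA-256 from clean to malicious
the analyst must go back to tracking data and find who was allowed to fetch the
file. The record layout below is a constructed approximation of the tracking
fields named in the guide, not the appliance's export format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_THRESHOLD = 60  # default threshold score stated in the guide


def amp_considered_malicious(verdict: Optional[str], threat_score: int,
                             threshold: int = DEFAULT_THRESHOLD) -> bool:
    """Documented rule for the original transaction verdict.

    A returned AMP Verdict wins and the score is ignored; a score of 0 means no
    usable score; otherwise the 1..100 threat score is compared to the
    threshold and scores from threshold up to 100 count as malicious. The
    labels "malicious"/"clean" are assumed, not the appliance's exact strings.
    """
    if verdict is not None:
        return verdict.lower() == "malicious"
    if threat_score == 0:
        return False
    if not 1 <= threat_score <= 100:
        raise ValueError(f"AMP Threat Score out of range: {threat_score}")
    return threat_score >= threshold


@dataclass(frozen=True)
class TrackingRecord:
    time: str
    user: str
    sha256: str
    file_name: str
    site: str                    # download site; WBRS rates this, not the file
    action: str                  # "Block - AMP" when blocked on file reputation
    amp_verdict: Optional[str]   # None when the cloud gave no clear verdict
    amp_threat_score: int        # 0 when no score was provided


@dataclass(frozen=True)
class VerdictUpdate:
    sha256: str
    old_verdict: str
    new_verdict: str
    update_time: str


def allowed_transactions(records: List[TrackingRecord],
                         update: VerdictUpdate) -> List[TrackingRecord]:
    """Step 2: transactions for the updated SHA-256 that users were allowed to access."""
    return [r for r in records
            if r.sha256 == update.sha256 and r.action != "Block - AMP"]


def exposure_summary(records: List[TrackingRecord],
                     update: VerdictUpdate) -> Dict[str, List[str]]:
    """Step 3: possibly compromised users, file names and download sites."""
    hits = allowed_transactions(records, update)
    return {
        "users": sorted({r.user for r in hits}),
        "file_names": sorted({r.file_name for r in hits}),
        "sites": sorted({r.site for r in hits}),
    }


# Constructed sample data: placeholder hashes and hosts, not real indicators.
SHA_A = "11" * 32
SHA_B = "22" * 32
SAMPLE_RECORDS = [
    TrackingRecord("2014-05-01T09:12:00", "alice", SHA_A, "invoice.pdf.exe",
                   "downloads.example.test", "Allow", "clean", 0),
    TrackingRecord("2014-05-01T09:40:00", "bob", SHA_A, "invoice.pdf.exe",
                   "downloads.example.test", "Allow", None, 35),   # score below 60
    TrackingRecord("2014-05-01T10:05:00", "carol", SHA_A, "setup.exe",
                   "mirror.example.test", "Block - AMP", None, 72),  # score >= 60
    TrackingRecord("2014-05-01T10:30:00", "dave", SHA_B, "report.docx",
                   "intranet.example.test", "Allow", "clean", 0),
]
SAMPLE_UPDATE = VerdictUpdate(SHA_A, "clean", "malicious", "2014-05-02T08:00:00")

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.user, r.action,
              amp_considered_malicious(r.amp_verdict, r.amp_threat_score))
    print(exposure_summary(SAMPLE_RECORDS, SAMPLE_UPDATE))
```

Note that the blocked transaction for carol is deliberately left out of the summary: the procedure asks for users who were allowed to access the file, and a "Block - AMP" record means the appliance already stopped that download. Dave's record is untouched because it is a different SHA-256; the report-level SHA-256 link is the only join key the guide offers, so file name and site are outputs of the correlation, not inputs.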