Cisco Web Security Appliance S690 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 19: Configuring Security Services
Anti-Malware Scanning Overview
  • Different verdicts from the same scanning engine. A scanning engine might return multiple
    verdicts for a single object when the object contains multiple infections. For example, a zip file
    might contain multiple files, each infected with a different kind of malware.
When a URL causes multiple verdicts, the appliance takes different action depending on whether one or 
both enabled scanning engines return the multiple malware verdicts.
Different Scanning Engines
When a URL causes multiple verdicts from both enabled scanning engines, the appliance performs the 
most restrictive action. For example, if one scanning engine returns a block verdict and the other a 
monitor verdict, the DVS engine always blocks the request. Only the most restrictive verdict is logged 
and reported.
Same Scanning Engine
When a URL causes multiple verdicts from the same scanning engine, the appliance takes action 
according to the verdict with the highest priority. Only the highest-priority verdict is logged and 
reported. The following list shows the possible malware scanning verdicts from the highest to the 
lowest priority.
  • Virus
  • Trojan Downloader
  • Trojan Horse
  • Trojan Phisher
  • Hijacker
  • System monitor
  • Commercial System Monitor
  • Dialer
  • Worm
  • Browser Helper Object
  • Phishing URL
  • Adware
  • Encrypted file
  • Unscannable
  • Other Malware
Suppose the McAfee scanning engine detects both adware and a virus in the scanned object, and that the 
appliance is configured to block adware and monitor viruses. According to the list above, viruses belong 
in a higher priority verdict category than adware. Therefore, the appliance monitors the object and 
reports the verdict as virus in the reports and logs. It does not block the object even though it is 
configured to block adware.
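
The following Python sketch is an added example, not part of the Cisco guide or AsyncOS. It models the two resolution rules above and lists every blocked category that a higher-priority monitored category can override. The function names, the dictionary-based policy, and the way the two rules are combined across engines are assumptions made for illustration.

```python
# Added illustration: models the verdict rules described above.
# Function names and the dict-based policy are hypothetical, not AsyncOS APIs.
PRIORITY = [  # highest to lowest, as listed in the guide
    "Virus", "Trojan Downloader", "Trojan Horse", "Trojan Phisher", "Hijacker",
    "System monitor", "Commercial System Monitor", "Dialer", "Worm",
    "Browser Helper Object", "Phishing URL", "Adware", "Encrypted file",
    "Unscannable", "Other Malware",
]
RANK = {name: i for i, name in enumerate(PRIORITY)}
RESTRICTIVENESS = {"monitor": 0, "block": 1}

# Constructed sample policy: block every category except Virus (monitor).
SAMPLE_POLICY = {name: "block" for name in PRIORITY}
SAMPLE_POLICY["Virus"] = "monitor"


def engine_result(verdicts, policy):
    """Same engine: the highest-priority verdict decides the action."""
    top = min(verdicts, key=RANK.__getitem__)
    return top, policy[top]


def resolve(per_engine, policy):
    """Different engines: most restrictive action wins. Assumption: each
    engine is first reduced with engine_result(); tie logging is unspecified."""
    results = [engine_result(v, policy) for v in per_engine.values() if v]
    if not results:
        return None
    return max(results, key=lambda r: RESTRICTIVENESS[r[1]])


def shadowed_blocks(policy):
    """Map each blocked category to the higher-priority monitored categories
    that would override it when one engine returns both verdicts."""
    shadowed = {}
    for name in PRIORITY:
        if policy[name] != "block":
            continue
        masks = [p for p in PRIORITY[:RANK[name]] if policy[p] == "monitor"]
        if masks:
            shadowed[name] = masks
    return shadowed


if __name__ == "__main__":
    print(engine_result(["Adware", "Virus"], SAMPLE_POLICY))
    print(shadowed_blocks(SAMPLE_POLICY)["Adware"])
```

Running shadowed_blocks() against an exported policy before deployment shows which block settings do not take effect when a single engine also returns a higher-priority monitored verdict.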
Webroot Scanning
The Webroot scanning engine inspects objects to determine the malware scanning verdict to send to the 
DVS engine. The Webroot scanning engine inspects the following objects: