Cisco Web Security Appliance S380 User Guide

Cisco AsyncOS 8.5 for Email User Guide
 
Chapter 16 File Reputation Filtering and File Analysis
Overview of File Reputation Filtering and File Analysis
File Processing Overview 
First, the web site from which the file is downloaded is evaluated against the Web Based Reputation 
Service (WBRS). 
If the web reputation score of the site is in the range configured to “Scan,” the appliance simultaneously 
scans the transaction for malware and queries the cloud-based service for the reputation of the file. (If 
the site’s reputation score is in the “Block” range, the transaction is handled accordingly and there is no 
need to process the file further.) If malware is found during scanning, the transaction is blocked 
regardless of the reputation of the file. 
If Adaptive Scanning is also enabled, file reputation evaluation and file analysis are included in Adaptive 
Scanning. 
Communications between the appliance and the file reputation service are encrypted and protected from 
tampering. 
After a file’s reputation is evaluated: 
- If the file is known to the file reputation service and is determined to be clean, the file is released to the end user.
- If the file reputation service returns a verdict of malicious, then the appliance applies the action that you have specified for such files.
- If the file is known to the reputation service but there is insufficient information for a definitive verdict, the reputation service returns a threat score based on characteristics of the file such as threat fingerprint and behavioral analysis. If this score meets or exceeds the configured reputation threshold (you need not change the default), the appliance applies the action that you have configured in the access policy for malicious or high-risk files.
- If the reputation service has no information about the file, and the file does not meet the criteria for analysis, the file is considered clean and the file is released to the end user.
- If the reputation service has no information about the file, and the file meets the criteria for files that can be analyzed (see ), then the file is considered clean and is sent for analysis.
- If file reputation information is unavailable, for example because the connection with the cloud service timed out, the file is considered clean and is released to the end user.
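
The processing order above, written out as a decision function so that the paths which treat a file as clean without any reputation verdict can be listed. This is an added illustration, not Cisco code: the names Transaction, Outcome, process and released_without_verdict are hypothetical, the threshold value and sample transactions are constructed, and the below-threshold result is an assumption because the text does not state it.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
# Constructed value; the page does not state the default reputation threshold.
REPUTATION_THRESHOLD = 60
Outcome = namedtuple("Outcome", "action analyze no_verdict")

@dataclass
class Transaction:
    wbrs_range: str              # "Scan" or "Block", the two ranges the page names
    malware_found: bool          # result of the appliance's malware scan
    file_verdict: Optional[str]  # "clean", "malicious", "score", "unknown"; None = service unreachable
    threat_score: int = 0        # used only when file_verdict == "score"
    analyzable: bool = False     # file meets the criteria for file analysis

def process(t: Transaction) -> Outcome:
    if t.wbrs_range == "Block":
        return Outcome("block_site", False, False)     # file is not processed further
    if t.wbrs_range != "Scan":
        raise ValueError("only the Scan and Block ranges are described")
    if t.malware_found:
        return Outcome("block_malware", False, False)  # regardless of file reputation
    if t.file_verdict is None:
        return Outcome("release", False, True)         # e.g. timeout: considered clean
    if t.file_verdict == "malicious":
        return Outcome("policy_action", False, False)
    if t.file_verdict == "score":
        if t.threat_score >= REPUTATION_THRESHOLD:     # "meets or exceeds"
            return Outcome("policy_action", False, False)
        # Assumption: the page does not say what happens below the threshold.
        return Outcome("release", False, False)
    if t.file_verdict == "unknown":
        # Considered clean either way; sent for analysis only if eligible.
        return Outcome("release", t.analyzable, True)
    if t.file_verdict == "clean":
        return Outcome("release", False, False)
    raise ValueError(f"unexpected verdict: {t.file_verdict!r}")

def released_without_verdict(transactions):
    """Transactions treated as clean with no reputation verdict behind them."""
    return [t for t in transactions if process(t).no_verdict]

# Constructed sample transactions.
SAMPLES = [
    Transaction("Scan", False, "clean"),
    Transaction("Scan", False, "unknown", analyzable=True),
    Transaction("Scan", False, "unknown"),
    Transaction("Scan", False, None),
]
```

Three of the four constructed samples come back from released_without_verdict: both unknown files and the one where the service was unreachable.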