Cisco Cisco Web Security Appliance S670 User Guide
14-13
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 14 File Reputation Filtering and File Analysis
Taking Action When File Threat Verdicts Change
•
Information about File Analysis, including analysis results and whether or not a file was sent for
analysis, are available only in the File Analysis report.
analysis, are available only in the File Analysis report.
Additional information about an analyzed file may be available from the cloud. To view any
available File Analysis information for a file, select Reporting > File Analysis and enter the
SHA-256 to search for the file, or click the SHA-256 link in Web Tracking details. If the File
Analysis service has analyzed the file from any source, you can see the details. Results are displayed
only for files that have been analyzed.
available File Analysis information for a file, select Reporting > File Analysis and enter the
SHA-256 to search for the file, or click the SHA-256 link in Web Tracking details. If the File
Analysis service has analyzed the file from any source, you can see the details. Results are displayed
only for files that have been analyzed.
If the appliance processed a subsequent instance of a file that was sent for analysis, those instances
will appear in Web Tracking search results.
will appear in Web Tracking search results.
Taking Action When File Threat Verdicts Change
Procedure
Step 1
View the AMP Verdict Updates report.
Step 2
Click the relevant SHA-256 link to view web tracking data for all transactions involving that file that
end users were allowed to access.
end users were allowed to access.
Step 3
Using the tracking data, identify the users that may have been compromised, as well as information such
as the file names involved in the breach and the web site from which the file was downloaded.
as the file names involved in the breach and the web site from which the file was downloaded.
Step 4
Check the File Analysis report to see if this SHA-256 was sent for analysis, to understand the threat
behavior of the file in more detail.
behavior of the file in more detail.
Related Topics
•
Troubleshooting File Reputation and Analysis
•
•
•
•
•
•
Log Files
In logs:
•
AMP
and
amp
refer to the file reputation service or engine.
•
Retrospective
refers to verdict updates.
•
VRT
and
sandboxing
refer to the file analysis service.