Cisco Cisco Web Security Appliance S670 User Guide
14-12
AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide
Chapter 14 File Reputation Filtering and File Analysis
File Reputation and File Analysis Reporting and Tracking
File Reputation and File Analysis Report Pages
Report Description
Advanced Malware
Protection
Protection
Shows file-based threats that were identified by the file reputation service.
To see the users who tried to access each SHA, and the filenames associated
with that SHA-256, click a SHA-256 in the table.
with that SHA-256, click a SHA-256 in the table.
Clicking the link at the bottom of Malware Threat File Details report page
displays all instances of the file in Web Tracking that were encountered
within the maximum available time range, regardless of the time range
selected for the report.
displays all instances of the file in Web Tracking that were encountered
within the maximum available time range, regardless of the time range
selected for the report.
For files with changed verdicts, see the AMP Verdict updates report. Those
verdicts are not reflected in the Advanced Malware Protection report.
verdicts are not reflected in the Advanced Malware Protection report.
Note
If one of the extracted files from a compressed or an archive file is
malicious, only SHA value of the compressed or archive file is
included in the Advanced Malware Protection report.
malicious, only SHA value of the compressed or archive file is
included in the Advanced Malware Protection report.
File Analysis
Displays the time and verdict (or interim verdict) for each file sent for
analysis.
analysis.
Files that are whitelisted on the Cisco AMP Threat Grid appliance show as
"clean." For information about whitelisting, see the AMP Threat Grid online
help.
"clean." For information about whitelisting, see the AMP Threat Grid online
help.
To view more than 1000 File Analysis results, export the data as a .csv file.
Drill down to view detailed analysis results, including the threat
characteristics and score for each file.
characteristics and score for each file.
You can also view additional details about an SHA directly on the AMP
Threat Grid appliance or cloud server that performed the analysis by
searching for the SHA or by clicking the Cisco AMP Threat Grid link at the
bottom of the file analysis details page.
Threat Grid appliance or cloud server that performed the analysis by
searching for the SHA or by clicking the Cisco AMP Threat Grid link at the
bottom of the file analysis details page.
Note
If extracted files from a compressed or an archive file are sent for file
analysis, only SHA values of these extracted files are included in the
File Analysis report.
analysis, only SHA values of these extracted files are included in the
File Analysis report.
AMP Verdict Updates
Lists the files processed by this appliance for which the verdict has changed
since the transaction was processed. For information about this situation, see
since the transaction was processed. For information about this situation, see
To view more than 1000 verdict updates, export the data as a .csv file.
In the case of multiple verdict changes for a single SHA-256, this report
shows only the latest verdict, not the verdict history.
shows only the latest verdict, not the verdict history.
Clicking an SHA-256 link displays web tracking results for all transactions
that included this SHA-256 within the maximum available time range,
regardless of the time range selected for the report.
that included this SHA-256 within the maximum available time range,
regardless of the time range selected for the report.
To view all affected transactions for a particular SHA-256 within the
maximum available time range (regardless of the time range selected for the
report) click the link at the bottom of the Malware Threat Files page.
maximum available time range (regardless of the time range selected for the
report) click the link at the bottom of the Malware Threat Files page.