Cisco Cisco Email Security Appliance X1070 User Guide
17-15
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 17 File Reputation Filtering and File Analysis
File Reputation and File Analysis Reporting and Tracking
Viewing File Reputation Filtering Data in Other Reports
Data for file reputation and analysis is available in other reports where relevant. A "Detected by
Advanced Malware Protection" column may be hidden by default in applicable reports. To display
additional columns, click the Columns link below the table.
Advanced Malware Protection" column may be hidden by default in applicable reports. To display
additional columns, click the Columns link below the table.
About Message Tracking and Advanced Malware Protection Features
When searching for file threat information in Message Tracking, keep the following points in mind:
•
To search for malicious files found by the file reputation service, select Advanced Malware
Protection Positive for the Message Event option in the Advanced section in Message Tracking.
Protection Positive for the Message Event option in the Advanced section in Message Tracking.
•
Message Tracking includes only information about file reputation processing and the original file
reputation verdicts returned at the time a message was processed. For example, if a file was initially
found to be clean, then a verdict update found the file to be malicious, only the clean verdict appears
in Tracking results.
reputation verdicts returned at the time a message was processed. For example, if a file was initially
found to be clean, then a verdict update found the file to be malicious, only the clean verdict appears
in Tracking results.
In Message Tracking details, the Processing Details section shows:
File Analysis
Displays the time and verdict (or interim verdict) for each file sent for
analysis.
analysis.
Files that are whitelisted on the Cisco AMP Threat Grid appliance show as
"clean." For information about whitelisting, see the AMP Threat Grid online
help.
"clean." For information about whitelisting, see the AMP Threat Grid online
help.
To view more than 1000 File Analysis results, export the data as a .csv file.
Drill down to view detailed analysis results, including the threat
characteristics for each file.
characteristics for each file.
You can also view additional details about an SHA directly on the AMP
Threat Grid appliance or cloud server that performed the analysis by
searching for the SHA or by clicking the Cisco AMP Threat Grid link at the
bottom of the file analysis details page.
Threat Grid appliance or cloud server that performed the analysis by
searching for the SHA or by clicking the Cisco AMP Threat Grid link at the
bottom of the file analysis details page.
Note
If extracted files from a compressed or an archive file are sent for file
analysis, only SHA values of these extracted files are included in the
File Analysis report.
analysis, only SHA values of these extracted files are included in the
File Analysis report.
AMP Verdict Updates
Lists the files processed by this appliance for which the verdict has changed
since the message was received. For information about this situation, see
since the message was received. For information about this situation, see
.
To view more than 1000 verdict updates, export the data as a .csv file.
In the case of multiple verdict changes for a single SHA-256, this report
shows only the latest verdict, not the verdict history.
shows only the latest verdict, not the verdict history.
To view all affected messages for a particular SHA-256 within the maximum
available time range (regardless of the time range selected for the report) click
a SHA-256 link.
available time range (regardless of the time range selected for the report) click
a SHA-256 link.
Report Description