Cisco Web Security Appliance S160 User Guide
Cisco AsyncOS 8.0.6 for Web User Guide
Chapter 12 Configuring Security Services
Maintaining the Database Tables
Note
Only negative and zero values can be configured for web reputation threshold settings for Cisco IronPort
Data Security Policies. By definition, all positive scores are monitored.
Maintaining the Database Tables
The web reputation, Webroot, Sophos, and McAfee databases periodically receive updates from the
Cisco IronPort update server (https://update-manifests.ironport.com). Server updates are
automated and the update interval is set by the server.
The Web Reputation Database
The Web Security appliance maintains a filtering database that contains statistics and information about
how different types of requests are handled. The appliance can also be configured to send web reputation
statistics to a Cisco SensorBase Network server. SensorBase server information is leveraged with data
feeds from the SensorBase Network and the information is used to produce a Web Reputation Score.
Logging
The access log file records the information returned by the Web Reputation Filters and the DVS engine
for each transaction. The scanning verdict information section in the access logs includes many fields to
help understand the cause for the action applied to a transaction. For example, some fields display the
web reputation score or the malware scanning verdict Sophos passed to the DVS engine.
Logging Adaptive Scanning
Transactions blocked and monitored by the adaptive scanning engine use the ACL decision tags:
• BLOCK_AMW_RESP
• MONITOR_AMW_RESP
Custom Field in Access Logs: %X6
Custom Field in W3C Logs: x-as-malware-threat-name
Description: The anti-malware name returned by Adaptive Scanning. If the transaction is not blocked, this field returns a hyphen (“-”). This variable is included in the scanning verdict information (in the angled brackets at the end of each access log entry).
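The following triage script is an added example, not part of the Cisco guide: it reads a W3C-format log, keeps only transactions tagged BLOCK_AMW_RESP or MONITOR_AMW_RESP, and reports the x-as-malware-threat-name value for each. It assumes the log carries a standard "#Fields:" header; the x-acltag, c-ip and cs-url field names, the tag suffixes and the sample records are assumptions constructed for illustration.

```python
import shlex

# Decision tags the guide lists for the adaptive scanning engine.
AMW_TAGS = ("BLOCK_AMW_RESP", "MONITOR_AMW_RESP")
THREAT_FIELD = "x-as-malware-threat-name"  # W3C name of %X6 (from the guide)
ACLTAG_FIELD = "x-acltag"  # assumption: W3C field holding the ACL decision tag

def adaptive_scanning_hits(lines):
    """Return one dict per transaction blocked or monitored by adaptive scanning."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # W3C directive; "#Fields:" names the columns of the records below it.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        try:
            values = shlex.split(line)  # tolerates quoted values containing spaces
        except ValueError:
            continue  # unbalanced quotes: treat as a damaged record
        if len(values) != len(fields):
            continue  # truncated record, or no header seen yet
        rec = dict(zip(fields, values))
        acltag = rec.get(ACLTAG_FIELD, "")
        tag = next((t for t in AMW_TAGS if acltag.startswith(t)), None)
        if tag is None:
            continue
        threat = rec.get(THREAT_FIELD, "-")
        hits.append({
            "action": tag.split("_", 1)[0],  # BLOCK or MONITOR
            "client": rec.get("c-ip", "-"),
            "url": rec.get("cs-url", "-"),
            # The guide states the field is "-" when the transaction is not blocked.
            "threat": None if threat == "-" else threat,
        })
    return hits

# Constructed sample log; addresses, URLs and the threat name are made up.
SAMPLE_LOG = """\
#Fields: timestamp c-ip cs-url x-acltag x-as-malware-threat-name
1700000000.101 192.0.2.10 http://example.test/a.exe BLOCK_AMW_RESP_12-DefaultGroup "Constructed Threat A"
1700000001.202 192.0.2.11 http://example.test/b.js MONITOR_AMW_RESP_12-DefaultGroup -
1700000002.303 192.0.2.12 http://example.test/ DEFAULT_CASE_12-DefaultGroup -
1700000003.404 192.0.2.13 truncated-record
"""

if __name__ == "__main__":
    for hit in adaptive_scanning_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

Resolving columns through the "#Fields:" header keeps the script independent of the order in which custom fields were added to the log subscription.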