Cisco Web Security Appliance S160 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 19 Configuring Security Services
Anti-Malware Scanning Overview
The Cisco IronPort DVS engine can use one or more scanning engines to determine malware risk.
Depending on the features purchased with the appliance, you can enable any of the following scanning
engines:
• Webroot. Webroot’s automated spyware detection system rapidly identifies existing and new
spyware threats on the Internet by intelligently scanning millions of sites on a daily basis. Webroot
uses a signature database to help detect threats on the Internet. For more information, see
• McAfee. The McAfee scanning engine can detect existing and new malware threats by using a
signature database of malware information and heuristic analysis. For more information, see
• Sophos. The Sophos scanning engine detects existing and new malware threats using a signature
database. For more information, see
.
The scanning engines inspect transactions to determine a malware scanning verdict to pass to the DVS
engine. A malware scanning verdict is a value assigned to a URL request or server response that
determines the probability that it contains malware. The DVS engine determines whether to monitor or
block the request based on the malware scanning verdicts. For more information about malware scanning
verdicts, see
.
Although you can enable all scanning engines globally, you can enable either the Sophos or the McAfee
scanning engine (but not both simultaneously) for each Access or Outbound Malware Scanning Policy.
Similarly, you can enable the Webroot scanning engine together with either Sophos or McAfee for each
Access or Outbound Malware Scanning Policy. You might want to enable the Sophos scanning engine
instead of the McAfee scanning engine if the client machines have McAfee anti-malware software
installed.
In some cases, the DVS engine might determine multiple verdicts for a single URL. For more
information about how the DVS handles multiple verdicts, see
.
Understanding How the DVS Engine Works
The DVS engine performs anti-malware scanning on URL transactions that are forwarded from the Web
Reputation Filters. Web Reputation Filters calculate the probability that a particular URL contains
malware, and assign a URL score that is associated with an action to block, scan, or allow the transaction.
When the assigned web reputation score indicates to scan the transaction, the DVS engine receives the
URL request and server response content. The DVS engine, in combination with the Webroot and/or
Sophos or McAfee scanning engines, returns a malware scanning verdict. The DVS engine uses
information from the malware scanning verdicts and Access Policy settings to determine whether to
block or deliver the content to the client.
When you enable both Webroot and Sophos or McAfee, the DVS engine determines how to scan the
content to optimize performance and efficacy.
Working with Multiple Malware Verdicts
In some cases, the DVS engine might determine multiple malware verdicts for a single URL. Multiple
verdicts can come from one or both enabled scanning engines:
• Different verdicts from different scanning engines. When you enable both Webroot and either
Sophos or McAfee, each scanning engine might return different malware verdicts for the same
object.