Cisco Web Security Appliance S170 User Guide
Chapter 19 Anti-Malware Services
IronPort DVS™ (Dynamic Vectoring and Streaming) Engine
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
returns a malware scanning verdict. The DVS engine uses information from the
malware scanning verdicts and Access Policy settings to determine whether to
block or deliver the content to the client.
When you enable both Webroot and Sophos or McAfee, the DVS engine
determines how to scan the content to optimize performance and efficacy.
Working with Multiple Malware Verdicts
In some cases, the DVS engine might determine multiple malware verdicts for a
single URL. Multiple verdicts can come from one or both enabled scanning
engines:
• Different verdicts from different scanning engines. When you enable both
Webroot and either Sophos or McAfee, each scanning engine might return
different malware verdicts for the same object.
• Different verdicts from the same scanning engine. A scanning engine
might return multiple verdicts for a single object when the object contains
multiple infections. For example, a zip file might contain multiple files, each
infected with a different kind of malware.
When a URL causes multiple verdicts, the appliance takes different action
depending on whether one or both enabled scanning engines return the multiple
malware verdicts.
Different Scanning Engines
When a URL causes multiple verdicts from both enabled scanning engines, the
appliance performs the most restrictive action. For example, if one scanning
engine returns a block verdict and the other a monitor verdict, the DVS engine
always blocks the request. Only the most restrictive verdict is logged and
reported.
Same Scanning Engine
When a URL causes multiple verdicts from the same scanning engine, the
appliance takes action according to the verdict with the highest priority. Only the
highest-priority verdict is logged and reported. The following text lists the possible
malware scanning verdicts from the highest to the lowest priority.
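An added example, not part of the Cisco guide and not the appliance's code, sketching both resolution rules from this section in Python and showing which verdicts never reach the logs. The priority order in `PRIORITY`, the verdict-to-action mapping in `POLICY`, the tie-break between engines and the sample verdicts are constructed assumptions; substitute the guide's priority list and your own Access Policy settings.

```python
# Added illustration; not Cisco code. PRIORITY and POLICY are constructed
# placeholders: substitute the guide's list and your Access Policy settings.
PRIORITY = ["Virus", "Trojan Horse", "Worm", "Adware"]  # highest -> lowest (assumed)
RESTRICTIVENESS = {"block": 2, "monitor": 1}            # higher = more restrictive


def top_verdict(verdicts, priority=PRIORITY):
    """Same-engine rule: keep the highest-priority verdict for one engine."""
    return min(verdicts, key=priority.index)


def resolve(engine_verdicts, policy):
    """Apply both rules to {engine: [verdicts]} under {verdict: action}.

    Returns (action, logged, suppressed): the action taken, the single
    (engine, verdict) pair that reaches the logs, and every verdict that
    does not.
    """
    # Step 1: collapse each engine's verdicts to its highest-priority one.
    per_engine = {e: top_verdict(v) for e, v in engine_verdicts.items() if v}
    if not per_engine:
        return None, None, []  # no malware verdicts: nothing to resolve
    # Step 2: across engines, the most restrictive action wins.
    # Assumption: on a tie, the first engine listed is the one logged.
    engine, verdict = max(per_engine.items(),
                          key=lambda ev: RESTRICTIVENESS[policy[ev[1]]])
    suppressed = [(e, v) for e, vs in engine_verdicts.items() for v in vs
                  if (e, v) != (engine, verdict)]
    return policy[verdict], (engine, verdict), suppressed


# Constructed sample: a zip with two infections seen by one engine,
# and a single lower-priority verdict from the other engine.
SAMPLE = {"Sophos": ["Worm", "Virus"], "Webroot": ["Adware"]}
POLICY = {"Virus": "block", "Trojan Horse": "block",
          "Worm": "monitor", "Adware": "monitor"}

if __name__ == "__main__":
    action, logged, suppressed = resolve(SAMPLE, POLICY)
    print("action:", action)
    print("logged:", logged)
    print("not logged:", suppressed)
```

The `suppressed` list is what an investigator will not find in the logs, so a single logged verdict does not rule out further infections in the same object.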