Cisco Web Security Appliance S170 User Guide
Chapter 24 Logging
Access Log File
24-36
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Anti-Malware Request Example
In the following example, the Webroot scanning engine scanned the URL request
and assigned a malware scanning verdict based on the URL request. Webroot is
the only scanning engine that scans a URL request. For more information about
Webroot scanning, see
1278106367.381 170 172.xx.xx.xx TCP_DENIED/403 1828 GET
http://www.gator.com/ - NONE/- -
BLOCK_AMW_RESP_URL_11-AccessPolicy-Identity-OMSPolicy-NONE-NONE-NONE
<IW_busi,3.4,"Adware","GAIN - Common
Components",95,37607,10,"-","-",-,-,-,"-","-","-","-","-",-,-,IW_busi
,-,"Adware","-","Unknown","Unknown","-","-",86.02,0,-,"-","-">
In this example, “3.4” is the Web Reputation score, which indicates that the
website should be scanned for malware. Therefore, the Web Proxy passed the
request to the DVS engine for anti-malware scanning.
The “Adware” value is the malware scanning verdict that Webroot passed to the
DVS engine. The “BLOCK_AMW_RESP_URL” ACL decision tag shows that
Webroot’s request-side checking of the URL produced this verdict. The remainder
of the fields show the malware name (“GAIN - Common Components”), threat
risk rating (“95”), threat ID (“37607”), and trace ID (“10”) values, which Webroot
derived from its evaluation. All of the McAfee and Sophos-related values are
empty (“-”) because neither the McAfee nor the Sophos scanning engine scanned
the URL request.
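The field walk-through above, as an added Python example that is not part of the Cisco guide: it splits the request-side entry and extracts the values the text names. The function name `parse_entry` and the dictionary keys are assumptions made for illustration, and only the positions the text explains are given names.

```python
import csv

# Constructed input: the page's Webroot request entry, re-joined onto one line.
SAMPLE = (
    '1278106367.381 170 172.xx.xx.xx TCP_DENIED/403 1828 GET '
    'http://www.gator.com/ - NONE/- - '
    'BLOCK_AMW_RESP_URL_11-AccessPolicy-Identity-OMSPolicy-NONE-NONE-NONE '
    '<IW_busi,3.4,"Adware","GAIN - Common Components",95,37607,10,'
    '"-","-",-,-,-,"-","-","-","-","-",-,-,IW_busi,'
    '-,"Adware","-","Unknown","Unknown","-","-",86.02,0,-,"-","-">'
)

# Positions inside <...>, named only as far as the page's explanation goes
# (key names are hypothetical, chosen for this example).
SCAN_FIELDS = {1: "wbrs_score", 2: "webroot_verdict", 3: "malware_name",
               4: "threat_risk_rating", 5: "threat_id", 6: "trace_id"}


def parse_entry(line):
    """Split one access log entry and pull out the anti-malware values."""
    parts = line.strip().split(None, 11)   # 11 space-separated fields, then <...>
    if len(parts) < 12 or not parts[11].startswith("<") or ">" not in parts[11]:
        raise ValueError("not an access log entry with a <...> section")
    body = parts[11][1:parts[11].rindex(">")]
    # The section is comma-separated with double-quoted strings; the csv module
    # keeps commas and spaces that appear inside the quotes.
    scan = next(csv.reader([body]))
    # The decision tag text before the first '-' is e.g. BLOCK_AMW_RESP_URL_11.
    # The numeric suffix is not explained on the page, so it is only stripped.
    action = parts[10].split("-", 1)[0]
    tag, _, suffix = action.rpartition("_")
    if not suffix.isdigit():
        tag = action
    entry = {"result_code": parts[3], "url": parts[6], "acl_decision_tag": tag,
             "request_side_verdict": tag == "BLOCK_AMW_RESP_URL"}
    for pos, name in SCAN_FIELDS.items():
        value = scan[pos].strip() if pos < len(scan) else "-"
        entry[name] = None if value == "-" else value   # "-" means empty
    return entry


if __name__ == "__main__":
    for key, value in parse_entry(SAMPLE).items():
        print(f"{key}: {value}")
```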
Anti-Malware Response Example
In the following example, the McAfee scanning engine scanned the server
response, assigned a malware scanning verdict based on the server response, and
blocked it from the user.
1278097193.276 51 172.xx.xx.xx TCP_DENIED/403 3122 GET
http://badsite.com/malware.exe - DIRECT/badsite.com
application/x-dosexec
BLOCK_AMW_RESP_11-AccessPol-Identity-NONE-NONE-NONE-DefaultGroup
<IW_infr,3.0,"Trojan Phisher","Trojan-Phisher-Gamec",0,354385,12559,
"-","-",-,-,-,"-","-","-","-","-",-,-,IW_infr,-,"Trojan
Phisher","-","Unknown","Unknown","-","-",489.73,0,[Local],"-","-"> -