Cisco Web Security Appliance S680 User Guide
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
The “10” value is the malware scanning verdict that Webroot passes to the DVS engine. (“10”
corresponds to generic spyware, as explained in Table 20-13 on page 460.) The
“BLOCK_AMW_REQ” ACL decision tag shows that Webroot’s request-side checking of the
URL produced this verdict. The remainder of the fields show the spyware name (“Malware”),
threat risk rating (“100”), threat ID (“-”), and trace ID (“-”) values, which Webroot derived
from its evaluation. In this case, the threat ID and trace ID values are empty (“-”) because
Webroot did not actually scan a response. All of the McAfee-related values are empty (“-”)
because the McAfee scanning engine did not scan the URL request.
Anti-Malware Response Example
In the following example, the McAfee scanning engine scanned the server response, assigned
a malware scanning verdict based on the server response, and blocked it from the user.
The following list explains the values in this access log entry that show that this transaction
was blocked based on the result of the McAfee scanning engine:
• TCP_DENIED. The website was denied due to Access Policies.
• BLOCK_AMW_RESP-MyAccessPolicy. This transaction matched the “MyAccessPolicy”
Access Policy group, and due to the settings defined in that policy group, the server
response was blocked due to detected malware.
• 3.0 in the angled brackets. The URL received a Web Reputation Score of 3.0, which fell in
the score range to scan further.
• 27 in the angled brackets. The malware scanning verdict McAfee passed to the DVS
engine. 27 corresponds to a virus.
• “EICAR test file”. The name of the virus that McAfee scanned.
1186606394.787 198 172.xx.xx.xx TCP_DENIED/403 1843 GET http://www.eicar.org/download/eicar.com HTTP/1.1 - NONE/- text/plain BLOCK_AMW_RESP-MyAccessPolicy-MyIdentity-NONE-NONE-DefaultRouting <Comp,3.0,0,-,-,-,-,27,-,0,1,6,"EICAR test file",0,0,Comp,->
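The following Python parser is an added example, not part of the Cisco guide. It pulls the fields discussed above (result code, ACL decision tag, policy group, Web Reputation Score, McAfee verdict and virus name) out of an access log line so blocked-malware entries can be triaged in bulk. The function name, dictionary keys and the field positions inside the angled brackets are assumptions read off the single sample entry on this page.

```python
import csv
import re

# Constructed sample: the access log entry from the example above, on one line.
SAMPLE = ('1186606394.787 198 172.xx.xx.xx TCP_DENIED/403 1843 GET '
          'http://www.eicar.org/download/eicar.com HTTP/1.1 - NONE/- text/plain '
          'BLOCK_AMW_RESP-MyAccessPolicy-MyIdentity-NONE-NONE-DefaultRouting '
          '<Comp,3.0,0,-,-,-,-,27,-,0,1,6,"EICAR test file",0,0,Comp,->')

# Only the two verdict codes this page names; Table 20-13 has the full list.
VERDICTS = {"10": "generic spyware", "27": "virus"}
# Which side of the transaction produced the block, per the ACL decision tag.
SIDES = {"BLOCK_AMW_REQ": "request", "BLOCK_AMW_RESP": "response"}
# Assumption: positions inside <...> are read off the sample entry above.
IDX_WBRS, IDX_MCAFEE_VERDICT, IDX_VIRUS_NAME = 1, 7, 12

ENTRY = re.compile(
    r'^(?P<ts>\d+\.\d+) \d+ (?P<client>\S+) (?P<result>[A-Z_]+)/(?P<status>\d{3}) '
    r'\d+ (?P<method>\S+) (?P<url>\S+) .*? (?P<acl>\S+) <(?P<scan>.*)>\s*$')


def parse_entry(line):
    """Return the malware-relevant fields of one access log line, or None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    # csv copes with quoted threat names that themselves contain commas.
    fields = next(csv.reader([m["scan"]]))

    def val(i):  # "-" means the engine reported nothing for this field
        return fields[i] if i < len(fields) and fields[i] != "-" else None

    decision, _, rest = m["acl"].partition("-")
    try:
        wbrs = float(val(IDX_WBRS))
    except (TypeError, ValueError):  # missing or non-numeric score
        wbrs = None
    verdict = val(IDX_MCAFEE_VERDICT)
    return {
        "client": m["client"], "url": m["url"],
        "result": m["result"], "status": int(m["status"]),
        "decision": decision, "access_policy": rest.split("-")[0] or None,
        "blocked_on": SIDES.get(decision),
        "wbrs": wbrs,
        "mcafee_verdict": verdict, "verdict_name": VERDICTS.get(verdict),
        "virus_name": val(IDX_VIRUS_NAME),
    }


if __name__ == "__main__":
    print(parse_entry(SAMPLE))
```

A policy group name that itself contains a hyphen cannot be separated from the following group names by this split, so treat `access_policy` as a best-effort value.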