Cisco Cisco Email Security Appliance C160 Guía Del Usuario
17-16
AsyncOS 9.0 for Cisco Web Security Appliances User Guide
Chapter 17 File Reputation Filtering and File Analysis
Taking Action When File Threat Verdicts Change
–
The SHA-256 of each attachment in the message, and
–
The final Advanced Malware Protection verdict for the message as a whole, and
–
Any attachments which were found to contain malware.
No information is provided for clean or unscannable attachments.
•
Verdict updates are available only in the AMP Verdict Updates report. The original message details
in Message Tracking are not updated with verdict changes. To see messages that have a particular
attachment, click a SHA-256 in the verdict updates report.
in Message Tracking are not updated with verdict changes. To see messages that have a particular
attachment, click a SHA-256 in the verdict updates report.
•
Information about File Analysis, including analysis results and whether or not a file was sent for
analysis, are available only in the File Analysis report.
analysis, are available only in the File Analysis report.
Additional information about an analyzed file may be available from the cloud or on-premises File
Analysis server. To view any available File Analysis information for a file, select Monitor > File
Analysis and enter the SHA-256 to search for the file. If the File Analysis service has analyzed the
file from any source, you can see the details. Results are displayed only for files that have been
analyzed.
Analysis server. To view any available File Analysis information for a file, select Monitor > File
Analysis and enter the SHA-256 to search for the file. If the File Analysis service has analyzed the
file from any source, you can see the details. Results are displayed only for files that have been
analyzed.
If the appliance processed a subsequent instance of a file that was sent for analysis, those instances
will appear in Message Tracking search results.
will appear in Message Tracking search results.
Taking Action When File Threat Verdicts Change
Step 1
View the AMP Verdict Updates report.
Step 2
Click the relevant SHA-256 link to view message tracking data for all messages that contained that file
that may have been delivered to end users.
that may have been delivered to end users.
Step 3
Using the tracking data, identify the users that may have been compromised, as well as information such
as the file names involved in the breach and sender of the file.
as the file names involved in the breach and sender of the file.
Step 4
Check the File Analysis report to see if this SHA-256 was sent for analysis, to understand the threat
behavior of the file in more detail.
behavior of the file in more detail.
Related Topics
•
Troubleshooting File Reputation and Analysis
•
•
•
•
•
•