Cisco Web Security Appliance S160 User Guide
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 14 File Reputation Filtering and File Analysis
• Information about File Analysis, including analysis results and whether or not a file was sent for
analysis, is available only in the File Analysis report.
Additional information about an analyzed file may be available from the cloud or on-premises File
Analysis server. To view any available File Analysis information for a file, select Reporting > File
Analysis and enter the SHA-256 to search for the file, or click the SHA-256 link in Web Tracking
details. If the File Analysis service has analyzed the file from any source, you can see the details.
Results are displayed only for files that have been analyzed.
If the appliance processed subsequent instances of a file that was sent for analysis, those instances
will appear in Web Tracking search results.
Taking Action When File Threat Verdicts Change
Step 1 View the AMP Verdict Updates report.
Step 2 Click the relevant SHA-256 link to view web tracking data for all transactions involving that file that
end users were allowed to access.
Step 3 Using the tracking data, identify the users that may have been compromised, as well as information such
as the file names involved in the breach and the web site from which the file was downloaded.
Step 4 Check the File Analysis report to see if this SHA-256 was sent for analysis, to understand the threat
behavior of the file in more detail.
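The correlation in Steps 2 and 3, sketched over exported data as an added example (not part of the Cisco guide or the appliance's own tooling). The CSV column names, the ALLOWED/BLOCKED action values, the hashes and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

SHA_A = "a" * 64  # constructed placeholder hashes, not real indicators
SHA_B = "b" * 64

# Constructed sample exports; the column names are assumptions.
VERDICT_UPDATES = f"""sha256,old_verdict,new_verdict
{SHA_A},clean,malicious
{SHA_B},unknown,clean
"""

WEB_TRACKING = f"""time,user,action,url,filename,sha256
2024-05-01T08:12:03,alice,ALLOWED,http://files.example.test/dl/invoice.pdf,invoice.pdf,{SHA_A}
2024-05-01T09:40:11,bob,ALLOWED,http://mirror.example.test/x/Invoice_copy.pdf,Invoice_copy.pdf,{SHA_A.upper()}
2024-05-01T10:02:45,carol,BLOCKED,http://files.example.test/dl/invoice.pdf,invoice.pdf,{SHA_A}
2024-05-01T11:30:00,dave,ALLOWED,http://cdn.example.test/tool.zip,tool.zip,{SHA_B}
"""


def exposure_by_hash(updates_csv, tracking_csv):
    """Map each SHA-256 whose verdict changed to malicious to the users,
    file names and download sites of transactions that were allowed."""
    now_malicious = {
        row["sha256"].strip().lower()
        for row in csv.DictReader(io.StringIO(updates_csv))
        if row["new_verdict"].strip().lower() == "malicious"
    }
    exposure = defaultdict(lambda: {"users": set(), "files": set(), "sites": set()})
    for row in csv.DictReader(io.StringIO(tracking_csv)):
        sha = row["sha256"].strip().lower()  # hash case may differ between exports
        # Only allowed transactions delivered the file to an end user.
        if sha not in now_malicious or row["action"].strip().upper() != "ALLOWED":
            continue
        entry = exposure[sha]
        entry["users"].add(row["user"])
        entry["files"].add(row["filename"])
        entry["sites"].add(urlsplit(row["url"]).hostname)
    return dict(exposure)


if __name__ == "__main__":
    for sha, info in exposure_by_hash(VERDICT_UPDATES, WEB_TRACKING).items():
        print(sha[:12], sorted(info["users"]), sorted(info["files"]), sorted(info["sites"]))
```

The same file can appear under different names and from different sites, which is why the grouping key is the SHA-256 rather than the file name or URL.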
Related Topics
• Troubleshooting File Reputation and Analysis
Log Files
In logs:
• AMP and amp refer to the file reputation service or engine.
• Retrospective refers to verdict updates.
• VRT and sandboxing refer to the file analysis service.
Information about Advanced Malware Protection including File Analysis is logged in Access Logs or in
AMP Engine Logs. For more information, see the chapter on monitoring system activity through logs.