Cisco Cisco Web Security Appliance S680 Guía Del Usuario
14-15
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 14 File Reputation Filtering and File Analysis
File Reputation and File Analysis Reporting and Tracking
Viewing File Reputation Filtering Data in Other Reports
Data for file reputation and analysis is available in other reports where relevant. A "Blocked by
Advanced Malware Protection" column may be hidden by default in applicable reports. To display
additional columns, click the Columns link below the table.
Advanced Malware Protection" column may be hidden by default in applicable reports. To display
additional columns, click the Columns link below the table.
The Report by User Location includes an Advanced Malware Protection tab.
About Web Tracking and Advanced Malware Protection Features
When searching for file threat information in Web Tracking, keep the following points in mind:
•
To search for malicious files found by the file reputation service, select Known Malicious and
High-Risk Files for the Filter by Malware Category option in the Malware Threat area in the
Advanced section in Web Tracking.
High-Risk Files for the Filter by Malware Category option in the Malware Threat area in the
Advanced section in Web Tracking.
•
Web Tracking includes only information about file reputation processing and the original file
reputation verdicts returned at the time a transaction was processed. For example, if a file was
initially found to be clean, then a verdict update found the file to be malicious, only the clean verdict
appears in Tracking results.
reputation verdicts returned at the time a transaction was processed. For example, if a file was
initially found to be clean, then a verdict update found the file to be malicious, only the clean verdict
appears in Tracking results.
“Block - AMP” in search results means the transaction was blocked because of the file's reputation
verdict.
verdict.
In Tracking details, the “AMP Threat Score” is the best-effort score that the cloud reputation service
provides when it cannot determine a clear verdict for the file. In this situation, the score is between
1 and 100. (Ignore the AMP Threat Score if an AMP Verdict is returned or if the score is zero.) The
appliance compares this score to the threshold score (configured on the Security Services >
Anti-Malware and Reputation page) to determine what action to take. By default, files with scores
between 60 and 100 are considered malicious. Cisco does not recommend changing the default
threshold score. The WBRS score is the reputation of the site from which the file was downloaded;
this score is not related to the file reputation.
provides when it cannot determine a clear verdict for the file. In this situation, the score is between
1 and 100. (Ignore the AMP Threat Score if an AMP Verdict is returned or if the score is zero.) The
appliance compares this score to the threshold score (configured on the Security Services >
Anti-Malware and Reputation page) to determine what action to take. By default, files with scores
between 60 and 100 are considered malicious. Cisco does not recommend changing the default
threshold score. The WBRS score is the reputation of the site from which the file was downloaded;
this score is not related to the file reputation.
•
Verdict updates are available only in the AMP Verdict Updates report. The original transaction
details in Web Tracking are not updated with verdict changes. To see transactions involving a
particular file , click a SHA-256 in the verdict updates report.
details in Web Tracking are not updated with verdict changes. To see transactions involving a
particular file , click a SHA-256 in the verdict updates report.
Advanced Malware
Protection Verdict
Updates
Protection Verdict
Updates
Lists the files processed by this appliance for which the verdict has changed
since the transaction was processed. For information about this situation, see
since the transaction was processed. For information about this situation, see
To view more than 1000 verdict updates, export the data as a .csv file.
In the case of multiple verdict changes for a single SHA-256, this report
shows only the latest verdict, not the verdict history.
shows only the latest verdict, not the verdict history.
Clicking an SHA-256 link displays web tracking results for all transactions
that included this SHA-256 within the maximum available time range,
regardless of the time range selected for the report.
that included this SHA-256 within the maximum available time range,
regardless of the time range selected for the report.
To view all affected transactions for a particular SHA-256 within the
maximum available time range (regardless of the time range selected for the
report) click the link at the bottom of the Malware Threat Files page.
maximum available time range (regardless of the time range selected for the
report) click the link at the bottom of the Malware Threat Files page.
Note
Report Description