Cisco Cisco Email Security Appliance C160 Mode D'Emploi
17-14
Cisco AsyncOS 9.5 for Email User Guide
Chapter 17 File Reputation Filtering and File Analysis
Taking Action When File Threat Verdicts Change
Viewing File Reputation Filtering Data in Other Reports
Data for file reputation and analysis is available in other reports where relevant. A "Detected by
Advanced Malware Protection" column may be hidden by default in applicable reports. To display
additional columns, click the Columns link below the table.
Advanced Malware Protection" column may be hidden by default in applicable reports. To display
additional columns, click the Columns link below the table.
About Message Tracking and Advanced Malware Protection Features
When searching for file threat information in Message Tracking, keep the following points in mind:
•
To search for malicious files found by the file reputation service, select Advanced Malware
Protection Positive for the Message Event option in the Advanced section in Message Tracking.
Protection Positive for the Message Event option in the Advanced section in Message Tracking.
•
Message Tracking includes only information about file reputation processing and the original file
reputation verdicts returned at the time a message was processed. For example, if a file was initially
found to be clean, then a verdict update found the file to be malicious, only the clean verdict appears
in Tracking results.
reputation verdicts returned at the time a message was processed. For example, if a file was initially
found to be clean, then a verdict update found the file to be malicious, only the clean verdict appears
in Tracking results.
In Message Tracking details, the Processing Details section shows:
–
The SHA-256 of each attachment in the message, and
–
The final Advanced Malware Protection verdict for the message as a whole, and
–
Any attachments which were found to contain malware.
No information is provided for clean or unscannable attachments.
•
Verdict updates are available only in the AMP Verdict Updates report. The original message details
in Message Tracking are not updated with verdict changes. To see messages that have a particular
attachment, click a SHA-256 in the verdict updates report.
in Message Tracking are not updated with verdict changes. To see messages that have a particular
attachment, click a SHA-256 in the verdict updates report.
•
Information about File Analysis, including analysis results and whether or not a file was sent for
analysis, are available only in the File Analysis report.
analysis, are available only in the File Analysis report.
Additional information about an analyzed file may be available from the cloud. To view any
available File Analysis information for a file, select Monitor > File Analysis and enter the SHA-256
to search for the file. If the File Analysis service has analyzed the file from any source, you can see
the details. Results are displayed only for files that have been analyzed.
available File Analysis information for a file, select Monitor > File Analysis and enter the SHA-256
to search for the file. If the File Analysis service has analyzed the file from any source, you can see
the details. Results are displayed only for files that have been analyzed.
If the appliance processed a subsequent instance of a file that was sent for analysis, those instances
will appear in Message Tracking search results.
will appear in Message Tracking search results.
Taking Action When File Threat Verdicts Change
Procedure
Step 1
View the AMP Verdict Updates report.
Step 2
Click the relevant SHA-256 link to view message tracking data for all messages that contained that file
that may have been delivered to end users.
that may have been delivered to end users.
Step 3
Using the tracking data, identify the users that may have been compromised, as well as information such
as the file names involved in the breach and sender of the file.
as the file names involved in the breach and sender of the file.