Cisco Email Security Appliance C160 User Guide

User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
 
Chapter 17      File Reputation Filtering and File Analysis
  Overview of File Reputation Filtering and File Analysis
Verdicts can also change from malicious to clean. 
When the appliance processes subsequent instances of the same file, the updated verdict is 
immediately applied.
Information about the timing of verdict updates is included in the file-criteria document referenced in 
Related Topics 
File Processing Overview 
Evaluation of file reputation and sending of files for analysis occur immediately after anti-virus 
scanning, regardless of verdicts from previous scanning engines, unless a final action has been taken on 
the message. 
Note
If a message has malformed headers, the appliance will attempt to extract the attachments from the 
message. If the extracted messages are found to be malicious, the file reputation verdict is set to 
“malicious.” If the appliance is unable to extract the attachments, the file reputation verdict is set to 
“unscannable.” 
Communications between the appliance and the file reputation service are encrypted and protected 
from tampering. 
After a file’s reputation is evaluated: 
• The file reputation verdict for a message without any attachments is set to “skipped.”
• If the file is known to the file reputation service and is determined to be clean, the message continues
  through the workqueue.
• If the file reputation service returns a verdict of malicious for any attachment in the message, then
  the appliance applies the action that you have specified in the applicable mail policy.
• If the file is known to the reputation service but there is insufficient information for a definitive
  verdict, the reputation service returns a reputation score based on characteristics of the file such as
  threat fingerprint and behavioral analysis. If this score meets or exceeds the configured reputation
  threshold, the appliance applies the action that you have configured in the mail policy for files that
  contain malware.
• If the reputation service has no information about the file, and the file does not meet the criteria for
  analysis (see ), the file is considered clean and the message continues through the workqueue.
• If you have enabled the File Analysis service, and the reputation service has no information about
  the file, and the file meets the criteria for files that can be analyzed (see ), then the message can be
  quarantined (see ) and the file sent for analysis. If you have not configured the appliance to
  quarantine messages when attachments are sent for analysis, or the file is not sent for analysis, then
  the message is released to the user.
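The verdict handling described above can be modelled as a small decision function, which is useful for checking what a given mail policy should do with a message before relying on it. This is an added example, not AsyncOS code or any Cisco API: every class, field, state label and action name is hypothetical, the "unknown" verdict label for files pending analysis is an assumption, and a score below the threshold is assumed to be treated as clean because the text does not say.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Lookup:
    """Reputation-service answer for one attachment (field names are hypothetical)."""
    state: str                    # "clean" | "malicious" | "score" | "unknown"
    score: Optional[int] = None   # set only when state == "score"
    analyzable: bool = False      # file meets the criteria for File Analysis

@dataclass
class Policy:
    threshold: int                    # configured reputation threshold
    malware_action: str = "drop"      # action configured for files that contain malware
    file_analysis: bool = True        # File Analysis service enabled
    quarantine_pending: bool = True   # quarantine while attachments are analyzed

def evaluate(lookups: List[Lookup], policy: Policy,
             extractable: bool = True) -> Tuple[str, Optional[str], List[int]]:
    """Return (verdict, message outcome, indexes of files sent for analysis)."""
    if not extractable:               # malformed headers, attachments not extractable
        return "unscannable", None, []    # the text states only the verdict here
    if not lookups:                   # message without any attachments
        return "skipped", None, []
    pending = []
    for i, f in enumerate(lookups):
        if f.state == "malicious":    # one malicious attachment decides the message
            return "malicious", policy.malware_action, []
        if f.state == "score" and f.score is not None and f.score >= policy.threshold:
            return "malicious", policy.malware_action, []   # "meets or exceeds"
        if f.state == "unknown" and policy.file_analysis and f.analyzable:
            pending.append(i)         # no reputation data, eligible for analysis
        # Anything else is treated as clean (assumption for sub-threshold scores).
    if pending and policy.quarantine_pending:
        return "unknown", "quarantine", pending
    # Either nothing was sent for analysis, or quarantine is not configured.
    return ("unknown" if pending else "clean"), "continue", pending
```
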