Cisco Web Security Appliance S390 User Guide
Chapter 15: Anti-Malware Services
When the assigned web reputation score indicates to scan the transaction, the DVS engine
receives the URL request and server response content. The DVS engine, in combination with
the Webroot and/or McAfee scanning engines, returns a malware scanning verdict. The DVS
engine uses information from the malware scanning verdicts and Access Policy settings to
determine whether to block or deliver the content to the client.
When you enable both Webroot and McAfee, the DVS engine determines how to scan the
content to optimize performance and efficacy.
Working with Multiple Malware Verdicts
In some cases, the DVS engine might determine multiple malware verdicts for a single URL.
Multiple verdicts can come from one or both scanning engines:
• Different verdicts from different scanning engines. When you enable both Webroot and
McAfee, each scanning engine might return different malware verdicts for the same
object.
• Different verdicts from the same scanning engine. A scanning engine might return
multiple verdicts for a single object when the object contains multiple infections. For
example, a zip file might contain multiple files, each infected with a different kind of
malware.
When a URL causes multiple verdicts, the appliance takes different action depending on
whether one or both scanning engines return the multiple malware verdicts.
Different Scanning Engines
When a URL causes multiple verdicts from both scanning engines, the appliance performs the
most restrictive action. For example, if one scanning engine returns a block verdict and the
other a monitor verdict, the DVS engine always blocks the request. Only the most restrictive
verdict is logged and reported.
Same Scanning Engine
When a URL causes multiple verdicts from the same scanning engine, the appliance takes
action according to the verdict with the highest priority. Only the highest verdict is logged and
reported. The following text lists the possible malware scanning verdicts from the highest to
the lowest priority.
• Virus
• Trojan Downloader
• Trojan Horse
• Trojan Phisher
• Hijacker
• System monitor
• Commercial System Monitor
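
The two resolution rules above, written out as an added Python example (not Cisco's code and not part of the original guide). The function names, the dictionary shapes for engine results and Access Policy settings, and the tie-break between engines are assumptions; the priority list holds only the entries shown on this page.

```python
# Added example: verdict resolution as described in this section.
# Priority order copied from the list on this page (highest first).
PRIORITY = [
    "Virus", "Trojan Downloader", "Trojan Horse", "Trojan Phisher",
    "Hijacker", "System monitor", "Commercial System Monitor",
]
RANK = {name: i for i, name in enumerate(PRIORITY)}
# "block" is more restrictive than "monitor".
RESTRICTIVENESS = {"monitor": 0, "block": 1}


def highest_priority(verdicts):
    """Same engine: the verdict with the highest priority wins."""
    unknown = [v for v in verdicts if v not in RANK]
    if unknown:
        raise ValueError(f"verdict not in this page's list: {unknown}")
    return min(verdicts, key=lambda v: RANK[v])


def resolve(engine_verdicts, policy):
    """Return (action, logged_verdict, engine), or None if no engine
    returned a verdict.

    engine_verdicts: {"Webroot": [...], "McAfee": [...]}  (hypothetical shape)
    policy: {category: "block" | "monitor"}  (hypothetical Access Policy model)
    """
    candidates = []
    for engine, verdicts in engine_verdicts.items():
        if not verdicts:
            continue
        winner = highest_priority(verdicts)
        candidates.append((policy[winner], winner, engine))
    if not candidates:
        return None
    # Different engines: most restrictive action wins. Tie-break by the
    # priority list is an assumption; the page does not specify one.
    return max(candidates,
               key=lambda c: (RESTRICTIVENESS[c[0]], -RANK[c[1]]))


# Constructed sample policy: every category blocks except Virus.
POLICY = {name: "block" for name in PRIORITY}
POLICY["Virus"] = "monitor"   # deliberately weak setting for the demo

if __name__ == "__main__":
    print(resolve({"Webroot": ["Hijacker"], "McAfee": ["Virus"]}, POLICY))
    print(resolve({"Webroot": [], "McAfee": ["Hijacker", "Virus"]}, POLICY))
```

In the second call a single engine returns both Hijacker and Virus, so the same-engine rule selects Virus and the transaction is only monitored, even though Hijacker is set to block. When reviewing Access Policy settings, check that higher-priority categories are at least as restrictive as the ones below them.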