Cisco Web Security Appliance S390 User Guide

AsyncOS 9.0 for Cisco Web Security Appliances User Guide
 
Chapter 14 File Reputation Filtering and File Analysis
  Overview of File Reputation Filtering and File Analysis
File Processing Overview 
First, the web site from which the file is downloaded is evaluated against the Web Based Reputation 
Service (WBRS). 
If the web reputation score of the site is in the range configured to “Scan,” the appliance simultaneously 
scans the transaction for malware and queries the cloud-based service for the reputation of the file. (If 
the site’s reputation score is in the “Block” range, the transaction is handled accordingly and there is no 
need to process the file further.) If malware is found during scanning, the transaction is blocked 
regardless of the reputation of the file. 
If Adaptive Scanning is also enabled, file reputation evaluation and file analysis are included in 
Adaptive Scanning. 
Communications between the appliance and the file reputation service are encrypted and protected 
from tampering. 
After a file’s reputation is evaluated: 
• If the file is known to the file reputation service and is determined to be clean, the file is released to
  the end user.
• If the file reputation service returns a verdict of malicious, then the appliance applies the action that
  you have specified for such files.
• If the file is known to the reputation service but there is insufficient information for a definitive
  verdict, the reputation service returns a threat score based on characteristics of the file such as threat
  fingerprint and behavioral analysis. If this score meets or exceeds the configured reputation
  threshold, the appliance applies the action that you have configured in the access policy for
  malicious or high-risk files.
• If the reputation service has no information about the file, and the file does not meet the criteria for
  analysis (see ), the file is considered clean and
  the file is released to the end user.
• If you have enabled the cloud-based File Analysis service, and the reputation service has no
  information about the file, and the file meets the criteria for files that can be analyzed (see
  ), then the file is considered clean and is optionally
  sent for analysis.
• For deployments with on-premises file analysis, the reputation evaluation and file analysis occur
  simultaneously. If the reputation service returns a verdict, that verdict is used, as the reputation
  service includes inputs from a wider range of sources. If the file is unknown to the reputation
  service, the file is released to the user but the file analysis result is updated in the local cache and is
  used to evaluate future instances of the file.
• If file reputation or file analysis verdict information is unavailable because the connection with the
  service timed out, the file is considered clean and is released to the end user.
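
The decision flow above, modelled as an added Python example (not Cisco code and not an AsyncOS API); the labels, the `Outcome` type, the sample files and the threshold value 60 are constructed for illustration, and on-premises file analysis is left out. It lists the paths on which a file reaches the user with no verdict behind it (unknown file, service timeout).

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical labels for this sketch; they are not AsyncOS identifiers.
CLEAN, MALICIOUS, SCORED, UNKNOWN = "clean", "malicious", "scored", "unknown"

@dataclass(frozen=True)
class Outcome:
    action: str                 # "release", "block" or "policy_action"
    basis: str                  # which rule decided
    verdict_backed: bool        # False: released without any verdict
    send_for_analysis: bool = False

def decide(disposition: Optional[str], score: Optional[int], threshold: int,
           analyzable: bool, cloud_analysis: bool, malware_found=False) -> Outcome:
    """Model the flow; disposition=None means the reputation query timed out."""
    if malware_found:           # scan result wins regardless of file reputation
        return Outcome("block", "malware scan", True)
    if disposition is None:     # fail-open: treated as clean
        return Outcome("release", "service timeout", False)
    if disposition == CLEAN:
        return Outcome("release", "known clean", True)
    if disposition == MALICIOUS:
        return Outcome("policy_action", "malicious verdict", True)
    if disposition == SCORED:
        if score is not None and score >= threshold:    # "meets or exceeds"
            return Outcome("policy_action", "score >= threshold", True)
        # Assumption: the page does not state the below-threshold outcome.
        return Outcome("release", "score < threshold", True)
    if disposition == UNKNOWN:  # considered clean; optionally analyzed
        return Outcome("release", "unknown file", False,
                       send_for_analysis=analyzable and cloud_analysis)
    raise ValueError(f"unexpected disposition: {disposition!r}")

# Constructed sample transactions: (name, disposition, score, analyzable).
SAMPLES = [
    ("a.exe", CLEAN, None, True),
    ("b.exe", SCORED, 60, True),
    ("c.pdf", UNKNOWN, None, False),
    ("d.exe", UNKNOWN, None, True),
    ("e.exe", None, None, True),    # reputation query timed out
]

def unverified_releases(threshold=60, cloud_analysis=True):
    """Sample files that reach the user with no verdict behind them."""
    results = [(n, decide(d, s, threshold, a, cloud_analysis)) for n, d, s, a in SAMPLES]
    return [(n, o.basis, o.send_for_analysis) for n, o in results
            if o.action == "release" and not o.verdict_backed]
```
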