Cisco Cisco Web Security Appliance S170 사용자 가이드
20-7
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 20 Configuring Security Services
Anti-Malware Scanning Overview
•
URL request. Webroot evaluates a URL request to determine if the URL is a malware suspect. If
Webroot suspects the response from this URL might contain malware, the appliance monitors or
blocks the request, depending on how the appliance is configured. If Webroot evaluation clears the
request, the appliance retrieves the URL and scans the server response.
Webroot suspects the response from this URL might contain malware, the appliance monitors or
blocks the request, depending on how the appliance is configured. If Webroot evaluation clears the
request, the appliance retrieves the URL and scans the server response.
•
Server response. When the appliance retrieves a URL, Webroot scans the server response content
and compares it to the Webroot signature database.
and compares it to the Webroot signature database.
For more information about how the DVS engine uses malware scanning verdicts to handle web traffic,
see
see
.
McAfee Scanning
The McAfee scanning engine inspects objects downloaded from a web server in HTTP responses. After
inspecting the object, it passes a malware scanning verdict to the DVS engine so the DVS engine can
determine whether to monitor or block the request.
inspecting the object, it passes a malware scanning verdict to the DVS engine so the DVS engine can
determine whether to monitor or block the request.
The McAfee scanning engine uses the following methods to determine the malware scanning verdict:
•
Matching virus signature patterns
•
Heuristic analysis
For more information about how the DVS engine uses malware scanning verdicts to handle web traffic,
see
see
.
Matching Virus Signature Patterns
McAfee uses virus definitions in its database with the scanning engine to detect particular viruses, types
of viruses, or other potentially unwanted software. It searches for virus signatures in files.
of viruses, or other potentially unwanted software. It searches for virus signatures in files.
When you enable McAfee, the McAfee scanning engine always uses this method to scan server response
content.
content.
Heuristic Analysis
New threats on the web appear almost daily. Using only virus signatures, the engine cannot detect a new
virus or other malware because its signature is not yet known. However, by using heuristic analysis, the
McAfee scanning engine can detect new classes of currently unknown viruses and malware in advance.
virus or other malware because its signature is not yet known. However, by using heuristic analysis, the
McAfee scanning engine can detect new classes of currently unknown viruses and malware in advance.
Heuristic analysis is a technique that uses general rules, rather than specific rules, to detect new viruses
and malware. When the McAfee scanning engine uses heuristic analysis, it looks at the code of an object,
applies generic rules, and determines how likely the object is to be virus-like.
and malware. When the McAfee scanning engine uses heuristic analysis, it looks at the code of an object,
applies generic rules, and determines how likely the object is to be virus-like.
Using heuristic analysis increases the likelihood of catching viruses and malware before McAfee
updates its virus signature database. However, it also increases the possibility of reporting false positives
(clean content designated as a virus). It also might impact appliance performance.
updates its virus signature database. However, it also increases the possibility of reporting false positives
(clean content designated as a virus). It also might impact appliance performance.
When you enable McAfee, you can choose whether or not to also enable heuristic analysis when
scanning objects.
scanning objects.