Cisco Web Security Appliance S170 User Guide

AsyncOS 8.7 for Cisco Web Security Appliances User Guide
 
Chapter 14: File Reputation Filtering and File Analysis
Overview of File Reputation Filtering and File Analysis
File Processing Overview 
First, the web site from which the file is downloaded is evaluated against the Web Based Reputation 
Service (WBRS). 
If the web reputation score of the site is in the range configured to “Scan,” the appliance simultaneously 
scans the transaction for malware and queries the cloud-based service for the reputation of the file. (If 
the site’s reputation score is in the “Block” range, the transaction is handled accordingly and there is no 
need to process the file further.) If malware is found during scanning, the transaction is blocked 
regardless of the reputation of the file. 
If Adaptive Scanning is also enabled, file reputation evaluation and file analysis are included in 
Adaptive Scanning. 
Communications between the appliance and the file reputation service are encrypted and protected 
from tampering. 
After a file’s reputation is evaluated:
• If the file is known to the file reputation service and is determined to be clean, the file is released to the end user.
• If the file reputation service returns a verdict of malicious, then the appliance applies the action that you have specified for such files.
• If the file is known to the reputation service but there is insufficient information for a definitive verdict, the reputation service returns a threat score based on characteristics of the file such as threat fingerprint and behavioral analysis. If this score meets or exceeds the reputation threshold, the appliance applies the action that you have configured in the access policy for malicious or high-risk files.
• If the reputation service has no information about the file, and the file does not meet the criteria for analysis (see ), the file is considered clean and the file is released to the end user.
• If you have enabled File Analysis, and the reputation service has no information about the file, and the file meets the criteria for files that can be analyzed (see ), then the file is considered clean and is optionally sent for analysis.
• If file reputation information is unavailable because the connection with the service timed out, the file is considered clean and is released to the end user.
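The decision flow above, modeled as an added example (not Cisco code and not part of the original guide) that flags which paths release a file without a definitive verdict. The function names, disposition labels, the threshold value of 60 and the below-threshold outcome are assumptions made for illustration.

```python
# Hypothetical model of the flow described above; all names are illustrative.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Verdict:
    action: str     # "site_block", "block", "policy_action" or "release"
    verified: bool  # True only when a service gave a definitive answer
    analyze: bool   # eligible to be sent for File Analysis
    reason: str

def process_file(wbrs_range: str, malware_found: bool, disposition: str,
                 threat_score: Optional[int] = None, threshold: int = 60,
                 analysis_enabled: bool = False, analyzable: bool = False) -> Verdict:
    """disposition: clean | malicious | uncertain | unknown | timeout."""
    if wbrs_range == "block":
        return Verdict("site_block", True, False, "WBRS block range; file not processed")
    if wbrs_range != "scan":
        raise ValueError("only the Block and Scan ranges are described on the page")
    if malware_found:  # the scan result wins regardless of file reputation
        return Verdict("block", True, False, "malware found during scanning")
    if disposition == "clean":
        return Verdict("release", True, False, "known clean")
    if disposition == "malicious":
        return Verdict("policy_action", True, False, "malicious verdict")
    if disposition == "uncertain":
        if threat_score is not None and threat_score >= threshold:
            return Verdict("policy_action", True, False, "score meets threshold")
        # Assumption: the page does not state the below-threshold outcome.
        return Verdict("release", False, False, "score below threshold")
    if disposition == "unknown":
        return Verdict("release", False, analysis_enabled and analyzable, "no reputation data")
    if disposition == "timeout":
        return Verdict("release", False, False, "service timed out (fail-open)")
    raise ValueError(f"unexpected disposition: {disposition}")

def unverified_releases(transactions):
    """Reasons for files released without a definitive verdict."""
    verdicts = (process_file(**t) for t in transactions)
    return [v.reason for v in verdicts if v.action == "release" and not v.verified]

# Constructed sample transactions (not real appliance data).
SAMPLE = [
    dict(wbrs_range="scan", malware_found=False, disposition="clean"),
    dict(wbrs_range="scan", malware_found=True, disposition="clean"),
    dict(wbrs_range="scan", malware_found=False, disposition="uncertain", threat_score=75),
    dict(wbrs_range="scan", malware_found=False, disposition="unknown",
         analysis_enabled=True, analyzable=True),
    dict(wbrs_range="scan", malware_found=False, disposition="timeout"),
]
```

Running `unverified_releases(SAMPLE)` isolates the two fail-open paths, unknown files and service timeouts, which are the releases worth tracking in reporting.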