Cisco Cisco Web Security Appliance S170 사용자 가이드
16-7
Cisco AsyncOS 8.5 for Email User Guide
Chapter 16 File Reputation Filtering and File Analysis
File Reputation and File Analysis Reporting and Tracking
Identifying Files by SHA-256 Hash
Because filenames can easily be changed, the appliance generates an identifier for each file using a
Secure Hash Algorithm (SHA-256). If an appliance processes the same file with different names, all
instances are recognized as the same SHA-256. If multiple appliances process the same file, all instances
of the file have the same SHA-256 identifier.
Secure Hash Algorithm (SHA-256). If an appliance processes the same file with different names, all
instances are recognized as the same SHA-256. If multiple appliances process the same file, all instances
of the file have the same SHA-256 identifier.
In most reports, files are listed by their SHA-256 value (in an abbreviated format). To identify the
filenames associated with a malware instance in your organization, select Reporting > Advanced
Malware Protection and click an SHA-256 link in the table. The details page shows associated filenames.
filenames associated with a malware instance in your organization, select Reporting > Advanced
Malware Protection and click an SHA-256 link in the table. The details page shows associated filenames.
File Reputation and File Analysis Report Pages
Report Description
Advanced Malware
Protection
Protection
Shows file-based threats that were identified by the file reputation service.
To see the users who tried to access each SHA, and the filenames associated
with that SHA-256, click a SHA-256 in the table.
with that SHA-256, click a SHA-256 in the table.
Clicking the link at the bottom of Malware Threat File Details report page
displays all instances of the file in Web Tracking that were encountered
within the maximum available time range, regardless of the time range
selected for the report.
displays all instances of the file in Web Tracking that were encountered
within the maximum available time range, regardless of the time range
selected for the report.
For files with changed verdicts, see the AMP Verdict updates report. Those
verdicts are not reflected in the Advanced Malware Protection report.
verdicts are not reflected in the Advanced Malware Protection report.
File Analysis
Displays the time and verdict (or interim verdict) for each file sent for
analysis.
analysis.
To view more than 1000 File Analysis results, export the data as a .csv file.
Drill down to view detailed analysis results, including the threat
characteristics and score for each file.
characteristics and score for each file.
You can also search the cloud service for additional information about an
SHA. The link is on the result details page.
SHA. The link is on the result details page.
AMP Verdict Updates
Lists the files processed by this appliance for which the verdict has changed
since the transaction was processed. For information about this situation, see
since the transaction was processed. For information about this situation, see
To view more than 1000 verdict updates, export the data as a .csv file.
In the case of multiple verdict changes for a single SHA-256, this report
shows only the latest verdict, not the verdict history.
shows only the latest verdict, not the verdict history.
Clicking an SHA-256 link displays the Malware Threat Files page, which
displays data only if the file was initially determined to contain malware.
displays data only if the file was initially determined to contain malware.
To view all affected transactions for a particular SHA-256 within the
maximum available time range (regardless of the time range selected for the
report) click the link at the bottom of the Malware Threat Files page.
maximum available time range (regardless of the time range selected for the
report) click the link at the bottom of the Malware Threat Files page.