Cisco Cisco Web Security Appliance S170 사용자 가이드
322
I R O N P O R T A S Y N C O S 6 . 3 F O R W E B U S E R G U I D E
I R O N PO R T DV S ™ ( D Y N A M I C VE C T O R I N G A N D S T R E A M I N G ) E N G I N E
The IronPort Dynamic Vectoring and Streaming (DVS) engine inspects web traffic to provide
protection against the widest variety of web-based malware ranging from commercially
invasive adware applications, to malicious trojans, system monitors, and phishing attacks.
protection against the widest variety of web-based malware ranging from commercially
invasive adware applications, to malicious trojans, system monitors, and phishing attacks.
To configure the DVS engine, and Webroot and McAfee global settings, see “Configuring
Anti-Malware Scanning” on page 328.
Anti-Malware Scanning” on page 328.
The IronPort DVS engine can use one or more scanning engines to determine malware risk.
Depending on the features purchased with the appliance, you can enable any of the following
scanning engines:
Depending on the features purchased with the appliance, you can enable any of the following
scanning engines:
• Webroot. Webroot’s automated spyware detection system rapidly identifies existing and
new spyware threats on the Internet by intelligently scanning millions of sites on a daily
basis. Webroot uses a signature database to help detect threats on the Internet. For more
information about the Webroot scanning engine, see “Webroot Scanning” on page 325.
basis. Webroot uses a signature database to help detect threats on the Internet. For more
information about the Webroot scanning engine, see “Webroot Scanning” on page 325.
• McAfee. The McAfee scanning engine can detect existing and new malware threats by
using a signature database of malware information and heuristic analysis. For more
information about the McAfee scanning engine, see “McAfee Scanning” on page 326.
information about the McAfee scanning engine, see “McAfee Scanning” on page 326.
The scanning engines inspect URL transactions to determine a malware scanning verdict to
pass to the DVS engine. A malware scanning verdict is a value assigned to a URL request or
server response that determines the probability that it contains malware. The DVS engine
determines whether to monitor or block the request based on the malware scanning verdicts.
For more information about malware scanning verdicts, see “Malware Scanning Verdict
Values” on page 460.
pass to the DVS engine. A malware scanning verdict is a value assigned to a URL request or
server response that determines the probability that it contains malware. The DVS engine
determines whether to monitor or block the request based on the malware scanning verdicts.
For more information about malware scanning verdicts, see “Malware Scanning Verdict
Values” on page 460.
In some cases, the DVS engine might determine multiple verdicts for a single URL. For more
information about how the DVS handles multiple verdicts, see “Working with Multiple
Malware Verdicts” on page 323.
information about how the DVS handles multiple verdicts, see “Working with Multiple
Malware Verdicts” on page 323.
Maintaining the Database Tables
The Webroot and McAfee databases periodically receive updates from the IronPort update
server (
server (
https://update-manifests.ironport.com
). Server updates are automated, and
the update interval is set by the server, not the appliance. Updates to the database tables
occur with a regular degree of frequency, and require no administrator intervention.
occur with a regular degree of frequency, and require no administrator intervention.
For information about update intervals and the IronPort update server, see “Manually
Updating Security Service Components” on page 525.
Updating Security Service Components” on page 525.
How the DVS Engine Works
The DVS engine performs anti-malware scanning on URL transactions that are forwarded from
the Web Reputation Filters. Web Reputation Filters calculate the probability that a particular
URL contains malware, and assign a URL score that is associated with an action to block,
scan, or allow the transaction.
the Web Reputation Filters. Web Reputation Filters calculate the probability that a particular
URL contains malware, and assign a URL score that is associated with an action to block,
scan, or allow the transaction.