Cisco Web Security Appliance S170 User Guide

AsyncOS 8.7 for Cisco Web Security Appliances User Guide
 
Chapter 13 Configuring Security Services
Maintaining the Database Tables
The web reputation, Webroot, Sophos, and McAfee databases periodically receive updates from the 
Cisco IronPort update server (https://update-manifests.ironport.com). Server updates are 
automated and the update interval is set by the server. 
The Web Reputation Database
The Web Security appliance maintains a filtering database that contains statistics and information about 
how different types of requests are handled. The appliance can also be configured to send web reputation 
statistics to a Cisco SensorBase Network server. SensorBase server information is leveraged with data 
feeds from the SensorBase Network and the information is used to produce a Web Reputation Score.
Logging
The access log file records the information returned by the Web Reputation Filters and the DVS engine 
for each transaction. The scanning verdict information section in the access logs includes many fields to 
help understand the cause for the action applied to a transaction. For example, some fields display the 
web reputation score or the malware scanning verdict Sophos passed to the DVS engine. 
Logging Adaptive Scanning
Transactions blocked and monitored by the adaptive scanning engine use the ACL decision tags: 
BLOCK_AMW_RESP
MONITOR_AMW_RESP
Caching
The following guidelines explain how AsyncOS uses the cache while scanning for malware: 
AsyncOS only caches objects if the entire object downloads. If malware is blocked during scanning, the whole object is not downloaded and therefore is not cached.
AsyncOS scans content whether it is retrieved from the server or from the web cache.
The length of time that content is cached varies with many factors - there is no default. 
AsyncOS rescans content when signatures are updated.
| Custom Field in Access Logs | Custom Field in W3C Logs | Description |
| --- | --- | --- |
| %X6 | x-as-malware-threat-name | The anti-malware name returned by Adaptive Scanning. If the transaction is not blocked, this field returns a hyphen (“-”). This variable is included in the scanning verdict information (in the angled brackets at the end of each access log entry). |
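
The following Python sketch is an added example, not part of the Cisco guide: it scans access log entries for the two adaptive scanning ACL decision tags listed under "Logging Adaptive Scanning" and reads the threat name from the scanning verdict information in angled brackets. The sample entries are constructed and simplified, and the position of the threat name within the verdict fields (last, via the hypothetical `threat_index` parameter) is an assumption to adjust for a real appliance.

```python
import csv
import re
from collections import Counter

# ACL decision tags the page lists for the adaptive scanning engine.
TAG_RE = re.compile(r"\b(BLOCK_AMW_RESP|MONITOR_AMW_RESP)\b")
# Scanning verdict information: the last <...> group in the entry.
VERDICT_RE = re.compile(r"<([^<>]*)>[^<>]*$")

# Constructed, simplified entries (not captured from an appliance). Assumed
# layout: three verdict fields, with the threat name as the last one.
SAMPLE_LINES = [
    '1700000000.101 52 192.0.2.10 TCP_DENIED/403 0 GET http://a.example/x.bin '
    '- NONE/- - BLOCK_AMW_RESP-DefaultGroup <-7.2,20,"Constructed.Threat,A"> -',
    '1700000001.202 80 192.0.2.11 TCP_MISS/200 512 GET http://b.example/y.js '
    '- DIRECT/b.example text/javascript MONITOR_AMW_RESP-DefaultGroup <-1.0,0,-> -',
    '1700000002.303 41 192.0.2.12 TCP_MISS/200 900 GET http://c.example/ '
    '- DIRECT/c.example text/html DEFAULT_CASE-DefaultGroup <5.1,0,-> -',
    '1700000003.404 12 192.0.2.13 TCP_DENIED/403 0 GET http://d.example/z '
    '- NONE/- - BLOCK_AMW_RESP-DefaultGroup',  # truncated: no verdict section
]

def parse_entry(line, threat_index=-1):
    """Return (tag, threat_name) for adaptive scanning entries, else None."""
    tag = TAG_RE.search(line)
    if tag is None:
        return None
    verdict = VERDICT_RE.search(line)
    if verdict is None:
        return tag.group(1), None  # tag present, verdict section missing
    # csv handles quoted fields that themselves contain commas.
    fields = next(csv.reader([verdict.group(1)]), [])
    threat = fields[threat_index].strip() if fields else "-"
    # The page documents a hyphen when the transaction is not blocked.
    return tag.group(1), None if threat in ("", "-") else threat

def summarize(lines):
    """Count adaptive scanning decisions and collect named threats."""
    counts, threats = Counter(), Counter()
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        counts[parsed[0]] += 1
        if parsed[1]:
            threats[parsed[1]] += 1
    return counts, threats

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```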