Cisco Email Security Appliance C170 User Guide

User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
 
Chapter 17 File Reputation Filtering and File Analysis
Overview of File Reputation Filtering and File Analysis
Some files with unknown reputation can be analyzed for threat characteristics. When you configure the 
file analysis feature, you choose which file types are analyzed. New types can be added dynamically; 
you will receive an alert when the list of uploadable file types changes, and can select added file types 
to upload. 
Details about what files are supported by the reputation and analysis services are available only to 
registered Cisco customers. For information about which files are evaluated and analyzed, see File 
Criteria for Advanced Malware Protection Services for Cisco Content Security Products, available from 
The criteria for evaluating a file’s reputation and for sending files for analysis may change at any time.
In order to access this document, you must have a Cisco customer account with a support contract. To 
register, visit
You should configure policies to block delivery of files that are not addressed by Advanced Malware 
Protection. 
Note
A file that has already been uploaded for analysis from any source will not be uploaded again. To view 
analysis results for such a file, search for the SHA-256 from the File Analysis reporting page. 
Related Topics 
Archive or Compressed File Processing
If the file is compressed or archived:
- Reputation of the compressed or archive file is evaluated.
- The compressed or archive file is decompressed and reputations of all the extracted files are evaluated.
For information about which archived and compressed files are examined, including file formats, see the 
information linked from 
In this scenario:
- If one of the extracted files is malicious, the file reputation service returns a verdict of Malicious for 
  the compressed or the archive file.
- If the compressed or archive file is malicious and all the extracted files are clean, the file reputation 
  service returns a verdict of Malicious for the compressed or the archive file.
- If the verdict of any of the extracted files is unknown, the extracted files are optionally (if configured 
  and the file type is supported for file analysis) sent for file analysis.
- If the extraction of a file fails while decompressing a compressed or an archive file, the file 
  reputation service returns a verdict of Unscannable for the compressed or the archive file. Keep in 
  mind that, in this scenario, if one of the extracted files is malicious, the file reputation service returns 
  a verdict of Malicious for the compressed or the archive file (Malicious verdict takes precedence 
  over Unscannable verdict).
Note
The reputation of extracted files with safe MIME types, for example, text/plain, is not evaluated.
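
The verdict rules above, modelled as an added Python example (not Cisco's code and not part of the original guide). The names `archive_verdict`, `Extracted` and `SAFE_MIME_TYPES` are hypothetical, and falling back to the archive's own reputation verdict when nothing is malicious and extraction succeeds is an assumption the guide does not state.

```python
from dataclasses import dataclass

# The guide names text/plain as one safe MIME type; the full list is not given.
SAFE_MIME_TYPES = frozenset({"text/plain"})


@dataclass
class Extracted:
    """One file extracted from an archive (hypothetical model)."""
    name: str
    mime: str
    verdict: str  # "clean", "malicious" or "unknown" from the reputation lookup


def archive_verdict(container_verdict, extracted, extraction_failed=False,
                    analysis_enabled=False, analyzable_mimes=frozenset()):
    """Return (verdict for the archive, names of extracted files sent for analysis)."""
    # Extracted files with safe MIME types are not evaluated at all.
    evaluated = [f for f in extracted if f.mime not in SAFE_MIME_TYPES]

    # Unknown files are sent for analysis only when file analysis is
    # configured and the file type is supported for analysis.
    to_analyze = [f.name for f in evaluated
                  if f.verdict == "unknown"
                  and analysis_enabled
                  and f.mime in analyzable_mimes]

    # Malicious wins, whether it comes from the archive itself or from any
    # extracted file, and it takes precedence over Unscannable.
    if container_verdict == "malicious" or any(
            f.verdict == "malicious" for f in evaluated):
        return "malicious", to_analyze

    # A failed extraction with no malicious finding is Unscannable.
    if extraction_failed:
        return "unscannable", to_analyze

    # Assumption (not stated in the guide): otherwise the archive keeps
    # the verdict of its own reputation lookup.
    return container_verdict, to_analyze


# Constructed sample: a partially extracted archive with one malicious file.
SAMPLE = [Extracted("readme.txt", "text/plain", "unknown"),
          Extracted("invoice.exe", "application/x-msdownload", "malicious")]

if __name__ == "__main__":
    print(archive_verdict("clean", SAMPLE, extraction_failed=True))
```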