Руководство Пользователя для Cisco Cisco Web Security Appliance S170
8-3
AsyncOS 9.2 for Cisco Web Security Appliances User Guide
Chapter 8 Configuring Security Services
Overview of Anti-Malware Scanning
By default, URLs in an HTTP request that are assigned a Web Reputation Score of +7 are allowed and
require no further scanning. However, a weaker score for an HTTP request, such as +3, is automatically
forwarded to the Cisco IronPort DVS engine where it is scanned for malware. Any URL in an HTTP
request that has a poor reputation is blocked.
require no further scanning. However, a weaker score for an HTTP request, such as +3, is automatically
forwarded to the Cisco IronPort DVS engine where it is scanned for malware. Any URL in an HTTP
request that has a poor reputation is blocked.
Related Topics
•
Web Reputation in Cisco IronPort Data Security Policies
Overview of Anti-Malware Scanning
The Web Security appliance anti-malware feature uses the Cisco IronPort DVS™ engine in combination
with anti-malware scanning engines to stop web-based malware threats. The DVS engine works with the
Webroot™, McAfee, and Sophos anti-malware scanning engines.
with anti-malware scanning engines to stop web-based malware threats. The DVS engine works with the
Webroot™, McAfee, and Sophos anti-malware scanning engines.
The scanning engines inspect transactions to determine a malware scanning verdict to pass to the DVS
engine. The DVS engine determines whether to monitor or block the request based on the malware
scanning verdicts. To use the anti-malware component of the appliance, you must enable anti-malware
scanning and configure global settings, and then apply specific settings to different policies.
engine. The DVS engine determines whether to monitor or block the request based on the malware
scanning verdicts. To use the anti-malware component of the appliance, you must enable anti-malware
scanning and configure global settings, and then apply specific settings to different policies.
Understanding How the DVS Engine Works
The DVS engine performs anti-malware scanning on URL transactions that are forwarded from the Web
Reputation Filters. Web Reputation Filters calculate the probability that a particular URL contains
malware, and assign a URL score that is associated with an action to block, scan, or allow the transaction.
Reputation Filters. Web Reputation Filters calculate the probability that a particular URL contains
malware, and assign a URL score that is associated with an action to block, scan, or allow the transaction.
When the assigned web reputation score indicates to scan the transaction, the DVS engine receives the
URL request and server response content. The DVS engine, in combination with the Webroot and/or
Sophos or McAfee scanning engines, returns a malware scanning verdict. The DVS engine uses
information from the malware scanning verdicts and Access Policy settings to determine whether to
block or deliver the content to the client.
URL request and server response content. The DVS engine, in combination with the Webroot and/or
Sophos or McAfee scanning engines, returns a malware scanning verdict. The DVS engine uses
information from the malware scanning verdicts and Access Policy settings to determine whether to
block or deliver the content to the client.
Working with Multiple Malware Verdicts
The DVS engine might determine multiple malware verdicts for a single URL. Multiple verdicts can
come from one or both enabled scanning engines:
come from one or both enabled scanning engines:
Score
Action
Description
-10 to -6.0
Block
Bad site. The transaction is blocked, and no further scanning occurs.
-5.9 to 0.0
Monitor
The transaction will not be blocked based on Web Reputation, and will
proceed to content checks (file type and size).
proceed to content checks (file type and size).
Note
Sites with no score are monitored.