1445 Views | 0 Helpful | 1 Replies

Cisco DVS Anti-Malware Settings - Difference between monitor and block

johannesgrimm1
Level 1

Hi everybody,

In the Anti-Malware Settings I have the choice between monitoring and blocking traffic. Can somebody tell me what happens when I set the option to monitor? Is the traffic logged only? Or will the DVS inspect the packet and drop it only if it's malicious?

Are the malware categories based on URL-categories? I do not understand the concept yet.

Thanks for your help.

Best regards

Johannes

1 Accepted Solution

Handy Putra
Cisco Employee

Hi,

Malware categories are different from URL-categories.

If you look at the user guide below and go to page 248, it lists all the descriptions of the malware categories:

http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa9-0/wsa9-1/WSA_9-1-1_UserGuide.pdf

Regarding Monitor versus Block:

If the verdict from the scanning engines contains malicious and the setting has been set to Block, then the appliance will block it.

If the verdict from the scanning engines contains malicious and the setting is set to Monitor, it will still deliver the content to the client, with the verdict logged in the appliance logs.

If one of the scanning engines inside DVS has been set to Block while the rest are set to Monitor, and it finds a malicious threat in the request, it will overwrite the others and block automatically.

You can get more details from the user guide as well, on page 235.

Regards

Handy Putra
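The decision rule in the accepted answer (Monitor delivers and logs, Block drops, and a single engine set to Block overrides the Monitor engines when it reports malware) is modelled below as an added example. This is constructed illustration code, not Cisco's DVS implementation: the engine names, the verdict strings and the log line format are assumptions chosen for the example.

```python
"""Constructed model of the DVS Monitor/Block decision described above.

Not Cisco code. It only shows how per-engine verdicts and the per-engine
Monitor/Block setting combine into the appliance's final action and what
ends up in the log in each case. Engine names, verdict strings and the
log format are assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    MONITOR = "monitor"   # deliver the content to the client, log the verdict
    BLOCK = "block"       # drop the content


@dataclass(frozen=True)
class EngineResult:
    engine: str           # assumed engine name, e.g. "engine-A"
    verdict: str          # malware category reported by the engine, or "clean"
    setting: Action       # Monitor or Block as configured for this engine


def decide(results: list[EngineResult]) -> tuple[Optional[Action], list[str]]:
    """Combine per-engine verdicts into (final_action, log_lines).

    - No engine reports malware: content is delivered and there is no
      malware verdict to log (final action None).
    - At least one engine reporting malware is set to Block: that Block
      setting overrides the Monitor engines and the request is blocked.
    - Malware is reported only by engines set to Monitor: the content is
      still delivered, and every verdict is written to the log.
    """
    hits = [r for r in results if r.verdict != "clean"]
    if not hits:
        return None, []
    if any(r.setting is Action.BLOCK for r in hits):
        final = Action.BLOCK
    else:
        final = Action.MONITOR
    # Constructed log format: one line per engine that reported malware.
    logs = [
        f"engine={r.engine} verdict={r.verdict} "
        f"setting={r.setting.value} final={final.value}"
        for r in hits
    ]
    return final, logs


if __name__ == "__main__":
    # Constructed sample: one Monitor engine flags the object, one Block
    # engine flags it too, so the Block setting wins.
    sample = [
        EngineResult("engine-A", "trojan", Action.MONITOR),
        EngineResult("engine-B", "adware", Action.BLOCK),
        EngineResult("engine-C", "clean", Action.MONITOR),
    ]
    action, lines = decide(sample)
    print(action)
    for line in lines:
        print(line)
```

Run with `python3 decide.py`; the sample prints `Action.BLOCK` followed by one log line per engine that reported malware. Swapping engine-B's setting to `Action.MONITOR` in the sample changes the result to `Action.MONITOR`, which is the "still delivered, but logged" case the answer describes.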
