Ironport WebSecurity 8.0.5

kushal_kumar1
Level 1

I am working on Cisco IronPort Web Security and have enabled the "File Reputation and Analysis" feature. I did some activities and viewed the W3C logs to check whether the feature was working properly, and I came up with some queries:

1. Initially my device was not communicating with the cloud, but I can still see the x-amp-verdict "3", which means the file is not clean. How can the device give a verdict without communicating with the cloud?

1401427535.114 1662 1.27.1.11 16213 "PREF=ID=59591bf717fe0b93:U=5257ad5ee7fe644a:FF=0:TM=1400748855:LM=1400829408:S=Sh8mreEZ1tSuwKoa; NID=67=p-W0tZtJNrkjoVeOmfxK50Qoi6JVgqwKjVeFVmlHJA7ssODCWHuZ7YhEYQGudDbqN3Su691-dEs4pEaYCsqx5bWqgbnsMlUPgJ-SOhRp7zOzCv6P1pYGQnK6Wis9X0OmshOJYNarVolUYjf8HaTkt2nN" - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0" - - 764 POST application/octet-stream ocsp http://clients1.google.com/ocsp - 1 2014-05-30 DIRECT clients1.google.com 74.125.224.238 80 898 898 200 TCP_MISS TCP_MISS 05:25:35 DEFAULT_CASE_12-My_Identity_Policy-My_Identity_Policy-MyMalware-NONE-NONE-DefaultGroup 1186 "-1" 0 - <IW_srch,5.9,0,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_srch,-,"Unknown","-","Google","Search Engine","-","-",6.06,0,Local,"Unknown","-",3,"-",-,-,"-","-"> "Search Engines and Portals" 0 0 - 3 - - - - -

2. Finally the device started to communicate and files were getting uploaded for analysis, but I see that x-amp-upload-indicator is always "0" even though the file has been uploaded for analysis. The value should be "1".

1401858233.385 3685354 1.27.1.11 19613 - "http://downloadming.nu/holiday-2014-mp3-songs" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0" - - 469 GET audio/mpeg bollywood%20mp3/Holiday%20(2014)/05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 http://128f1.downloadming1.com/bollywood%20mp3/Holiday%20(2014)/05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 - 1 2014-06-04 DIRECT 128f1.downloadming1.com 50.7.240.226 80 3684885 3684885 200 TCP_MISS TCP_MISS 05:03:53 DEFAULT_CASE_12-My_Identity_Policy-My_Identity_Policy-MyMalware-NONE-NONE-DefaultGroup 48669 "-1" 0 - <IW_aud,0.0,0,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_aud,-,"Unknown","-","MPEG","Media","-","-",605.71,0,Local,"Unknown","-",0,"-",0,0,"05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3","7916efec4ae909c74b9623c872d89928d81880030cd2bc97f80f604f3adef12e"> "Streaming Audio" 0 0 - 0 - 0 0 05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 7916efec4ae909c74b9623c872d89928d81880030cd2bc97f80f604f3adef12e

3. I get the sha_256 value of the file but not the name of the file in x-amp-filename. Why?

2 Replies

Lisa Latour
Level 6

Hello - I have just moved your post to the Topic forums; you had posted your question in an obscure, non-visible, promotional community. Hopefully our community users will see your question now.

Tao Yang
Cisco Employee

A verdict of "3" is returned when the AMP file analysis and reputation service is unreachable.

Verdict from Advanced Malware Protection file scanning:
• "0" indicates the file is clean.
• "1" indicates the file was not scanned due to its file type.
• "2" or greater indicates the file is not clean.

Below is a list of AMP verdicts:

28    UNSCANNABLE
29    GENERIC_SPYWARE
30    BROWSER_HELPER
31    ADWARE
32    SYSTEM_MONITOR
33    COMM_SYSTEM_MONITOR
34    DIALER
35    HIJACKER
36    PHISHING_URL
37    TROJAN_DOWNLOADER
38    TROJAN_HORSE
39    TROJAN_PHISHER
40    WORM
41    ENCRYPTED
42    VIRUS
43    OTHER
44    PUA
45    ABORTED
46    ADAPTIVE_SECURITY
47    NUM_VERDICTS
48    UNSET
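The verdict meanings in the reply above are easiest to apply if the AMP fields are pulled out of the access-log lines and triaged automatically, so that a "3" (service unreachable) is routed to a connectivity check rather than raised as a malware alert. The following Python is an added example, not code from Cisco or from anyone in this thread. It assumes, from the two posted lines only and not from Cisco documentation, that the AMP values are the last six comma-separated entries of the angle-bracket scanning-verdict block: verdict, threat name, two indicator fields (the post's x-amp-upload-indicator is one of them), file name and SHA-256. The first two sample lines are the ones from the question; the third is constructed with placeholder host, file and hash values.

```python
import csv
import re
from urllib.parse import unquote

# x-amp-verdict meanings as stated in the reply above: 0 clean, 1 not scanned
# because of file type, 2 or greater not clean, and 3 when the AMP reputation
# and analysis service is unreachable. Codes 28-48 are the named list above.
NAMED_VERDICTS = {
    28: "UNSCANNABLE", 29: "GENERIC_SPYWARE", 30: "BROWSER_HELPER", 31: "ADWARE",
    32: "SYSTEM_MONITOR", 33: "COMM_SYSTEM_MONITOR", 34: "DIALER", 35: "HIJACKER",
    36: "PHISHING_URL", 37: "TROJAN_DOWNLOADER", 38: "TROJAN_HORSE",
    39: "TROJAN_PHISHER", 40: "WORM", 41: "ENCRYPTED", 42: "VIRUS", 43: "OTHER",
    44: "PUA", 45: "ABORTED", 46: "ADAPTIVE_SECURITY", 47: "NUM_VERDICTS", 48: "UNSET",
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# The <...> scanning-verdict block, followed by the quoted URL category.
BLOCK_RE = re.compile(r'<([^<>]*)>\s+"([^"]*)"')


def classify_verdict(code):
    """Turn an x-amp-verdict integer into a triage label."""
    if code == 0:
        return "clean"
    if code == 1:
        return "not scanned: unsupported file type"
    if code == 3:
        return "AMP service unreachable: not a confirmed malware verdict"
    if code in NAMED_VERDICTS:
        return "not clean: " + NAMED_VERDICTS[code]
    if code >= 2:
        return "not clean: unnamed verdict"
    return "unknown verdict code"


def parse_amp_fields(line):
    """Extract the AMP values from one access-log line, or None if absent.

    Assumption (taken from the two posted lines, not from Cisco documentation):
    the last six comma-separated values of the <...> block are the verdict, the
    threat name, two indicator fields, the file name and the SHA-256.
    """
    m = BLOCK_RE.search(line)
    if not m:
        return None
    fields = next(csv.reader([m.group(1)]))  # csv handles the "-" quoting
    if len(fields) < 6:
        return None
    verdict_s, threat, ind_a, ind_b, fname, sha = fields[-6:]
    try:
        verdict = int(verdict_s)
    except ValueError:
        return None
    sha = sha.lower()
    return {
        "verdict": verdict,
        "label": classify_verdict(verdict),
        "threat_name": None if threat == "-" else threat,
        "indicators": (ind_a, ind_b),
        "filename": None if fname == "-" else unquote(fname),
        "sha256": sha if SHA256_RE.match(sha) else None,
        "url_category": m.group(2),
    }


def triage(lines):
    """Return (alerts, unreachable): non-clean verdicts worth an analyst's
    attention versus verdict 3, which points at a connectivity problem."""
    alerts, unreachable = [], []
    for line in lines:
        rec = parse_amp_fields(line)
        if rec is None:
            continue
        if rec["verdict"] == 3:
            unreachable.append(rec)
        elif rec["verdict"] >= 2:
            alerts.append(rec)
    return alerts, unreachable


FAKE_SHA = "ab" * 32  # constructed placeholder hash for the third sample line
SAMPLE_LINES = [
    # Posted line 1: verdict 3 while the device could not reach the cloud.
    '1401427535.114 1662 1.27.1.11 16213 "PREF=ID=59591bf717fe0b93:U=5257ad5ee7fe644a:FF=0:TM=1400748855:LM=1400829408:S=Sh8mreEZ1tSuwKoa; NID=67=p-W0tZtJNrkjoVeOmfxK50Qoi6JVgqwKjVeFVmlHJA7ssODCWHuZ7YhEYQGudDbqN3Su691-dEs4pEaYCsqx5bWqgbnsMlUPgJ-SOhRp7zOzCv6P1pYGQnK6Wis9X0OmshOJYNarVolUYjf8HaTkt2nN" - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0" - - 764 POST application/octet-stream ocsp http://clients1.google.com/ocsp - 1 2014-05-30 DIRECT clients1.google.com 74.125.224.238 80 898 898 200 TCP_MISS TCP_MISS 05:25:35 DEFAULT_CASE_12-My_Identity_Policy-My_Identity_Policy-MyMalware-NONE-NONE-DefaultGroup 1186 "-1" 0 - '
    '<IW_srch,5.9,0,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_srch,-,"Unknown","-","Google","Search Engine","-","-",6.06,0,Local,"Unknown","-",3,"-",-,-,"-","-"> "Search Engines and Portals" 0 0 - 3 - - - - -',
    # Posted line 2: verdict 0 with file name and SHA-256 present.
    '1401858233.385 3685354 1.27.1.11 19613 - "http://downloadming.nu/holiday-2014-mp3-songs" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0" - - 469 GET audio/mpeg bollywood%20mp3/Holiday%20(2014)/05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 http://128f1.downloadming1.com/bollywood%20mp3/Holiday%20(2014)/05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 - 1 2014-06-04 DIRECT 128f1.downloadming1.com 50.7.240.226 80 3684885 3684885 200 TCP_MISS TCP_MISS 05:03:53 DEFAULT_CASE_12-My_Identity_Policy-My_Identity_Policy-MyMalware-NONE-NONE-DefaultGroup 48669 "-1" 0 - '
    '<IW_aud,0.0,0,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_aud,-,"Unknown","-","MPEG","Media","-","-",605.71,0,Local,"Unknown","-",0,"-",0,0,"05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3","7916efec4ae909c74b9623c872d89928d81880030cd2bc97f80f604f3adef12e"> "Streaming Audio" 0 0 - 0 - 0 0 05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 7916efec4ae909c74b9623c872d89928d81880030cd2bc97f80f604f3adef12e',
    # Constructed line: a named verdict (38 TROJAN_HORSE) with placeholder values.
    '1401858300.000 120 10.0.0.5 4433 - "-" "Mozilla/5.0" - - 469 GET application/x-msdownload tool.exe http://files.example.test/tool.exe - 1 2014-06-04 DIRECT files.example.test 192.0.2.10 80 51200 51200 200 TCP_MISS TCP_MISS 05:05:00 DEFAULT_CASE_12-My_Identity_Policy-My_Identity_Policy-MyMalware-NONE-NONE-DefaultGroup 48669 "-1" 0 - '
    '<IW_comp,0.0,0,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_comp,-,"Unknown","-","-","-","-","-",0.0,0,Local,"Unknown","-",38,"Trojan.Constructed.Sample",1,0,"tool.exe","' + FAKE_SHA + '"> "Computers and Internet" 0 0 - 38 Trojan.Constructed.Sample 1 0 tool.exe ' + FAKE_SHA,
]

if __name__ == "__main__":
    alerts, unreachable = triage(SAMPLE_LINES)
    for rec in alerts:
        print("ALERT", rec["label"], rec["filename"], rec["sha256"])
    for rec in unreachable:
        print("CHECK CONNECTIVITY", rec["label"], rec["url_category"])
```

Separating verdict 3 from the named verdicts is the point of the exercise: the first posted line would otherwise look like a malware hit on an OCSP request, when it only records that the appliance could not reach the service. The SHA-256 is validated as 64 hex characters before it is treated as a usable indicator, since the field is "-" whenever no file was scanned.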