06-10-2014 11:29 PM
I am working on Cisco IronPort Web Security and have enabled the "File Reputation and Analysis" feature. I did some activities and viewed the W3C logs to check if the feature was working perfectly. So I came up with some queries:
1. Initially my device was not communicating with the cloud, but still I can see the x-amp-verdict "3", which means the file is not clean. How can the device give a verdict without communicating with the cloud?
1401427535.114 1662 1.27.1.11 16213 "PREF=ID=59591bf717fe0b93:U=5257ad5ee7fe644a:FF=0:TM=1400748855:LM=1400829408:S=Sh8mreEZ1tSuwKoa; NID=67=p-W0tZtJNrkjoVeOmfxK50Qoi6JVgqwKjVeFVmlHJA7ssODCWHuZ7YhEYQGudDbqN3Su691-dEs4pEaYCsqx5bWqgbnsMlUPgJ-SOhRp7zOzCv6P1pYGQnK6Wis9X0OmshOJYNarVolUYjf8HaTkt2nN" - "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0" - - 764 POST application/octet-stream ocsp http://clients1.google.com/ocsp - 1 2014-05-30 DIRECT clients1.google.com 74.125.224.238 80 898 898 200 TCP_MISS TCP_MISS 05:25:35 DEFAULT_CASE_12-My_Identity_Policy-My_Identity_Policy-MyMalware-NONE-NONE-DefaultGroup 1186 "-1" 0 - <IW_srch,5.9,0,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_srch,-,"Unknown","-","Google","Search Engine","-","-",6.06,0,Local,"Unknown","-",3,"-",-,-,"-","-"> "Search Engines and Portals" 0 0 - 3 - - - - -
2. Finally the device started to communicate and files were getting uploaded for analysis, but I see that x-amp-upload-indicator is always "0" even though the file has been uploaded for analysis. The value should be "1".
1401858233.385 3685354 1.27.1.11 19613 - "http://downloadming.nu/holiday-2014-mp3-songs" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0" - - 469 GET audio/mpeg bollywood%20mp3/Holiday%20(2014)/05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 http://128f1.downloadming1.com/bollywood%20mp3/Holiday%20(2014)/05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 - 1 2014-06-04 DIRECT 128f1.downloadming1.com 50.7.240.226 80 3684885 3684885 200 TCP_MISS TCP_MISS 05:03:53 DEFAULT_CASE_12-My_Identity_Policy-My_Identity_Policy-MyMalware-NONE-NONE-DefaultGroup 48669 "-1" 0 - <IW_aud,0.0,0,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_aud,-,"Unknown","-","MPEG","Media","-","-",605.71,0,Local,"Unknown","-",0,"-",0,0,"05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3","7916efec4ae909c74b9623c872d89928d81880030cd2bc97f80f604f3adef12e"> "Streaming Audio" 0 0 - 0 - 0 0 05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 7916efec4ae909c74b9623c872d89928d81880030cd2bc97f80f604f3adef12e
3. I get the sha_256 value of the file but not the name of the file in x-amp-filename. Why?
03-31-2015 09:18 AM
Hello, I have just moved your post to the Topic forums. You had posted your question in an obscure, non-visible, promotional community. Hopefully our community users will see your question now.
03-31-2015 05:47 PM
A verdict of “3” is returned when AMP file analysis and reputation service is unreachable.
Verdict from Advanced Malware Protection file scanning:
• "0" indicates the file is clean.
• "1" indicates the file was not scanned due to its file type.
• "2" or greater indicates the file is not clean.
Below is a list of AMP verdicts:
28 UNSCANNABLE
29 GENERIC_SPYWARE
30 BROWSER_HELPER
31 ADWARE
32 SYSTEM_MONITOR
33 COMM_SYSTEM_MONITOR
34 DIALER
35 HIJACKER
36 PHISHING_URL
37 TROJAN_DOWNLOADER
38 TROJAN_HORSE
39 TROJAN_PHISHER
40 WORM
41 ENCRYPTED
42 VIRUS
43 OTHER
44 PUA
45 ABORTED
46 ADAPTIVE_SECURITY
47 NUM_VERDICTS
48 UNSET
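As an added example (not code from this thread or from Cisco), here is a small Python parser that pulls the AMP fields out of accesslog lines like the two above and applies the verdict rules stated in the reply. It assumes, from the two sample lines, that the last six comma-separated values inside the <...> scanning-verdict block are the verdict, threat name, reputation score, upload indicator, file name and SHA-256 (the same values the poster calls x-amp-verdict, x-amp-upload-indicator, x-amp-filename and sha_256). The sample lines are constructed: shortened copies of the two entries in the post, with the scanning-verdict block and trailing fields kept intact.

```python
"""Extract AMP fields from WSA accesslog lines and classify the verdict.

Added example, not from the thread. The field positions inside the <...>
scanning-verdict block are an assumption taken from the two sample lines in
the post: the last six comma-separated values are verdict, threat name,
reputation score, upload indicator, file name and SHA-256.
"""
import csv
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample: the two log lines from the post, shortened in front of
# the scanning-verdict block; the block and the trailing fields are unchanged.
SAMPLE_LINES = [
    '1401427535.114 1662 1.27.1.11 16213 "PREF=..." - "Mozilla/5.0" - - 764 POST '
    'application/octet-stream ocsp http://clients1.google.com/ocsp - 1 2014-05-30 '
    'DIRECT clients1.google.com 74.125.224.238 80 898 898 200 TCP_MISS TCP_MISS '
    '05:25:35 DEFAULT_CASE_12-My_Identity_Policy-My_Identity_Policy-MyMalware-NONE-NONE-DefaultGroup '
    '1186 "-1" 0 - <IW_srch,5.9,0,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_srch,-,'
    '"Unknown","-","Google","Search Engine","-","-",6.06,0,Local,"Unknown","-",3,"-",-,-,"-","-"> '
    '"Search Engines and Portals" 0 0 - 3 - - - - -',
    '1401858233.385 3685354 1.27.1.11 19613 - "http://downloadming.nu/holiday-2014-mp3-songs" '
    '"Mozilla/5.0" - - 469 GET audio/mpeg 05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 '
    'http://128f1.downloadming1.com/05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 - 1 '
    '2014-06-04 DIRECT 128f1.downloadming1.com 50.7.240.226 80 3684885 3684885 200 TCP_MISS '
    'TCP_MISS 05:03:53 DEFAULT_CASE_12-My_Identity_Policy-My_Identity_Policy-MyMalware-NONE-NONE-DefaultGroup '
    '48669 "-1" 0 - <IW_aud,0.0,0,"-",0,0,0,0,"-",-1,0,-1,"-",0,0,"-","-",-,-,IW_aud,-,'
    '"Unknown","-","MPEG","Media","-","-",605.71,0,Local,"Unknown","-",0,"-",0,0,'
    '"05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3",'
    '"7916efec4ae909c74b9623c872d89928d81880030cd2bc97f80f604f3adef12e"> '
    '"Streaming Audio" 0 0 - 0 - 0 0 05%20-%20Palang%20Tod%20-%20DownloadMing.SE.mp3 '
    '7916efec4ae909c74b9623c872d89928d81880030cd2bc97f80f604f3adef12e',
]

_BLOCK = re.compile(r"<(.*)>")  # greedy: first '<' to last '>' on the line


@dataclass
class AmpFields:
    verdict: str
    threat_name: str
    reputation: str
    upload_indicator: str
    filename: str
    sha256: str

    @property
    def uploaded(self) -> bool:
        # "1" means the file was sent for analysis; "-" or "0" means it was not.
        return self.upload_indicator == "1"

    @property
    def decoded_filename(self) -> Optional[str]:
        # The name is logged percent-encoded; "-" means no name was recorded.
        return None if self.filename == "-" else unquote(self.filename)


def parse_amp_fields(line: str) -> Optional[AmpFields]:
    """Return the six assumed AMP fields from the <...> block, or None."""
    m = _BLOCK.search(line)
    if not m:
        return None
    # The block is comma-separated with quoted strings; csv handles the quoting.
    fields = next(csv.reader([m.group(1)]))
    if len(fields) < 6:
        return None
    return AmpFields(*fields[-6:])


def classify_verdict(verdict: str) -> str:
    """Apply the verdict rules as stated in the reply above."""
    if verdict == "-":
        return "no-amp-data"
    v = int(verdict)
    if v == 0:
        return "clean"
    if v == 1:
        return "unscanned-file-type"
    if v == 3:
        # Not clean, and per the reply the code used when the AMP service is unreachable.
        return "not-clean (3: AMP reputation/analysis service unreachable)"
    return "not-clean"


def summarize(lines: List[str]) -> List[Tuple[str, bool, Optional[str], str]]:
    """(verdict class, uploaded?, decoded file name, sha256) for each line with a block."""
    rows = []
    for line in lines:
        amp = parse_amp_fields(line)
        if amp is None:
            continue
        rows.append((classify_verdict(amp.verdict), amp.uploaded,
                     amp.decoded_filename, amp.sha256))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(row)
```

Run against the two sample lines, the first (the OCSP POST) yields verdict 3 with no upload, no file name and no hash, and the second (the mp3) yields verdict 0 with upload indicator 0 but both a decoded file name and a SHA-256. Pointing the parser at a real accesslog and filtering on the verdict class is a quick way to check whether the appliance ever logs an upload indicator of "1".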