
ESA File Analysis via AMP Verification Process

August 28, 2015 - Machine Translation
Other versions: PDF | English (April 23, 2015)

Introduction

This document describes how to determine whether a file processed by Advanced Malware Protection (AMP) on the Cisco Email Security Appliance (ESA) is sent for File Analysis, and what the associated log files provide.

Contributed by Robert Sherwin, Cisco TAC Engineer.

Determine Whether a File Is Uploaded for Analysis

When File Analysis is enabled, files may be sent automatically to the AMP cloud for further analysis. This provides the highest level of protection against zero-day and targeted threats. File Analysis is only available when File Reputation filtering is enabled.

Use the file type options to limit the kinds of files that may be sent to the cloud. Specific files are always sent upon request from the File Analysis cloud service, which targets those files for which additional analysis is needed. When the File Analysis cloud service reaches capacity, File Analysis of specific file types may be temporarily disabled.

Note: Refer to the Cisco document File Criteria for Advanced Malware Protection Services for Cisco Content Security Products for additional information.

These file types may currently be sent for analysis:

  • All versions of Windows executable software supported by File Analysis, such as .exe, .dll, .sys, and .scr files.

  • The file types that you select for upload on the Anti-Malware and Reputation Settings page (Web Security) or the File Reputation and Analysis Settings page (Email Security). Initial support includes PDF and Microsoft Office files.

Note: If the load on the File Analysis service exceeds capacity, some files may not be analyzed even if the file type is selected for analysis. You receive an alert when the service is temporarily unable to process files of a specific type.

Here are some important notes:

  • File size criteria are established dynamically by the File Analysis service based on current threat trends, and can change at any time. Criteria changes take effect automatically; you are not required to take any action.

  • If a file was recently uploaded from any source, the file is not uploaded again. To get the File Analysis results for this file, search for its SHA-256 on the File Analysis reports page.

  • The appliance attempts to upload the file once; if the upload is unsuccessful (for example, due to connectivity problems), the file may not be uploaded. If the failure is due to an overloaded File Analysis server, the upload is attempted again.

Configure AMP for File Analysis

To configure AMP for File Analysis via the GUI, navigate to Security Services > File Reputation and Analysis > Edit Global Settings...

To configure AMP for File Analysis via the CLI, enter the ampconfig > setup command and step through the wizard. When you are presented with this question, you must choose Y: Do you want to modify the file types selected for File Analysis?

myesa.local> ampconfig

File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
Adobe Portable Document Format (PDF)
Microsoft Office 2007+ (Open XML)
Microsoft Office 97-2004 (OLE)
Microsoft Windows / DOS Executable


Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- CLEARCACHE - Clears the local File Reputation cache.
[]> setup

File Reputation: Enabled
Would you like to use File Reputation? [Y]>

Would you like to use File Analysis? [Y]>

File types supported for File Analysis:

1. Adobe Portable Document Format (PDF) [selected]
2. Microsoft Office 2007+ (Open XML) [selected]
3. Microsoft Office 97-2004 (OLE) [selected]
4. Microsoft Windows / DOS Executable [selected]

Do you want to modify the file types selected for File Analysis? [N]> y

Enter comma separated serial numbers from the "Supported" list. Enter "ALL" to select
all "currently" supported File Types.
[1,2,3,4]> ALL

Specify AMP processing timeout (in seconds)
[120]>

Advanced-Malware protection is now enabled on the system.
Please note: you must issue the 'policyconfig' command (CLI) or Mail
Policies (GUI) to configure advanced malware scanning behavior for
default and custom Incoming Mail Policies.
This is recommended for your DEFAULT policy.

With this configuration, the enabled file types are scanned and sent for analysis as applicable.

Review the AMP Logs for File Analysis

When applicable files are scanned by AMP, they are recorded in the AMP logs. To check this log for all AMP operations, enter the tail amp command in the CLI, or step through the wizard of either the tail or the grep command. The grep command is useful if you know the specific file or other details you want to search for in the AMP logs.

An example follows:

myesa.local> tail amp

Press Ctrl-C to stop.
Mon Feb 2 14:45:35 2015 Info: File reputation query initiating. File Name =
'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Mon Feb 2 14:45:35 2015 Info: Response received for file reputation query from Cache.
File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown, Malware = None,
Reputation Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe2
7e95b245f82, upload_action = 1
Mon Feb 2 14:55:35 2015 Info: File reputation query initiating. File Name =
'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Mon Feb 2 14:55:35 2015 Info: Response received for file reputation query from Cache.
File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown, Malware = None,
Reputation Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe2
7e95b245f82, upload_action = 1
Mon Feb 2 15:05:35 2015 Info: File reputation query initiating. File Name =
'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Mon Feb 2 15:05:35 2015 Info: Response received for file reputation query from Cache.
File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown, Malware = None,
Reputation Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe2
7e95b245f82, upload_action = 1

The amp_watchdog.txt file appears in the logs every ten minutes. This file is part of the AMP keep-alive.

Files processed for reputation are tagged with an upload_action at the end of the file reputation query. There are three responses for the upload action:

"upload_action = 0": The file is known to the reputation service; do not send
for analysis.
"upload_action = 1": Send
"upload_action = 2": The file is known to the reputation service; do not send
for analysis

This response indicates whether the file is sent for analysis. Again, the file must meet the configured file type criteria in order to be submitted successfully.

Example Scenarios

This section describes three possible scenarios in which a file is properly uploaded for analysis, or is not uploaded for a specific reason.

File Uploaded for Analysis

This example shows a DOCX file that meets the criteria and is tagged with upload_action = 1. On the following line, the Secure Hash Algorithm (SHA) of the file uploaded for analysis is recorded in the AMP logs.

Thu Jan 29 08:32:18 2015 Info: File reputation query initiating. File Name =
'Lab_Guide.docx', MID = 860, File Size = 39136 bytes, File Type =
application/msword
Thu Jan 29 08:32:19 2015 Info: Response received for file reputation query from Cloud.
File Name = 'Royale_Raman_Lab_Setup_Guide_Beta.docx', MID = 860, Disposition = file
unknown, Malware = None, Reputation Score = 0, sha256 = 754e3e13b2348ffd9c701bd3d8ae9
6c5174bb8ebb76d8fb51c7f3d9567ff18ce, upload_action = 1
Thu Jan 29 08:32:21 2015 Info: File uploaded for analysis. SHA256: 754e3e13b2348ffd9c7
01bd3d8ae96c5174bb8ebb76d8fb51c7f3d9567ff18ce

File Not Uploaded for Analysis Due to File Type

This example shows a zip file that is scanned by AMP and tagged with upload_action = 1 in the file reputation log, but AMP File Analysis does not support zip files. Therefore, no SHA is recorded in the AMP logs for this file.

Wed Jan 28 08:21:43 2015 Info: File reputation query initiating. File Name =
'Sample_Malware_Files.zip', MID = 852, File Size = 272703 bytes, File Type =
application/zip
Wed Jan 28 08:21:45 2015 Info: Response received for file reputation query from Cloud.
File Name = 'Sample_Malware_Files.zip', MID = 852, Disposition = unscannable, Malware
= None, Reputation Score = 0, sha256 = 0edf4cbf86a3345ca930f1bcc37344b1d95e9f4e9d9da7
53339cefeff03df810, upload_action = 1

File Not Uploaded for Analysis Because the File Is Already Known

This example shows a PDF file that is scanned by AMP and tagged with upload_action = 2 in the file reputation log. This file is already known to the cloud and does not require upload for analysis, so it is not uploaded again.

Wed Jan 28 09:09:51 2015 Info: File reputation query initiating. File Name =
'Zombies.pdf', MID = 856, File Size = 309500 bytes, File Type = application/pdf
Wed Jan 28 09:09:51 2015 Info: Response received for file reputation query from Cache.
File Name = 'Zombies.pdf', MID = 856, Disposition = malicious, Malware = W32.Zombies.
NotAVirus, Reputation Score = 7, sha256 = 00b32c3428362e39e4df2a0c3e0950947c147781fdd
3d2ffd0bf5f96989bb002, upload_action = 2
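The upload_action values and the three scenarios above can be checked mechanically rather than by eye. The following script is an added example, not part of this Cisco document or AMP itself: it parses AMP log lines of the format shown on this page, correlates each file reputation response with any later "File uploaded for analysis" entry by SHA-256, and reports whether the file was actually sent. The sample log is constructed from the excerpts above (wrapped lines rejoined), and the regular expressions assume that exact line layout.

```python
import re

# Constructed sample modelled on the AMP log excerpts in this note; the wrapped
# lines of the original excerpts are rejoined into single log lines here.
SAMPLE_LOG = """\
Mon Feb 2 14:45:35 2015 Info: Response received for file reputation query from Cache. File Name = 'amp_watchdog.txt', MID = 0, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82, upload_action = 1
Thu Jan 29 08:32:19 2015 Info: Response received for file reputation query from Cloud. File Name = 'Lab_Guide.docx', MID = 860, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 754e3e13b2348ffd9c701bd3d8ae96c5174bb8ebb76d8fb51c7f3d9567ff18ce, upload_action = 1
Thu Jan 29 08:32:21 2015 Info: File uploaded for analysis. SHA256: 754e3e13b2348ffd9c701bd3d8ae96c5174bb8ebb76d8fb51c7f3d9567ff18ce
Wed Jan 28 08:21:45 2015 Info: Response received for file reputation query from Cloud. File Name = 'Sample_Malware_Files.zip', MID = 852, Disposition = unscannable, Malware = None, Reputation Score = 0, sha256 = 0edf4cbf86a3345ca930f1bcc37344b1d95e9f4e9d9da753339cefeff03df810, upload_action = 1
Wed Jan 28 09:09:51 2015 Info: Response received for file reputation query from Cache. File Name = 'Zombies.pdf', MID = 856, Disposition = malicious, Malware = W32.Zombies.NotAVirus, Reputation Score = 7, sha256 = 00b32c3428362e39e4df2a0c3e0950947c147781fdd3d2ffd0bf5f96989bb002, upload_action = 2
"""

RESPONSE_RE = re.compile(
    r"Response received for file reputation query from (?P<source>\w+)\.\s+"
    r"File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+), "
    r"Disposition = (?P<disposition>[^,]+), Malware = (?P<malware>[^,]+), "
    r"Reputation Score = (?P<score>\d+), sha256 = (?P<sha>[0-9a-f]{64}), "
    r"upload_action = (?P<action>\d+)")
UPLOAD_RE = re.compile(r"File uploaded for analysis\. SHA256: (?P<sha>[0-9a-f]{64})")
# The three upload_action values listed in this note.
UPLOAD_ACTION = {0: "known to reputation service", 1: "send", 2: "known to reputation service"}


def classify_uploads(log_text):
    """Map each sha256 from a reputation response to its name, MID and verdict.
    Only a 'File uploaded for analysis' line proves the file went to the cloud;
    upload_action = 1 alone marks a candidate. Keep-alive rows (MID 0) are skipped."""
    responses, uploaded = {}, set()
    for line in log_text.splitlines():
        up = UPLOAD_RE.search(line)
        if up:
            uploaded.add(up["sha"])
            continue
        resp = RESPONSE_RE.search(line)
        if resp and resp["mid"] != "0":
            responses[resp["sha"]] = resp.groupdict()
    verdicts = {}
    for sha, r in responses.items():
        action = int(r["action"])
        if action == 1 and sha in uploaded:
            verdict = "uploaded for analysis"
        elif action == 1:
            verdict = "flagged but no upload entry; check file type/size criteria or connectivity"
        elif action in UPLOAD_ACTION:
            verdict = "not sent (upload_action = %d, %s)" % (action, UPLOAD_ACTION[action])
        else:
            verdict = "unexpected upload_action %d" % action
        verdicts[sha] = {"name": r["name"], "mid": int(r["mid"]),
                         "disposition": r["disposition"], "verdict": verdict}
    return verdicts
```

Run classify_uploads() over the output of tail amp or grep amp to find files that were flagged with upload_action = 1 but never produced an upload entry, which is exactly the zip case above.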



Document ID: 118796