Unnamed malware/encrypted file detection

Michael Cole
Beginner

While perusing some Ironport reports I noticed 'unnamed malware' with the transactions monitored... can anyone provide more detail/explanation for this? Is it really malware? If it is, why is it monitored, instead of blocked? Or is this a false positive?

Side note - the 'Support Portal Malware Details' link at the bottom of the report references http://www.ironport.com/malwaredetails, which redirects to a Cisco Acquisitions page, which isn't exactly useful.

Thanks,

Mike C


5 Replies

akilgore
Cisco Employee

Hi Mike,

The "Unknown" or "Unnamed" categories are typically the result of one of the following:

(1) Samples that return an 'unscannable' verdict from the engine.

(2) New malware samples that do not yet have a defined signature, but do flag on heuristic detection methods, may initially flag as unknown or unnamed.

Samples that flag under these categories will either be blocked or allowed, depending on your policy settings.

Thanks for the response - where would this setting be, on the S370 or M170 (management device)? Asking because I don't recall seeing an option anywhere as to how to drop this particular traffic (if unknown.)

Thanks!

On the WSA look under: Web Security Manager - Access Policies - Click on "Web Reputation and Anti-Malware Filtering" policy. Here you set how to monitor or block the different malware categories and, at the bottom, "other categories".

On the SMA look under Web - Configuration Master - Access Policies - Click on "Web Reputation and Anti-Malware Filtering" policy. Here you set how to monitor or block the different malware categories and, at the bottom, "other categories".

enjoy :-)

Perfect, many thanks!

Mike C