Troubleshoot Secure Web Appliance and Advanced Malware Protection Logs (ampverdict)

Introduction

This document describes the ampverdict section in the INFO and DEBUG log level of the Advanced Malware Protection (AMP) engine of the Web Security Appliance (WSA).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• WSA Installed
• File Reputation and File Analysis enabled
• Advanced Malware Protection
• Cisco Secure Web Appliance
• SSH client

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

WSA offers integration with AMP for Endpoints and a local AMP engine. AMP provides Malware protection against zero-day malware through File reputation and File analysis features. The WSA includes a pre-classification engine that is responsible for file scans internally before public cloud checks. The logs described in the next section are related to the AMP engine on WSA not to the AMP cloud or Threat Grid.

Troubleshoot WSA AMP Logs

Access the AMP logs. Log in via CLI and tail or grep the amp logs:

1. Log in to the CLI through SSH Client.

2. Type the command grep and press Enter key.

3. Enter the number of the amp_logs as it is ordered.

4. Answer the followed options (If you run live traffic chose the option to tail the logs).
5. Press Enter key.

6. Logs are displayed.

WSA AMP logs exist in different levels of information, you can select the INFO level or DEBUG the results that have slight differences explained in the next section.

Note: AMP license needs to be installed on WSA to select the AMP logs.

AMP INFO level logs:

Wed Apr 27 12:21:26 2022 Info: Txn 18210 Binary scan on instance[0] Id[1345]: AMP allocated memory = 0, AMP used memory = 0, Scans in flight = 1, Active faster connections = 1, Active slower connections = 0
Wed Apr 27 12:21:35 2022 Info: Binary scan on instance[0] id[1345]: filename[npp.8.4.Installer.x64.exe] filemime[application/x-dosexec] file_extension[exe] length[4493047b] ampverdict[(1, 1, 'amp', '', 0, 0, True)] scanverdict[0] malwareverdict[0] spyname[] SHA256[ecdcf497418a1988ebf20c647acadc9eca7bc8569fd980713582acd0de011ba1] From[Cloud] uploadreason[Enqueued in the local queue for submission to upload] verdict_str[FILE UNKNOWN] is_slow[0] scans_in_flight[0] Active faster connections[0] Active slower connections[0]
Wed Apr 27 12:22:28 2022 Info: File uploaded for analysis. Server: https://panacea.threatgrid.com, SHA256: ecdcf497418a1988ebf20c647acadc9eca7bc8569fd980713582acd0de011ba1, Filename: npp.8.4.Installer.x64.exeTimestamp: 1651044116 sampleid[]

AMP INFO level logs (ampverdict):

ampverdict[(1, 1, 'amp', '', 0, 0, True)]
(analysis_Action, scan_verdict, ‘verdict_source', ‘spyname’, malware_verdict, file_reputation, upload_action)]

AMP DEBUG level logs:

Fri Apr 29 01:38:40 2022 Debug: Binary scan: proxid[3951] filename[favicon.ico] len[41566b] readtime[109.721680ms] scantime[2.205322ms] ampverdict[(1, 1, 'amp', '', 0, 0, False)] scanverdict[0] malwareverdict[0] SHA256[e7a2345c75a03e63202b12301c29bb8b6bae7cef9e191ed58797ec028def7c4f] From[Cloud] FileName[favicon.ico] FileMime[application/octet-stream]

AMP DEBUG level logs (ampverdict):

ampverdict[(1, 1, 'amp', '', 0, 0, False)]
ampverdict[(analysis_action, scan_verdict,disposition, ‘spyname: policy name if amp registered with console’, file_reputation, upload_action, ‘sha256', ‘threat_name’)]

Detailed Field vs Value options:

Related Information

• Integrate AMP for Endpoints and Threat Grid with WSA
• File Reputation Filtering and File Analysis
• Technical Support & Documentation - Cisco Systems