Configuring Security Services
This topic contains the following sections:
Overview of Configuring Security Services
The Secure Web Appliance uses security components to protect end users from a range of malware threats. You can configure anti-malware and web reputation settings for each policy group. When you configure Access Policies, you can also have AsyncOS for Web choose a combination of anti-malware scanning and web reputation scoring to use when determining what content to block.
To protect end users from malware, you enable these features on the appliance, and then configure anti-malware and web reputation settings per policy.
Option |
Description |
Link |
---|---|---|
Anti-malware scanning |
Works with multiple anti-malware scanning engines integrated on the appliance to block malware threats |
|
Web Reputation Filters |
Analyzes web server behavior and determines whether the URL contains URL-based malware |
|
Secure Endpoint |
Protects from threats in downloaded files by evaluating file reputation and by analyzing file characteristics. |
Related Topics
Overview of Web Reputation Filters
Web Reputation Filters assigns a web-based reputation score (WBRS) to a URL to determine the likelihood that it contains URL-based malware. The Secure Web Appliance uses web reputation scores to identify and stop malware attacks before they occur. You can use Web Reputation Filters with Access, Decryption, and Cisco Data Security Policies.
Web Reputation Scores
Web Reputation Filters use data to assess the reliability of Internet domains and score the reputation of URLs. The web reputation calculation associates a URL with network parameters to determine the probability that malware exists. The aggregate probability that malware exists is then mapped to a Web Reputation Score between -10 and +10, with +10 being the least likely to contain malware.
Example parameters include the following:
- URL categorization data
- Presence of downloadable code
- Presence of long, obfuscated End-User License Agreements (EULAs)
- Global volume and changes in volume
- Network owner information
- History of a URL
- Age of a URL
- Presence on any block lists
- Presence on any allow lists
- URL typos of popular domains
- Domain registrar information
- IP address information
Note |
Cisco does not collect identifiable information such as user names, passphrases, or client IP addresses. |
Understanding How Web Reputation Filtering Works
Web Reputation Scores are associated with an action to take on a URL request. You can configure each policy group to correlate an action to a particular Web Reputation Score. The available actions depend on the policy group type that is assigned to the URL request:
Policy Type |
Action |
---|---|
Access Policies |
You can choose to block, scan, or allow |
Decryption Policies |
You can choose to drop, decrypt, or pass through |
Cisco Data Security Policies |
You can choose to block or monitor |
Web Reputation in Access Policies
When you configure web reputation settings in Access Policies, you can choose to configure the settings manually, or let AsyncOS for Web choose the best options using Adaptive Scanning. When Adaptive Scanning is enabled, you can enable or disable web reputation filtering in each Access Policy, but you cannot edit the Web Reputation Scores.
Score |
Action |
Description |
Example |
---|---|---|---|
-10 to -6.0 |
Block |
Bad site. The request is blocked, and no further malware scanning occurs. |
|
-5.9 to 5.9 |
Scan |
Undetermined site. Request is passed to the DVS engine for further malware scanning. The DVS engine scans the request and server response content. |
|
6.0 to 10.0 |
Allow |
Good site. Request is allowed. No malware scanning required. |
|
By default, URLs in an HTTP request that are assigned a Web Reputation Score of +7 are allowed and require no further scanning. However, a weaker score for an HTTP request, such as +3, is automatically forwarded to the Cisco DVS engine where it is scanned for malware. Any URL in an HTTP request that has a poor reputation is blocked.
Related Topics
Web Reputation in Decryption Policies
Score |
Action |
Description |
---|---|---|
-10 to -9.0 |
Drop |
Bad site. The request is dropped with no notice sent to the end user. Use this setting with caution. |
-8.9 to 5.9 |
Decrypt |
Undetermined site. Request is allowed, but the connection is decrypted and Access Policies are applied to the decrypted traffic. |
6.0 to 10.0 |
Pass through |
Good site. Request is passed through with no inspection or decryption. |
Web Reputation in Cisco Data Security Policies
Score |
Action |
Description |
||
---|---|---|---|---|
-10 to -6.0 |
Block |
Bad site. The transaction is blocked, and no further scanning occurs. |
||
-5.9 to 0.0 |
Monitor |
The transaction will not be blocked based on Web Reputation, and will proceed to content checks (file type and size).
|
Overview of Anti-Malware Scanning
The Secure Web Appliance anti-malware feature uses the Cisco DVS™ engine in combination with anti-malware scanning engines to stop web-based malware threats. The DVS engine works with the Webroot™, McAfee, and Sophos anti-malware scanning engines.
The scanning engines inspect transactions to determine a malware scanning verdict to pass to the DVS engine. The DVS engine determines whether to monitor or block the request based on the malware scanning verdicts. To use the anti-malware component of the appliance, you must enable anti-malware scanning and configure global settings, and then apply specific settings to different policies.
Related Topics
Understanding How the DVS Engine Works
The DVS engine performs anti-malware scanning on URL transactions that are forwarded from the Web Reputation Filters. Web Reputation Filters calculate the probability that a particular URL contains malware, and assign a URL score that is associated with an action to block, scan, or allow the transaction.
When the assigned web reputation score indicates to scan the transaction, the DVS engine receives the URL request and server response content. The DVS engine, in combination with the Webroot and/or Sophos or McAfee scanning engines, returns a malware scanning verdict. The DVS engine uses information from the malware scanning verdicts and Access Policy settings to determine whether to block or deliver the content to the client.
Working with Multiple Malware Verdicts
The DVS engine might determine multiple malware verdicts for a single URL. Multiple verdicts can come from one or both enabled scanning engines:
- Different verdicts from different scanning engines. When you enable both Webroot and either Sophos or McAfee, each scanning engine might return different malware verdicts for the same object. When a URL causes multiple verdicts from both enabled scanning engines, the appliance performs the most restrictive action. For example, if one scanning engine returns a block verdict and the other a monitor verdict, the DVS engine always blocks the request.
- Different verdicts from the same scanning engine. A scanning engine might return multiple verdicts for a single object when the object contains multiple infections. When a URL causes multiple verdicts from the same scanning engine, the appliance takes action according to the verdict with the highest priority. The following text lists the possible malware scanning verdicts from the highest to the lowest priority.
- Virus
- Trojan Downloader
- Trojan Horse
- Trojan Phisher
- Hijacker
- System monitor
- Commercial System Monitor
- Dialer
- Worm
- Browser Helper Object
- Phishing URL
- Adware
- Encrypted file
- Unscannable
- Other Malware
Webroot Scanning
The Webroot scanning engine inspects objects to determine the malware scanning verdict to send to the DVS engine. The Webroot scanning engine inspects the following objects:
- URL request. Webroot evaluates a URL request to determine if the URL is a malware suspect. If Webroot suspects the response from this URL might contain malware, the appliance monitors or blocks the request, depending on how the appliance is configured. If Webroot evaluation clears the request, the appliance retrieves the URL and scans the server response.
- Server response. When the appliance retrieves a URL, Webroot scans the server response content and compares it to the Webroot signature database.
McAfee Scanning
The McAfee scanning engine inspects objects downloaded from a web server in HTTP responses. After inspecting the object, it passes a malware scanning verdict to the DVS engine so the DVS engine can determine whether to monitor or block the request.
The McAfee scanning engine uses the following methods to determine the malware scanning verdict:
- Matching virus signature patterns
- Heuristic analysis
Matching Virus Signature Patterns
McAfee uses virus definitions in its database with the scanning engine to detect particular viruses, types of viruses, or other potentially unwanted software. It searches for virus signatures in files. When you enable McAfee, the McAfee scanning engine uses this method to scan server response content.
Heuristic Analysis
Heuristic analysis is a technique that uses general rules, rather than specific rules, to detect new viruses and malware. When the McAfee scanning engine uses heuristic analysis, it looks at the code of an object, applies generic rules, and determines how likely the object is to be virus-like.
Using heuristic analysis increases the possibility of reporting false positives (clean content designated as a virus) and might impact appliance performance.When you enable McAfee, you can choose whether or not to also enable heuristic analysis when scanning objects.
McAfee Categories
McAfee Verdict |
Malware Scanning Verdict Category |
---|---|
Known Virus |
Virus |
Trojan |
Trojan Horse |
Joke File |
Adware |
Test File |
Virus |
Wannabe |
Virus |
Killed |
Virus |
Commercial Application |
Commercial System Monitor |
Potentially Unwanted Object |
Adware |
Potentially Unwanted Software Package |
Adware |
Encrypted File |
Encrypted File |
Sophos Scanning
The Sophos scanning engine inspects objects downloaded from a web server in HTTP responses. After inspecting the object, it passes a malware scanning verdict to the DVS engine so the DVS engine can determine whether to monitor or block the request. You might want to enable the Sophos scanning engine instead of the McAfee scanning engine if McAfee anti-malware software is installed.
Understanding Adaptive Scanning
Adaptive Scanning decides which anti-malware scanning engine (including Secure Endpoint scanning for downloaded files) will process the web request.
Adaptive Scanning applies the ‘Outbreak Heuristics’ anti-malware category to transactions it identifies as malware prior to running any scanning engines. You can choose whether or not to block these transactions when you configure anti-malware settings on the appliance.
Adaptive Scanning and Access Policies
When Adaptive Scanning is enabled, some anti-malware and reputation settings that you can configure in Access Policies are slightly different:
-
You can enable or disable web reputation filtering in each Access Policy, but you cannot edit the Web Reputation Scores.
-
You can enable anti-malware scanning in each Access Policy, but you cannot choose which anti-malware scanning engine to enable. Adaptive Scanning chooses the most appropriate engine for each web request.
Note |
If Adaptive Scanning is not enabled and an Access Policy has particular web reputation and anti-malware settings configured, and then Adaptive Scanning is enabled, any existing web reputation and anti-malware settings are overridden. |
Per-policy Secure Endpoint settings are the same whether or not Adaptive Scanning is enabled.
Enabling Anti-Malware and Reputation Filters
Before you begin
Check the Web Reputation Filters, DVS engine, and the Webroot, McAfee, and Sophos scanning engines are enabled. By default these should be enabled during system setup.
Procedure
Step 1 |
Choose Security Services > Anti-Malware and Reputation. |
||||||||||||||||||||||
Step 2 |
Click Edit Global Settings. |
||||||||||||||||||||||
Step 3 |
Configure settings as necessary.
|
||||||||||||||||||||||
Step 4 |
Submit and Commit Changes. |
What to do next
Clearing the Secure Endpoint Services Cache
Secure Endpoint clear cache functionality clears file reputation dispositions for clean, malicious, and unknown files.
Note |
Secure Endpoint cache is used to increase performance. By using Clear Cache command, you might observe a temporary performance degradation while the cache is repopulated. |
Procedure
Step 1 |
Choose Security Services > Anti-Malware and Reputation. |
Step 2 |
In the Secure Endpoint Services section, click Clear Cache and confirm your action. |
Configuring Anti-Malware and Reputation in Policies
When Anti-Malware and Reputation Filters are enabled on the appliance, you can configure different settings in policy groups. You can enable monitoring or blocking for malware categories based on malware scanning verdicts.
You can configure anti-malware settings in the following policy groups:
Policy Type |
Link to Task |
---|---|
Access Policies |
|
Outbound Malware Scanning Policies |
Controlling Upload Requests Using Outbound Malware Scanning Policies |
You can configure web reputation settings in the following policy groups:
Policy Type |
Link to Task |
---|---|
Access Policies |
|
Decryption Policies |
Configuring Web Reputation Filter Settings for Decryption Policy Groups |
Cisco Data Security Policies |
Configuring Web Reputation Filter Settings for Decryption Policy Groups |
You can configure Secure Endpoint settings only in Access Policies. See Configuring File Reputation and Analysis Features
Anti-Malware and Reputation Settings in Access Policies
When Adaptive Scanning is enabled, the web reputation and anti-malware settings you can configure for Access Policies are slightly different than when Adaptive Scanning is turned off.
Note |
If your deployment includes a Security Management appliance, and you are configuring this feature in a Primary Configuration, options on this page depend on whether Adaptive Security is enabled for the relevant primary configuration. Check the setting on the Security Management appliance, on the Web > Utilities > Security Services Display page. |
Configuring Anti-Malware and Reputation Settings with Adaptive Scanning Enabled
Procedure
Step 1 |
Choose Web Security Manager > Access Policies. |
||||||||||||||
Step 2 |
Click the Anti-Malware and Reputation link for the Access Policy you want to configure. |
||||||||||||||
Step 3 |
Under the Web Reputation and Anti-Malware Settings section, choose Define Web Reputation and Anti-Malware Custom Settings. This allows you to configure web reputation and anti-malware settings for this Access Policy that differ from the global policy. |
||||||||||||||
Step 4 |
In the Web Reputation Settings section, choose whether or not to enable Web Reputation Filtering. Adaptive Scanning chooses the most appropriate web reputation score thresholds for each web request. |
||||||||||||||
Step 5 |
Configure the settings in the Secure Endpoint Settings section. |
||||||||||||||
Step 6 |
Scroll down to the Cisco DVS Anti-Malware Settings section. |
||||||||||||||
Step 7 |
Configure the anti-malware settings for the policy as necessary.
|
||||||||||||||
Step 8 |
Submit and Commit Changes. |
What to do next
Configuring Anti-Malware and Reputation Settings with Adaptive Scanning Disabled
Procedure
Step 1 |
Choose Web Security Manager > Access Policies. |
||||||||||||||||||
Step 2 |
Click the Anti-Malware and Reputation link for the Access Policy you want to configure. |
||||||||||||||||||
Step 3 |
Under the Web Reputation and Anti-Malware Settings section, choose Define Web Reputation and Anti-Malware Custom Settings. This allows you to configure web reputation and anti-malware settings for this Access Policy that differ from the global policy. |
||||||||||||||||||
Step 4 |
Configure the settings in the Web Reputation Settings section. |
||||||||||||||||||
Step 5 |
Configure the settings in the Secure Endpoint Settings section. |
||||||||||||||||||
Step 6 |
Scroll down to the Cisco DVS Anti-Malware Settings section. |
||||||||||||||||||
Step 7 |
Configure the anti-malware settings for the policy as necessary.
|
||||||||||||||||||
Step 8 |
Submit and Commit Changes. |
What to do next
Configuring Web Reputation Scores
When you install and set up the Secure Web Appliance, it has default settings for Web Reputation Scores. However, you can modify threshold settings for web reputation scoring to fit your organization’s needs.You configure the web reputation filter settings for each policy group.
Configuring Web Reputation Score Thresholds for Access Policies
Procedure
Step 1 |
Choose Web Security Manager > Access Policies. |
||
Step 2 |
Click the link under the Anti-Malware and Reputation column for the Access Policy group you want to edit. |
||
Step 3 |
Under the Web Reputation and Anti-Malware Settings section, choose Define Web Reputation and Anti-Malware Custom Settings. This allows you to configure web reputation and anti-malware settings for this Access Policy that differ from the global policy. |
||
Step 4 |
Verify the Enable Web Reputation Filtering field is enabled. |
||
Step 5 |
Move the markers to change the range for URL block, scan, and allow actions. |
||
Step 6 |
Submit and Commit Changes.
|
Configuring Web Reputation Filter Settings for Decryption Policy Groups
Procedure
Step 1 |
Choose Web Security Manager > Decryption Policies. |
Step 2 |
Click the link under the Web Reputation column for the Decryption Policy group you want to edit. |
Step 3 |
Under the Web Reputation Settings section, choose Define Web Reputation Custom Settings. This allows you to override the web reputation settings from the Global Policy Group. |
Step 4 |
Verify the Enable Web Reputation Filtering field is checked. |
Step 5 |
Move the markers to change the range for URL drop, decrypt, and pass through actions. |
Step 6 |
In the Sites with No Score field, choose the action to take on request for sites that have no assigned Web Reputation Score. |
Step 7 |
Submit and Commit Changes. |
Configuring Web Reputation Filter Settings for Data Security Policy Groups
Procedure
Step 1 |
Choose Web Security Manager > Cisco Data Security. |
||
Step 2 |
Click the link under the Web Reputation column for the Data Security Policy group you want to edit. |
||
Step 3 |
Under the Web Reputation Settings section, choose Define Web Reputation Custom Settings. This allows you to override the web reputation settings from the Global Policy Group. |
||
Step 4 |
Move the marker to change the range for URL block and monitor actions. |
||
Step 5 |
Submit and Commit Changes.
|
Integrating the Appliance with Secure Endpoint AMP for Endpoints Console
You can integrate your appliance with Secure Endpoint console, and perform the following actions in Secure Endpoint console:
-
Create a simple custom detection list.
-
Add new malicious file SHAs to the simple custom detection list.
-
Create an application allowed list.
-
Add new file SHAs to the application allowed list.
-
Create a custom policy.
-
Attach the simple custom detection list and the application allowed list to the custom policy.
-
Create a custom group.
-
Attach the custom policy to the custom group.
-
Move your registered appliance from the default group to the custom group.
-
View the file trajectory details of a particular file SHA.
To integrate your appliance with Secure Endpoint console, you need to register your appliance with the console.
After the integration, when a file SHA is sent to the File Reputation server, the verdict obtained for the file SHA from the File Reputation Server is overridden by the verdict already available for the same file SHA in the Secure Endpoint console.
If a file SHA is already marked as malicious globally, and if the same file SHA is added to the blocked list in Secure Endpoint console, the file disposition is malicious.
The Secure Endpoint report page includes a new section - Incoming Malware Files by Category to view the percentage of block listed file SHAs received from the Secure Endpoint console that are displayed as Custom Detection. The threat name of a block listed file SHA is displayed as Simple Custom Detection in the Incoming Malware Threat Files section of the report. You can click the link in the More Details section of the report to view the file trajectory details of a block listed file SHA in the Secure Endpoint console.
The Secure Endpoint report page includes a new section - Incoming Malicious Files by Category to view the percentage of file SHAs on the blocked list received from the Secure Endpoint console that are displayed as Custom Detection. The threat name of a file SHA on the blocked list is displayed as Custom Detection in the Malicious Threat Files section of the report. To view the file trajectory details about a file SHA on the blocked list in the Secure Endpoint console, see .
Before you begin
Make sure you have a user account in Secure Endpoint console with admin access rights. For more details on how to create an Secure Endpoint console user account, contact Cisco TAC.
[For clustered configuration] In a clustered configuration, you can only register your logged-in appliance with Secure Endpoint console. If you have already registered your appliance with Secure Endpoint console in the standalone mode, make sure to deregister the appliance manually before you join it to a cluster.
Make sure you have enabled and configured File Reputation Filtering. See Enabling and Configuring File Reputation and Analysis Services to know how to enable and configure File Reputation Filtering.
Procedure
Step 1 |
Select Security Services > Anti-Malware and Reputation. |
||
Step 2 |
Click Edit Global Settings. |
||
Step 3 |
Click Register Appliance with Secure Endpoint in the Advanced Settings panel for File Reputation in the File Reputation and File Analysis page of the web interface. Once you click Register Appliance with Secure Endpoint, the Secure Endpoint console login page appears. |
||
Step 4 |
Click Register Appliance with Secure Endpoint in the Advanced Settings panel for File Reputation in the Anti-Malware Reputation page of the web interface. Once you click Register Appliance with Secure Endpoint, the Secure Endpoint console login page appears.
|
||
Step 5 |
Log in to the Secure Endpoint console with your user credentials. |
||
Step 6 |
Click Allow in the Secure Endpoint authorization page to register your appliance. Once you click Allow, the registration is complete, and it redirects you to the Anti-Malware Reputation page of your appliance. Your appliance name is displayed in the Secure Endpoint Console Integration field. You can use the appliance name to customize your appliance settings in the Secure Endpoint console page. |
What to do next
Next Steps:
-
You can go to Accounts > Applications section of the Secure Endpoint console page, to verify whether your appliance is registered with Secure Endpoint console. Your appliance name is displayed in the Applications section of the Secure Endpoint console page.
-
After registration, your appliance is added to the default group (Audit Group) which has a default policy (Network Policy) attached to it. The default policy contains file SHAs that are added to the blocked list or the allowed list. If you want to customize the Secure Endpoint settings for your appliance, and add your own file SHAs that are added to the blocked list or the allowed list, see the Secure Endpoint user documentation at https://console.amp.cisco.com/docs.
-
To deregister your appliance connection from Secure Endpoint console, you can click Deregister in the Advanced Settings for File Reputation section in your appliance, or you need to go to the Secure Endpoint console page at https://console.amp.cisco.com/. For more information, see the Secure Endpoint user documentation at https://console.amp.cisco.com/docs.
Note |
When you change your File Reputation server to a different data center, your appliance is automatically deregistered from the Secure Endpoint console. You must re-register your appliance with Secure Endpoint console with the same data center selected for the File Reputation server. |
Note |
If a malicious file SHA gets a clean verdict, then verify whether the same file SHA is added to the allowed list in Secure Endpoint console. |
Maintaining the Database Tables
The web reputation, Webroot, Sophos, and McAfee databases periodically receive updates from the Cisco update server. Server updates are automated and the update interval is set by the server.
The Web Reputation Database
The Secure Web Appliance maintains a filtering database that contains statistics and information about how different types of requests are handled. The appliance can also be configured to send web reputation statistics to a Cisco SensorBase Network server. SensorBase server information is leveraged with data feeds from the SensorBase Network and the information is used to produce a Web Reputation Score.
Logging of Web Reputation Filtering Activity and DVS Scanning
The access log file records the information returned by the Web Reputation Filters and the DVS engine for each transaction. The scanning verdict information section in the access logs includes many fields to help understand the cause for the action applied to a transaction. For example, some fields display the web reputation score or the malware scanning verdict Sophos passed to the DVS engine.
Logging Adaptive Scanning
Custom Field in Access Logs |
Custom Field in W3C Logs |
Description |
---|---|---|
%X6 |
x-as-malware-threat-name |
The anti-malware name returned by Adaptive Scanning. If the transaction is not blocked, this field returns a hyphen (“-”). This variable is included in the scanning verdict information (in the angled brackets at the end of each access log entry). |
Transactions blocked and monitored by the adaptive scanning engine use the ACL decision tags:
- BLOCK_AMW_RESP
- MONITOR_AMW_RESP
Caching
The following guidelines explain how AsyncOS uses the cache while scanning for malware:
- AsyncOS only caches objects if the entire object downloads. If malware is blocked during scanning, the whole object is not downloaded and therefore is not cached.
- AsyncOS scans content whether it is retrieved from the server or from the web cache.
- The length of time that content is cached varies with many factors - there is no default.
- AsyncOS rescans content when signatures are updated.
Malware Category Descriptions
Malware Type |
Description |
---|---|
Adware |
Adware encompasses all software executables and plug-ins that direct users towards products for sale. These programs may also change security settings making it impossible for users to make changes to their system settings. |
Browser Helper Object |
A browser helper object is a browser plug-in that may perform a variety of functions related to serving advertisements or hijacking user settings. |
Commercial System Monitor |
A commercial system monitor is a piece of software with system monitor characteristics that can be obtained with a legitimate license through legal means. |
Dialer |
A dialer is a program that utilizes your modem or another type of Internet access to connect you to a phone line or a site that causes you to accrue long distance charges to which you did not provide your full consent. |
Generic Spyware |
Spyware is a type of malware installed on computers that collects small pieces of information about users without their knowledge. |
Hijacker |
A hijacker modifies system settings or any unwanted changes to a user’s system that may direct them to a website or run a program without a users consent. |
Known Malicious and High-Risk Files |
These are files that were identified as threats by the Secure Endpoint file reputation service. |
Other Malware |
This category is used to catch all other malware and suspicious behavior that does not exactly fit in one of the other defined categories. |
Phishing URL |
A phishing URL is displayed in the browser address bar. In some cases, it involves the use of domain names and resembles those of legitimate domains. |
PUA |
Potentially Unwanted Application. A PUA is an application that is not malicious, but may be considered to be undesirable. |
System Monitor |
A system monitor encompasses any software that performs one of the following:
|
Trojan Downloader |
A trojan downloader is a Trojan that, after installation, contacts a remote host/site and installs packages or affiliates from the remote host. |
Trojan Horse |
A trojan horse is a destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves. |
Trojan Phisher |
A trojan phisher may sit on an infected computer waiting for a specific web page to be visited or may scan the infected machine looking for user names and passphrases. |
Virus |
A virus is a program or piece of code that is loaded onto your computer without your knowledge. |
Worm |
A worm is program or algorithm that replicates itself over a computer network and performs malicious actions. |