Introduction
This document describes how to determine whether a file processed by Advanced Malware Protection (AMP) on the Cisco Email Security Appliance (ESA) was sent for File Analysis, and what the associated AMP log file records.
Determine whether an attachment is uploaded for File Analysis
When File Analysis is enabled, attachments scanned by File Reputation may be sent to File Analysis for further analysis. This provides the highest level of protection against zero-day and targeted threats. File Analysis is only available when File Reputation filtering is enabled.
Use the File Types option to restrict which file types may be sent to the cloud. Which specific files are actually sent is always decided by the File Analysis Services Cloud, which requests the files that need additional analysis. When the File Analysis Services Cloud reaches capacity, analysis of specific file types may be temporarily disabled.
Note: See the Cisco document File Criteria for Advanced Malware Protection Services for Cisco Content Security Products for the latest and additional information.
Note: Check the release notes and user guide for the specific version of AsyncOS that runs on your appliance, because the File Analysis file types can vary between AsyncOS versions.
File types that can be sent for File Analysis:
Note: If the load on the File Analysis service exceeds its capacity, some files that would otherwise be eligible are not analyzed even though their file type is selected for analysis. You receive an alert when the service is temporarily unable to process a specific file type.
Important notes:
- If a file has recently been uploaded from any source, it is not uploaded again. To see the File Analysis results for that file, search for its SHA-256 on the File Analysis reporting page.
- The appliance attempts the upload once; if the upload fails (for example because of a connectivity problem), the file may not be uploaded at all. If it failed because the File Analysis server was overloaded, the upload is retried.
Configure AMP for File Analysis
By default, when the ESA is first brought up and has not yet connected to the Cisco updater, the only File Analysis file type listed is "Microsoft Windows / DOS Executable". You must let the service update complete before you can configure other file types. This is reflected in the updater_logs as the download of "fireamp.json":
Sun Jul 9 13:52:28 2017 Info: amp beginning download of remote file "http://updates.ironport.com/amp/1.0.11/fireamp.json/default/100116"
Sun Jul 9 13:52:28 2017 Info: amp successfully downloaded file "amp/1.0.11/fireamp.json/default/100116"
Sun Jul 9 13:52:28 2017 Info: amp applying file "amp/1.0.11/fireamp.json/default/100116"
To configure File Analysis through the GUI, navigate to Security Services > File Reputation and Analysis > Edit Global Settings...
To configure AMP for File Analysis through the CLI, enter ampconfig > setup and work through the wizard prompts. You must answer Y at the prompt "Do you want to modify the file types selected for File Analysis?":
myesa.local> ampconfig
File Reputation: Enabled
File Analysis: Enabled
File types selected for File Analysis:
Adobe Portable Document Format (PDF)
Microsoft Office 2007+ (Open XML)
Microsoft Office 97-2004 (OLE)
Microsoft Windows / DOS Executable
Other potentially malicious file types
Appliance Group ID/Name: Not part of any group yet
Choose the operation you want to perform:
- SETUP - Configure Advanced-Malware protection service.
- ADVANCED - Set values for AMP parameters (Advanced configuration).
- CLEARCACHE - Clears the local File Reputation cache.
[]> setup
File Reputation: Enabled
Would you like to use File Reputation? [Y]>
Would you like to use File Analysis? [Y]>
File types supported for File Analysis:
1. Archived and compressed [selected]
2. Configuration [selected]
3. Database [selected]
4. Document [selected]
5. Email [selected]
6. Encoded and Encrypted [selected]
7. Executables [partly selected]
8. Microsoft Documents [selected]
9. Miscellaneous [selected]
Do you want to modify the file types selected for File Analysis? [N]> y
Enter comma separated serial numbers from the "Supported" list. Enter "ALL" to select all "currently" supported File Types.
[1,2,3,4,5]> ALL
Specify AMP processing timeout (in seconds)
[120]>
Advanced-Malware protection is now enabled on the system.
Please note: you must issue the 'policyconfig' command (CLI) or Mail
Policies (GUI) to configure advanced malware scanning behavior for
default and custom Incoming Mail Policies.
This is recommended for your DEFAULT policy.
With this configuration, attachments of the enabled file types are subject to File Analysis whenever the cloud requests them.
View the AMP logs for File Analysis
When attachments are scanned by File Reputation or File Analysis on the ESA, they are recorded in the AMP log. To follow this log for all AMP actions, run tail amp from the ESA CLI, or run tail or grep and answer the prompts to select the amp log. grep is useful when you know the specific file (for example its name or SHA-256) or other detail you want to find in the AMP log.
Here is an example:
mylocal.esa > tail amp
Press Ctrl-C to stop.
Tue Aug 13 17:28:47 2019 Info: Compressed/Archive File: sha256 = deace8ba729ad32313131321311232av2316623cfe9ac MID = 1683600, Extracted File: File Name = '[redacted].pdf', File Type = 'application/pdf', sha256 = deace8ba729ad32313131321311232av2316623cfe9ac, Disposition = LOWRISK, Response received from = Cloud, Malware = None, Analysis Score = 0, upload_action = Recommended to send the file for analysis
Thu Aug 15 13:49:14 2019 Debug: File reputation query initiating. File Name = 'amp_watchdog.txt', MID = 0, File Size = 12 bytes, File Type = text/plain
Thu Aug 15 13:49:14 2019 Debug: Response received for file reputation query from Cloud. File Name = 'amp_watchdog.txt', MID = 0, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82, upload_action = Recommended not to send the file for analysis
Note: Older versions of AsyncOS show "amp_watchdog.txt" in the AMP log. This is an OS file that appears in the log every 10 minutes. It is part of the AMP keep-alive and can safely be ignored. From AsyncOS 10.0.1 onward it is hidden from the Info-level log; it still appears at the Debug level, as in the examples above.
Note: Older versions of AsyncOS log the upload_action tag with three defined values that describe the upload behavior toward File Analysis.
The three upload_action responses on older AsyncOS:
- "upload_action = 0": The file is known to the reputation service; do not send for analysis.
- "upload_action = 1": Send for analysis.
- "upload_action = 2": The file is known to the reputation service; do not send for analysis.
The two upload_action responses on AsyncOS 12.x and later:
- "upload_action = Recommended to send the file for analysis"
- Debug log only: "upload_action = Recommended not to send the file for analysis"
This response indicates whether the file is sent for analysis. The file must also match the configured file types for the submission to succeed.
Explanation of the upload_action tags
"upload_action = 0": The file is known to the reputation service; do not send for analysis.
For "0", this means the file is "not required to be sent for upload". A better way to read it is that the file can still be sent to File Analysis for upload if the cloud requests it; if it is not needed, it is not sent.
"upload_action = 2": The file is known to the reputation service; do not send for analysis
For "2", this is a strict "do not send" for the upload. This action is final and conclusive, and File Analysis processing for the file is complete.
Example cases
This section describes the possible cases in which a file is uploaded and analyzed correctly, or is not uploaded for a specific reason.
File uploaded for analysis
Older AsyncOS:
This example shows a DOCX file that meets the criteria and carries the upload_action = 1 tag. On the next line, the upload of the file for analysis, identified by its SHA-256 (Secure Hash Algorithm) value, is also recorded in the AMP log.
Thu Jan 29 08:32:18 2015 Info: File reputation query initiating. File Name = 'Lab_Guide.docx', MID = 860, File Size = 39136 bytes, File Type = application/msword
Thu Jan 29 08:32:19 2015 Info: Response received for file reputation query from Cloud. File Name = 'Royale_Raman_Lab_Setup_Guide_Beta.docx', MID = 860, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 754e3e13b2348ffd9c701bd3d8ae96c5174bb8ebb76d8fb51c7f3d9567ff18ce, upload_action = 1
Thu Jan 29 08:32:21 2015 Info: File uploaded for analysis. SHA256: 754e3e13b2348ffd9c701bd3d8ae96c5174bb8ebb76d8fb51c7f3d9567ff18ce
AsyncOS 12.x and later:
This example shows a PPTX file that meets the criteria and is tagged upload_action = Recommended to send the file for analysis. On the next line, the upload of the file for analysis, identified by its SHA-256, is also recorded in the AMP log.
Thu Aug 15 09:42:19 2019 Info: Response received for file reputation query from Cloud. File Name = 'ESA_AMP.pptx', MID = 1763042, Disposition = UNSCANNABLE, Malware = None, Analysis Score = 0, sha256 = 0caade49103146813abaasd52edb63cf1c285b6a4bb6a2987c4e32, upload_action = Recommended to send the file for analysis
Thu Aug 15 10:05:35 2019 Info: File uploaded for analysis. SHA256: 0caade49103146813abaasd52edb63cf1c285b6a4bb6a2987c4e32, file name: ESA_AMP.pptx
File not uploaded for analysis because the file is already known
Older AsyncOS:
This example shows a PDF file scanned by AMP, with upload_action = 2 appended to the file reputation response. The file is already known to the cloud (here the response came from the local cache with a malicious disposition), so it does not need to be uploaded for analysis and is not uploaded again.
Wed Jan 28 09:09:51 2015 Info: File reputation query initiating. File Name = 'Zombies.pdf', MID = 856, File Size = 309500 bytes, File Type = application/pdf
Wed Jan 28 09:09:51 2015 Info: Response received for file reputation query from Cache. File Name = 'Zombies.pdf', MID = 856, Disposition = malicious, Malware = W32.Zombies.NotAVirus, Reputation Score = 7, sha256 = 00b32c3428362e39e4df2a0c3e0950947c147781fdd3d2ffd0bf5f96989bb002, upload_action = 2
AsyncOS 12.x and later:
This example shows the amp_watchdog.txt file in a Debug-level AMP log entry with upload_action = Recommended not to send the file for analysis appended to the file reputation response. The file is already known, so it does not need to be uploaded for analysis and is not uploaded.
Mon Jul 15 17:41:53 2019 Debug: Response received for file reputation query from Cache. File Name = 'amp_watchdog.txt', MID = 0, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82, upload_action = Recommended not to send the file for analysis
Log File Analysis uploads through an email header
In the CLI, the logconfig command has a logheaders sub-option that lets you choose headers of messages processed by the ESA to be listed and recorded in the mail logs. Add the "X-Amp-File-Uploaded" header to that list, and every time a file is, or is not, uploaded for File Analysis the result is recorded in the ESA mail logs against the message's MID.
Mail log entry for a message whose file was uploaded for analysis:
Mon Sep 5 13:30:03 2016 Info: Message done DCID 0 MID 7659 to RID [0] [('X-Amp-File-Uploaded', 'True')]
Mail log entry for a message whose file was not uploaded for analysis:
Mon Sep 5 13:31:13 2016 Info: Message done DCID 0 MID 7660 to RID [0] [('X-Amp-File-Uploaded', 'False')]
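To make the determination described in the AMP log sections and the mail log section above mechanical, here is a Python script added as an example; it is not Cisco code and is not part of the original article. It reads a saved AMP log, normalises the legacy numeric and 12.x textual upload_action tags onto one decision, pairs each file reputation response with a later "File uploaded for analysis" line by SHA-256, and reads the X-Amp-File-Uploaded result out of mail_logs. The embedded sample lines are constructed from the formats quoted on this page (MIDs and hash values are the page's placeholders, not real hashes), and the regular expressions assume exactly those line formats, which is an assumption to re-check against the AsyncOS version you run.

```python
"""Decide from ESA AMP and mail logs whether an attachment was sent for File Analysis.

Added example, not Cisco code. Line formats follow the entries quoted on this page;
the embedded sample lines are constructed from them (placeholder MIDs and hashes).
"""
import re
from dataclasses import dataclass

# Constructed sample AMP log: a legacy (numeric upload_action) docx that uploads,
# a cached known-malicious pdf, a 12.x pptx that uploads, and a watchdog Debug entry.
AMP_LOG = """\
Thu Jan 29 08:32:18 2015 Info: File reputation query initiating. File Name = 'Lab_Guide.docx', MID = 860, File Size = 39136 bytes, File Type = application/msword
Thu Jan 29 08:32:19 2015 Info: Response received for file reputation query from Cloud. File Name = 'Lab_Guide.docx', MID = 860, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 754e3e13b2348ffd9c701bd3d8ae96c5174bb8ebb76d8fb51c7f3d9567ff18ce, upload_action = 1
Thu Jan 29 08:32:21 2015 Info: File uploaded for analysis. SHA256: 754e3e13b2348ffd9c701bd3d8ae96c5174bb8ebb76d8fb51c7f3d9567ff18ce
Wed Jan 28 09:09:51 2015 Info: Response received for file reputation query from Cache. File Name = 'Zombies.pdf', MID = 856, Disposition = malicious, Malware = W32.Zombies.NotAVirus, Reputation Score = 7, sha256 = 00b32c3428362e39e4df2a0c3e0950947c147781fdd3d2ffd0bf5f96989bb002, upload_action = 2
Thu Aug 15 09:42:19 2019 Info: Response received for file reputation query from Cloud. File Name = 'ESA_AMP.pptx', MID = 1763042, Disposition = UNSCANNABLE, Malware = None, Analysis Score = 0, sha256 = 0caade49103146813abaasd52edb63cf1c285b6a4bb6a2987c4e32, upload_action = Recommended to send the file for analysis
Thu Aug 15 10:05:35 2019 Info: File uploaded for analysis. SHA256: 0caade49103146813abaasd52edb63cf1c285b6a4bb6a2987c4e32, file name: ESA_AMP.pptx
Mon Jul 15 17:41:53 2019 Debug: Response received for file reputation query from Cache. File Name = 'amp_watchdog.txt', MID = 0, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = a5f28f1fed7c2fe88bcdf403710098977fa12c32d13bfbd78bbe27e95b245f82, upload_action = Recommended not to send the file for analysis
"""

# Constructed mail_logs sample with the X-Amp-File-Uploaded header logged via logheaders.
MAIL_LOG = """\
Mon Sep 5 13:30:03 2016 Info: Message done DCID 0 MID 7659 to RID [0] [('X-Amp-File-Uploaded', 'True')]
Mon Sep 5 13:31:13 2016 Info: Message done DCID 0 MID 7660 to RID [0] [('X-Amp-File-Uploaded', 'False')]
"""

# Hashes are matched as alphanumeric rather than strict hex because the page's
# examples are redacted; production values are 64 hex characters.
RESPONSE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): "
    r"Response received for file reputation query from (?P<src>\w+)\. "
    r"File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+), Disposition = (?P<disp>[^,]+),"
    r".*?sha256 = (?P<sha>[0-9A-Za-z]+), upload_action = (?P<action>.+?)\s*$"
)
UPLOADED_RE = re.compile(
    r"File uploaded for analysis\. SHA256: (?P<sha>[0-9A-Za-z]+)(?:, file name: (?P<name>.*))?$"
)
MAIL_LOG_RE = re.compile(
    r"Message done DCID \d+ MID (?P<mid>\d+) .*\('X-Amp-File-Uploaded', '(?P<flag>True|False)'\)"
)

# Legacy (pre-12.x) numeric upload_action values as described on this page.
LEGACY_ACTIONS = {
    "0": "not_required",  # known to the reputation service; may still be sent if the cloud asks
    "1": "send",
    "2": "do_not_send",   # known; final, the file is not uploaded
}

def classify_upload_action(action: str) -> str:
    """Map legacy numeric and 12.x textual upload_action tags onto one vocabulary."""
    tag = action.strip()
    if tag in LEGACY_ACTIONS:
        return LEGACY_ACTIONS[tag]
    if tag.startswith("Recommended not to send"):
        return "do_not_send"
    if tag.startswith("Recommended to send"):
        return "send"
    return "unknown"

@dataclass
class Verdict:
    mid: int
    file_name: str
    sha256: str
    disposition: str
    source: str         # Cloud or Cache
    upload_action: str  # raw tag from the log line
    decision: str       # normalised classify_upload_action() result
    uploaded: bool = False

def correlate_amp_log(text: str, include_watchdog: bool = False) -> list:
    """Pair each reputation response with a later 'File uploaded for analysis' line by SHA-256."""
    verdicts, uploaded_shas = [], set()
    for line in text.splitlines():
        m = RESPONSE_RE.match(line)
        if m:
            if m["name"] == "amp_watchdog.txt" and not include_watchdog:
                continue  # keep-alive entry (MID 0), not a real attachment
            verdicts.append(Verdict(int(m["mid"]), m["name"], m["sha"], m["disp"].strip(),
                                    m["src"], m["action"], classify_upload_action(m["action"])))
            continue
        u = UPLOADED_RE.search(line)
        if u:
            uploaded_shas.add(u["sha"])
    for v in verdicts:
        v.uploaded = v.sha256 in uploaded_shas
    return verdicts

def flag_inconsistencies(verdicts: list) -> list:
    """Responses that said 'send' but never produced an upload line (the single-attempt failure case)."""
    return [v for v in verdicts if v.decision == "send" and not v.uploaded]

def parse_mail_log_header(text: str) -> dict:
    """Map MID -> bool from mail_logs lines that carry the logged X-Amp-File-Uploaded header."""
    return {int(m["mid"]): m["flag"] == "True" for m in MAIL_LOG_RE.finditer(text)}

if __name__ == "__main__":
    for v in correlate_amp_log(AMP_LOG):
        print(f"MID {v.mid} {v.file_name}: {v.disposition} ({v.source}), "
              f"upload_action={v.upload_action!r} -> {v.decision}, uploaded={v.uploaded}")
    print("unresolved sends:", flag_inconsistencies(correlate_amp_log(AMP_LOG)))
    print("mail_logs X-Amp-File-Uploaded:", parse_mail_log_header(MAIL_LOG))
```

Save the output of tail amp or grep to a file and pass its contents to correlate_amp_log(); a response classified as send with no matching upload line is the single-attempt failure the notes above warn about (flag_inconsistencies() returns those), while an upload_action of 0 that never results in an upload is normal. The watchdog entry is skipped by default so that MID 0 keep-alive lines do not show up as attachments.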
Related Information