User Guide

ManualsBrandsCisco Manualsantivirus security softwareCisco Email Security Appliance C680

411

412

413

414

415

416

417

418

419

420

16-4

AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide

Chapter 16 File Reputation Filtering and File Analysis

Configuring File Reputation and Analysis Features

• Archive or Compressed File Processing, page 16-4

Archive or Compressed File Processing

If the file is compressed or archived,

• Reputation of the compressed or archive file is evaluated.

• The compressed or archive file is decompressed and reputations of all the extracted files are

evaluated.

For information about which archived and compressed files are examined, including file formats, see

File Criteria for Advanced Malware Protection Services for Cisco Content Security Products, available

from

http://www.cisco.com/c/en/us/support/security/email-security-appliance/products-user-guide-list.html.

In this scenario,

• If one of the extracted files is malicious, the file reputation service returns a verdict of Malicious for

the compressed or the archive file.

• If the compressed or archive file is malicious and all the extracted files are clean, the file reputation

service returns a verdict of Malicious for the compressed or the archive file.

• If the verdict of any of the extracted files is unknown, the extracted files are optionally (if configured

and the file type is supported for file analysis) sent for file analysis.

• If the extraction of a file fails while decompressing a compressed or an archive file, the file

reputation service returns a verdict of Unscannable for the compressed or the archive file. Keep in

mind that, in this scenario, if one of the extracted files is malicious, the file reputation service returns

a verdict of Malicious for the compressed or the archive file (Malicious verdict takes precedence

over Unscannable verdict).

Note Reputation of the extracted files with safe MIME types, for example, text/plain, are not

evaluated.

FIPS Compliance

File reputation scanning and file analysis are FIPS compliant.

Configuring File Reputation and Analysis Features

• Requirements for Communication with File Reputation and Analysis Services, page 16-5

• Enabling and Configuring File Reputation and Analysis Services, page 16-5

• Configuring the Incoming Mail Policy for File Reputation Scanning and File Analysis, page 16-6

• Quarantining Messages with Attachments Sent for Analysis, page 16-7

• Using the File Analysis Quarantine, page 16-8

• Centralized File Analysis Quarantine, page 16-10

• X-Headers for File Reputation and Analysis, page 16-10

• Sending Notifications to End Users about Dropped Messages or Attachments, page 16-10