
Viewing blocked malware logs

In document Admin Guide for Web Security Service (Page 186-190)

The Malware Blocked report shows identified and blocked traffic containing malware or viruses. Traffic identified as malware is blocked. You can search outbound or inbound malware, or malware that came from both directions. Use outbound malware logs to identify the IP addresses that generated the malware from within your organization.

To view blocked malware logs:

1. Select the Logs tab, then select the Malware Blocked subtab.

2. Specify the groups to include in the logs (deleted groups are displayed with the ** prefix). Select All Groups; or, to specify one or more groups:

• Click to select a single group.

• Shift-click or click and drag to select contiguous groups.

• Ctrl-click to select non-contiguous groups.

3. Select one or more dates from the last 90-day period:

• Click to select a single date.

• Shift-click or click and drag to select contiguous dates.

• Ctrl-click to select non-contiguous dates.

Filters

URL:

1. Select the checkbox and specify a search option:

• Contains returns URL addresses containing the string in the text box.

• Does not contain returns URL addresses that don't have the string in the text box.

• RegExp returns URL addresses matching the regular expression typed in the text box.

2. Type the string in the text box to be matched based on the criteria. Type a minimum of one character.

3. Specify whether the search applies to the domain only, or to the domain and full path. An example of a domain is http://streamerapi.finance.yahoo.com

An example of a domain and path is http://streamerapi.finance.yahoo.com/1.0

Time:

1. Select the checkbox and specify a search option:

• Between returns logs on activity that occurred within the specified time range.

• Not between returns logs on activity that occurred outside (before and after) the specified time range.

2. Enter the starting time in the first text box. For time, use the following 24-hour format: hh:mm, where hh is from 00 to 23 and mm is from 00 to 59.

Examples of valid time formats: 08:00 or 13:30.

3. Enter the ending time in the second text box. This value must be at least one minute from the starting time. For example, if starting time is 04:03, ending time must be at least 04:04. If your starting and ending times are 04:04 to 04:04, no records are returned even if data exists for 04:04:22.

-179

-WSS 4.4.0-2


User:

1. Select the checkbox and specify a search option:

• Contains returns logs on users whose name contains the text string you provide.

• Does not contain excludes users whose name contains the text string you provide.

• Equals returns logs on the user whose name exactly matches the text string you provide.

• Does not equal returns logs on users whose names do not exactly match the text string you provide.

2. Type a text string of up to 64 characters, the maximum length for user names, in the text box to be matched based on the criteria. Valid characters are a to z, A to Z, and 0 to 9.

IP:

1. Select the checkbox and specify a search option:

• Contains returns logs on IP addresses that contain the numeric string you provide.

• Does not contain excludes IP addresses that contain the numeric string you provide.

• Equals returns logs on the IP address that exactly matches the numeric string you provide.

• Does not equal returns logs on IP addresses that do not exactly match the numeric string you provide.

2. Type a numeric string in the text box to be matched based on the criteria. Valid characters are 0 to 9 and the dot separator.

File Type:

1. Click the checkbox to use this filter.

2. Select a file type from the drop-down list.

Malware:

This filter refers to the direction of malware traffic. Select one:

• All (inbound and outbound)

• Inbound malware only

• Outbound malware only

To change the number of returned records:

1. Open the Max Results drop-down menu and select the number of records to display for the search.

Note that the Filter text box is disabled if you set the Max Results value to 200. To use the Filter box, select another Max Results value.

2. Click Search. Matching records are displayed in tabular format.

The following table describes the data displayed by Malware Blocked logs.

Malware Blocked data

Date: The date you selected for the log. If you selected multiple dates, the log allocates one row per date.

Time: The time the user performed a particular web activity that is being tracked for quota.

Group Name: The group to which the user belongs.

User Name: The name of the user being tracked for usage.

IP Address: The IP address from which traffic was generated.

Note: If the log is about outbound malware, the IP address is located within your organization.

Category: The requested URL's category. Displays Unknown if the URL has no category. See "Category descriptions" on page 78.

File Type: The file type that was downloaded or uploaded. See "Blocking file types" on page 101.

File URL: The URL address that is the source of the downloaded file or the destination of the uploaded file.

Malware Name: The name of the malware (for example, storm.gen).

Malware Category: Displays the malware category. For example, malware called storm.gen would have the category or type Trojan Horse.

Malware Direction: Displays inbound for downloaded malware or outbound for uploaded malware. If outbound, use the IP address to identify the system that has the malware.
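As an added worked example (not code from the guide or the WSS product), the Python below models the filter semantics described above over constructed sample rows: the 24-hour hh:mm time range including the 04:04-to-04:04 case, the URL filter's domain-only versus domain-and-path scope, and a count of outbound hits per internal IP as the Malware Direction field suggests. Treating Between as a half-open interval on hh:mm is an assumption that reproduces the documented behaviour; the product's exact comparison is not stated on the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample rows shaped like the Malware Blocked table (not real log data).
RECORDS = [
    {"time": "04:03:10", "user": "alice", "ip": "10.0.0.5", "url": "http://example.test/a.exe", "malware": "storm.gen", "direction": "inbound"},
    {"time": "04:04:22", "user": "bob", "ip": "10.0.0.7", "url": "http://example.test/up/b.zip", "malware": "storm.gen", "direction": "outbound"},
    {"time": "13:30:00", "user": "carol", "ip": "10.0.1.9", "url": "http://files.example.test/c.dll", "malware": "eicar.test", "direction": "outbound"},
    {"time": "22:15:45", "user": "bob", "ip": "10.0.0.7", "url": "http://example.test/d.exe", "malware": "agent.xyz", "direction": "outbound"},
]

HHMM = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")  # 24-hour hh:mm, as the Time filter requires

def to_minutes(hhmm):
    """Validate hh:mm and convert it to minutes since midnight."""
    if not HHMM.match(hhmm):
        raise ValueError(f"time must be hh:mm in 24-hour format, got {hhmm!r}")
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def time_filter(records, start, end, between=True):
    """Between keeps rows whose hh:mm lies in [start, end); Not between keeps the rest.
    Assumption: this half-open interval gives the guide's result that 04:04 to 04:04 returns nothing."""
    s, e = to_minutes(start), to_minutes(end)
    def inside(row):
        return s <= to_minutes(row["time"][:5]) < e  # seconds are ignored; only hh:mm is compared
    return [r for r in records if inside(r) == between]

def url_filter(records, mode, text, domain_only=True):
    """URL filter: Contains / Does not contain / RegExp, matched against the domain
    (scheme://host, as the guide's example shows) or against domain plus full path."""
    def subject(row):
        p = urlsplit(row["url"])
        return f"{p.scheme}://{p.netloc}" + ("" if domain_only else p.path)
    checks = {
        "contains": lambda s: text in s,
        "does not contain": lambda s: text not in s,
        "regexp": lambda s: re.search(text, s) is not None,
    }
    return [r for r in records if checks[mode](subject(r))]

def outbound_hosts(records):
    """Outbound means an internal system uploaded the file: count hits per internal IP, most first."""
    counts = {}
    for r in records:
        if r["direction"] == "outbound":
            counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))
```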
