Level 7

Antimalware.MATD.GetReport possible usage


In Web Gateway 7.4, amongst the properties available to build rule criteria, Antimalware.MATD.GetReport apparently doesn't seem to be very effective.

Actually, within a Web Gateway - Advanced Threat Defence integration one would think that through this property a query to existing results (including the blacklist) on the ATD would be possible. But then how to use these results?

How can MWG query ATD to check a file hash against previous analysis without submitting the entire file? Antimalware.MATD.GetReport seems to be the proper way to proceed, but then, in case a report is available and downloaded, how to get its result?

0 Kudos
1 Solution

Accepted Solutions
amart
Level 9

Re: Antimalware.MATD.GetReport possible usage


The Antimalware.MATD.GetReport property returns true and sets other properties of the AV family, like Antimalware.Infected and Antimalware.MATD.Report, if it was able to download an existing report for the current body.

Rule 1: check if a recent report can be downloaded

condition: Antimalware.MATD.GetReport<atd config> equals false

action: stop rule set

Rule 2: evaluate the results. Here the cached values are used

condition: Antimalware.MATD.Probability greater than 0

action: block

0 Kudos
2 Replies
lpp
Level 7

Re: Antimalware.MATD.GetReport possible usage


Andrej, you are perfectly right.

These properties work well together, although the results are obtained from Web Gateway's cache only, without actually querying the ATD appliance for its archive.

Thank you and best regards.

0 Kudos