2 Replies Latest reply on Jul 27, 2015 2:31 AM by lpp

    Antimalware.MATD.GetReport possible usage

    lpp

In Web Gateway 7.4, amongst the properties available to build rule criteria, Antimalware.MATD.GetReport apparently doesn't seem to be very effective.


      Actually, within a Web Gateway - Advanced Threat Defence integration one would think that through this property a query to existing results (including blacklist) on the ATD would be possible. But then how to use these results?


      How can MWG query ATD to check a file hash against previous analyses, without submitting the entire file? Antimalware.MATD.GetReport seems to be the proper way to proceed, but then, in case a report is available and downloaded, how to get its result?

        • 1. Re: Antimalware.MATD.GetReport possible usage

          Antimalware.MATD.GetReport property returns true and sets other properties of AV family like Antimalware.Infected and Antimalware.MATD.Report if it was able to download an existing report for the current body.


          rule 1: check if a recent report can be downloaded

          condition: Antimalware.MATD.GetReport<atd config> equals false

          action: stop rule set


          rule 2: evaluate results. Here cached values are used

          condition: Antimalware.MATD.Probability greater than 0

          action: block

          • 2. Re: Antimalware.MATD.GetReport possible usage
            lpp

            Andrej, you are perfectly right.


            These properties work well together, although the results are obtained from Web Gateway's cache only, without actually querying the ATD appliance for its archive.


            Thank you and best regards.