How can I tell if Content Analysis has found a file in the whitelist?
Last Updated May 13, 2017
Whitelisting has just been enabled; how can I tell if it is working correctly?
A simple way of confirming that Content Analysis is checking against the whitelisting database is to look in the Content Analysis system log. To see the information related to whitelisting, you first need to set the whitelisting module to debug mode.
Then use the test utility to upload a file; make sure it is one that Content Analysis has been configured to scan.
Now go to the utilities tab and check the CAS log for an entry confirming the whitelisting score returned by the database.
Please also be aware of this alternate method of verifying that WhiteListing has been enabled on your Content Analysis System or virtual appliance.
To understand this process, and why the following information helps, a brief explanation of the order in which a CA processes objects is useful.
When an object comes into the CA, it is first checked against GIN, the Global Intelligence Network, formerly known as WebPulse or the Blue Coat Web Filter (BCWF); on Content Analysis (CA) this check is called WhiteListing.
Knowing that GIN is consulted first tells us what to look for in the logs, or in an alert for a file that has been denied. The clue is in the information contained in the alert, or in the logs if no alert is generated. Note: unless the log level is raised, objects that pass are not logged, so examining blocked files is the only way to see whether WhiteListing is working.
So an alert raised by WhiteListing will contain sections saying that the AV Vendor is unknown, and other parameters will look the same, as explained below. That is not an error, though it can be confusing unless you follow this KB and know the order in which CA processes an object:
1. Object received from ProxySG appliance via ICAP
2. AV vendor selected, in this order if more than one is configured (hardcoded order):
3. Sandboxing (if you have a configured BC Malware Analysis or FireEye appliance)
4. WebPulse (report the score if either AV or Sandboxing were used/needed)
If the object is given a score by the WebPulse (WhiteListing) lookup, the alert corresponding to that score is sent. Because no AV vendor was used, the fields reporting the AV vendor, engine, pattern IDs and so on are blank or say "unknown". That is your answer: WhiteListing is working as advertised.
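To make the second method mechanical, here is an added example (not Blue Coat code, and not the real CAS alert format, which this article does not show) that scans constructed alert records and separates verdicts that came from the WhiteListing lookup from those produced by an AV engine. The key=value layout and the field names (av_vendor, av_engine, pattern_id, whitelist_score, verdict) are assumptions; the classification rule is the one the article gives: a score with blank or "unknown" AV fields means WhiteListing handled the object, and a record with neither is inconclusive until the log level is raised.

```python
"""Triage constructed Content Analysis alert records by verdict source.

Added example, not Symantec/Blue Coat code.  The log layout and field names
below are assumptions; the real CAS log format is not shown in the article.
"""

import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample alerts (not captured from a real appliance).  Only denied
# objects appear, as the article notes: passed objects are not logged unless
# the log level is raised.
SAMPLE_LOG = """\
2017-05-13T10:01:02Z alert file=setup.exe av_vendor=unknown av_engine=unknown pattern_id= whitelist_score=92 verdict=deny
2017-05-13T10:02:15Z alert file=invoice.pdf av_vendor=Kaspersky av_engine=KAV pattern_id=2017051301 whitelist_score= verdict=deny
2017-05-13T10:03:40Z alert file=tool.zip av_vendor= av_engine= pattern_id= whitelist_score= verdict=deny
2017-05-13T10:04:05Z alert file=report.docx av_vendor= av_engine= pattern_id= whitelist_score=7 verdict=deny
"""

# Values the article says to expect in the AV fields when no engine ran.
UNKNOWN = {"", "unknown", "n/a", "-"}

_KV = re.compile(r"(\w+)=(\S*)")  # key=value tokens; empty values allowed


@dataclass
class Alert:
    timestamp: str
    filename: str
    av_vendor: str
    av_engine: str
    pattern_id: str
    whitelist_score: Optional[int]
    verdict: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one assumed-format alert line; return None for non-alert lines."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 3 or parts[1] != "alert":
        return None
    fields = dict(_KV.findall(parts[2]))
    score_raw = fields.get("whitelist_score", "")
    score = int(score_raw) if score_raw.isdigit() else None
    return Alert(
        timestamp=parts[0],
        filename=fields.get("file", ""),
        av_vendor=fields.get("av_vendor", ""),
        av_engine=fields.get("av_engine", ""),
        pattern_id=fields.get("pattern_id", ""),
        whitelist_score=score,
        verdict=fields.get("verdict", ""),
    )


def classify(alert: Alert) -> str:
    """Return 'av', 'whitelist' or 'inconclusive' for one alert.

    An AV engine was used if any AV field carries a real value.  Otherwise a
    present score means the WhiteListing (WebPulse/GIN) lookup produced the
    verdict; no score and no AV data cannot be decided from this record.
    """
    av_fields = (alert.av_vendor, alert.av_engine, alert.pattern_id)
    av_used = not all(v.strip().lower() in UNKNOWN for v in av_fields)
    if av_used:
        return "av"
    if alert.whitelist_score is not None:
        return "whitelist"
    return "inconclusive"


def triage(log_text: str) -> Dict[str, int]:
    """Count alerts per verdict source across a block of log text."""
    counts = {"whitelist": 0, "av": 0, "inconclusive": 0}
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            counts[classify(alert)] += 1
    return counts


def whitelisting_active(log_text: str) -> bool:
    """True if at least one denied object was scored by WhiteListing."""
    return triage(log_text)["whitelist"] > 0


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            print(f"{alert.filename:<12} {classify(alert)}")
    print(triage(SAMPLE_LOG), "active:", whitelisting_active(SAMPLE_LOG))
```

Records that land in the inconclusive bucket are the ones to re-check after raising the whitelisting module to debug mode, as described in the first method above.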
If you have further questions, please ask your support contact at Blue Coat.
Imported Document ID: 000009952