The Advanced Malware (APT) report shows a summary of the malware and malicious activity on your network that was detected by APT Blocker.
This report is available when log messages with data for this report exist in the specified time frame. To make sure that your Firebox sends log messages required to generate this report, follow the steps to Enable Logging for this Report.
How to Use this Report
This report can show you the top instances of malware downloaded by users on your network. Here are some ways to use this report:
- Select the Recipient/Destination and Sender/Source pivots to identify the sender and recipient of malicious files and the connection source and destination.
- Select the Protocols, MIME Type, and Malicious Activity pivots to identify the protocols and file types used to introduce malicious files to your network, and to see the malicious behaviors associated with those files.
- Select the Activity Trend pivot to see malware activity over time.
- Select the Content Name pivot to see the names of files identified as malicious by APT Blocker and to troubleshoot files that cause false positives. If you identify files that cause false positives, add them to the File Exceptions list.
View the Report
This report is available in WatchGuard Cloud and in Dimension.
- Log in to WatchGuard Cloud.
- Select Monitor > Fireboxes.
The Device Manager page appears.
- From the Device Manager list, select a folder or a specific device.
- To select the report date range, click the Calendar .
- From the list of reports, select Services > Advanced Malware (APT).
The Advanced Malware (APT) report appears.
- To see reports for your Fireboxes or FireClusters, select Home > Devices.
The Devices list appears.
To see reports for your groups of Fireboxes, select Home > Groups.
The Groups list appears.
- Select the Name of a Firebox, cluster, or group.
The Tools > Executive Dashboard page appears.
- Select the Reports tab.
- Select Services > Advanced Malware (APT).
The Advanced Malware (APT) report appears.
You can use pivots to change the view of the data on the report.
To switch to a different view, select a pivot from the drop-down list above the report.
This report includes these pivots:
Summary report of the trend of malware detected by APT Blocker over time.
Summary of the malware detected by APT Blocker, organized by content name. Includes allowed and denied hits.
Summary of the different types of malicious activity detected on your network by APT Blocker.
Summary of the MIME types used for malicious activity detected on your network by APT Blocker.
Summary of the protocols used for malicious activity detected on your network by APT Blocker.
Summary of the recipient names and destination addresses for malicious activity on your network.
Summary of the sender names and source addresses for malicious activity on your network.
Summary of the malware detected by APT Blocker, organized by the Threat ID.
Summary of the threat levels assigned to malicious activity on your network.
To view a detailed report of all malicious activity detected by APT Blocker, click the View Details link at the top of the report.
The Advanced Malware (APT) Detail report includes a row for each instance of malicious activity detected by APT Blocker:
|Disposition||The action taken by the Firebox for this traffic, such as Stripped or Allowed.|
|Time||Date and time that the event occurred.|
|Threat Level||Severity of the threat (High, Medium, or Low).|
|Threat ID||Identification number assigned to the threat.|
|Content Name||Name of the file or content that included the threat.|
|Source||IP address of the traffic source.|
|Destination||IP address of the traffic destination.|
|Policy||Name of the Firebox policy that examined the traffic.|
|Protocol||Protocol used to send the traffic.|
|Host||Host name used to send the traffic.|
|Sender||For SMTP, POP3, or IMAP protocols, the email address that sent the email.|
|Recipient||For SMTP, POP3, or IMAP protocols, the email address the email was sent to.|
|Hits||Number of attempts.|
|More Information||To see more detailed information (includes MD5 and Threat Level information), click Threat Details.|
To collect the data required for this report:
- In the General Settings for all proxy actions that have APT Blocker enabled, select Enable logging for reports.
- In all APT Blocker Actions, select the Log check boxes for threat levels you want to appear on the report. For more information, see Configure APT Blocker.