The Virus report displays information on malware stopped by the Gateway AntiVirus and IntelligentAV security services. You can use this report to see the most common viruses that Gateway AntiVirus and IntelligentAV deny, and see information about how the viruses attempt to enter your network.
This report is available when log messages with data for this report exist in the specified time frame. To make sure that your Firebox sends log messages required to generate this report, follow the steps to Enable Logging for this Report.
How to Use this Report
This report can help you identify areas where viruses could potentially enter your network so that you can take action. Here are some ways to use this report:
- Select the Virus (GAV) or Virus (IAV) pivot to identify the types of viruses that are stopped by Gateway AntiVirus and IntelligentAV. You can also use this data to troubleshoot false positives (safe files that Gateway AntiVirus or IntelligentAV incorrectly identifies as a virus). If you identify files that cause false positives, add them to the File Exceptions list.
- Select the Activity Trend pivot to compare the number of files scanned with the number of viruses detected over time.
- Select the Host (HTTP) pivot to identify host computers that cause viruses to enter the network.
- Select the Protocol pivot to identify the protocols and policies that allow viruses to enter the network.
- Select the Email Sender pivot to identify email addresses that most frequently send emails that contain viruses to your users. If you want to deny all emails from a specific sender, you can configure the Address: Mail From ruleset in the SMTP-proxy. For more information, see SMTP-Proxy: Mail From/Rcpt To.
View the Report
This report is available in WatchGuard Cloud and in Dimension.
To view the report in WatchGuard Cloud:
- Log in to WatchGuard Cloud.
- Select Monitor > Devices.
- Select a folder or a specific device.
- To select the report date range, click .
- From the list of reports, select Services > Virus.
The Virus report opens.
To view the report in Dimension:
- To see reports for your Fireboxes or FireClusters, select Home > Devices.
The Devices list opens.
To see reports for your groups of Fireboxes, select Home > Groups.
The Groups list opens.
- Select the Name of a Firebox, cluster, or group.
The Tools > Executive Dashboard page opens.
- Select the Reports tab.
- Select Services > Virus (GAV).
The Virus report opens.
You can use pivots to change the view of the data on the report.
To switch to a different view, select a pivot from the drop-down list above the report.
This report includes these pivots:
- Virus (GAV): Lists the names of viruses stopped by Gateway AntiVirus. A chart shows the number of times each virus was stopped. For each virus, the report shows the number of allowed and denied hits, and the percentage of all hits.
- Virus (IAV): Lists the names of viruses stopped by IntelligentAV. A chart shows the number of times each virus was stopped. For each virus, the report shows the number of allowed and denied hits, and the percentage of all hits.
- Activity Trend: Shows the trend of the total traffic scanned by Gateway AntiVirus compared to traffic where Gateway AntiVirus detected a virus. For each time period, the report shows the number of viruses detected and items scanned.
- Host (HTTP): Summary of the Gateway AntiVirus actions, organized by host computer. For each host, the report shows the number of allowed and denied hits, and the percentage of all hits.
- Protocol: Summary of the Gateway AntiVirus actions, organized by the protocol used for the traffic. For each protocol, the report shows the number of allowed and denied hits, and the percentage of all hits.
- Email Sender: Summary of the Gateway AntiVirus actions, organized by the email address that sent the message. For each email address, the report shows the number of allowed and denied hits, and the percentage of all hits. Available for the SMTP and POP3 proxies.
To view a detailed report of all Gateway AntiVirus actions, click View Details at the top of the report.
The Virus Detail report includes a row for each action taken by Gateway AntiVirus and IntelligentAV and displays this information:
|Column|Description|
|---|---|
|Disposition|Action taken by Gateway AntiVirus or IntelligentAV, such as Allowed or Dropped|
|Time|Date and time that Gateway AntiVirus took the action|
|Virus|Name of the virus that was stopped by Gateway AntiVirus or IntelligentAV|
|Source|IP address of the traffic source|
|Destination|IP address of the traffic destination|
|Policy|Name of the Firebox policy that examined the traffic|
|Protocol|Protocol used to send the traffic|
|Sender|For email protocols, the email address of the sender|
|Recipient|For email protocols, the email address of the recipient|
|Hits|Number of hits|
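The pivot summaries described above can be reproduced from Virus Detail rows, which is useful when you triage the data outside the report. This Python is an added example, not WatchGuard code: the sample rows are constructed, and it assumes that any disposition other than Allowed counts as denied and that the percentage is a value's hits divided by all hits in that pivot.

```python
from collections import defaultdict

# Column names follow the Virus Detail table above.
COLUMNS = ["Disposition", "Time", "Virus", "Source", "Destination",
           "Policy", "Protocol", "Sender", "Recipient", "Hits"]

# Constructed sample rows (documentation IP ranges, made-up names); not real log data.
SAMPLE = [
    ("Dropped", "2024-05-01 09:12", "EICAR-Test-File", "10.0.1.20", "203.0.113.5",
     "HTTP-proxy-00", "HTTP", "", "", 3),
    ("Allowed", "2024-05-01 09:40", "EICAR-Test-File", "10.0.1.20", "203.0.113.5",
     "HTTP-proxy-00", "HTTP", "", "", 1),
    ("Dropped", "2024-05-01 10:05", "Sample.Trojan.A", "198.51.100.7", "10.0.1.25",
     "SMTP-proxy-00", "SMTP", "billing@example.test", "user@example.com", 4),
    ("Dropped", "2024-05-01 11:30", "Sample.Trojan.A", "198.51.100.7", "10.0.1.31",
     "SMTP-proxy-00", "SMTP", "billing@example.test", "ops@example.com", 2),
]

def load(sample):
    """Turn positional rows into dicts keyed by the Detail column names."""
    return [dict(zip(COLUMNS, row)) for row in sample]

def pivot(rows, column):
    """Per value of `column`: allowed hits, denied hits, percent of all hits."""
    totals = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for row in rows:
        key = row[column]
        if not key:  # Sender/Recipient are empty for non-email protocols
            continue
        # Assumption: every disposition other than "Allowed" is a denied hit.
        bucket = "allowed" if row["Disposition"].lower() == "allowed" else "denied"
        totals[key][bucket] += int(row["Hits"])
    grand = sum(t["allowed"] + t["denied"] for t in totals.values())
    out = []
    for key, t in totals.items():
        hits = t["allowed"] + t["denied"]
        out.append({"value": key, "allowed": t["allowed"], "denied": t["denied"],
                    "percent": round(100.0 * hits / grand, 1) if grand else 0.0})
    return sorted(out, key=lambda r: (-(r["allowed"] + r["denied"]), r["value"]))

def allowed_detections(rows):
    """Rows where a detected virus was allowed through: review these first."""
    return [(r["Virus"], r["Source"], r["Destination"], r["Policy"])
            for r in rows if r["Disposition"].lower() == "allowed"]

if __name__ == "__main__":
    rows = load(SAMPLE)
    for col in ("Virus", "Protocol", "Sender"):
        print(col, pivot(rows, col))
    print("Allowed detections:", allowed_detections(rows))
```

Allowed detections are the rows worth checking against the Gateway AntiVirus action settings and the File Exceptions list, since they are either configured to pass or are candidate false positives.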
Enable Logging for this Report
Logging for cloud-managed Fireboxes is automatically enabled. For locally-managed Fireboxes, you must manually enable logging in Fireware Web UI or Policy Manager. For more information, see Set Logging and Notification Preferences.
To collect the data required for this report for locally-managed Fireboxes, in Fireware Web UI or Policy Manager:
- In the General Settings for all proxy actions that have Gateway AntiVirus enabled, select Enable logging for reports.
- When you configure Gateway AntiVirus for a proxy action, select the Log check boxes for all Gateway AntiVirus actions. For more information, see Configure Gateway AntiVirus Actions.