The Zero-Day Malware (APT) report shows a summary of all the threats that APT Blocker identified as zero-day malware (malware not identified until after the traffic passed through the firewall).
When APT Blocker encounters a file that it has not seen or analyzed before, it submits the file to the data center for analysis in a sandbox environment. For proxies other than the SMTP and IMAP proxies, the connection is allowed while the device waits for the result of the analysis. When the result is returned, if there is evidence of malware activity in the file, the device generates a log message and the file appears on the Zero-Day Malware (APT) report.
This report is available when log messages with data for this report exist in the specified time frame. To make sure that your Firebox sends log messages required to generate this report, follow the steps to Enable Logging for this Report.
How to Use this Report
This report can show you the zero-day malware downloaded by users on your network. Here are some ways to use this report:
- Click View Details to see details of all downloaded zero-day malware and use the information to identify and respond to the threats.
- Select the Recipient/Destination pivot to identify the recipients of zero-day malware files.
- Select the Content Name or Threat ID pivots to see the names of files that APT Blocker identified as zero-day malware.
- Select the Malicious Activity pivot to see the malicious behaviors associated with zero-day malware.
View the Report
This report is available in WatchGuard Cloud and in Dimension.
In WatchGuard Cloud:
- Log in to WatchGuard Cloud.
- Select Monitor > Fireboxes.
The Device Manager page appears.
- From the Device Manager list, select a folder or a specific device.
- To select the report date range, click the Calendar icon.
- From the list of reports, select Services > Zero-Day Malware (APT).
The Zero-Day Malware (APT) report appears.
In Dimension:
- To see reports for your Fireboxes or FireClusters, select Home > Devices.
The Devices list appears.
- To see reports for your groups of Fireboxes, select Home > Groups.
The Groups list appears.
- Select the Name of a Firebox, cluster, or group.
The Tools > Executive Dashboard page appears.
- Select the Reports tab.
- Select Services > Zero-Day Malware (APT).
The Zero-Day Malware (APT) report appears.
You can use pivots to change the view of the data on the report.
To switch to a different view, select a pivot from the drop-down list above the report.
This report includes these pivots:
- Content Name: Summary of the malware identified as zero-day malware by APT Blocker, organized by content name.
- Malicious Activity: Summary of the malicious activity on your network that was identified as zero-day malware by APT Blocker.
- Recipient/Destination: Summary of the recipient names and destination addresses for activity on your network identified as zero-day malware by APT Blocker.
- Threat ID: Summary of the malware identified as zero-day malware by APT Blocker, organized by Threat ID.
- Threat Level: Summary of the threat levels assigned to activity on your network identified as zero-day malware by APT Blocker.
To view a detailed report of threats identified by APT Blocker as zero-day malware after the traffic passed through the firewall, click the View Details link at the top of the report.
The Zero-Day Malware (APT) Detail report includes a row for each instance of zero-day malware identified and shows this information:
| Column | Description |
|---|---|
| Disposition | The action taken by the Firebox for this traffic, such as Stripped or Allowed. |
| Time | Date and time that the event occurred. |
| Threat Level | Severity of the threat (High, Medium, or Low). |
| Threat ID | Identification number assigned to the threat. |
| Content Name | Name of the file or content that included the threat. |
| Source | IP address of the traffic source. |
| Destination | IP address of the traffic destination. |
| Policy | Name of the Firebox policy that examined the traffic. |
| Protocol | Protocol used to send the traffic. |
| Host | Host name used to send the traffic. |
| Sender | For SMTP, POP3, or IMAP protocols, the email address that sent the email. |
| Recipient | For SMTP, POP3, or IMAP protocols, the email address the email was sent to. |
| Hits | Number of attempts. |
| More Information | To see more detailed information (includes MD5 and Threat Level information), click Threat Details. |
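As an added illustration, not from the WatchGuard documentation or product code, this Python snippet models Detail report rows over constructed sample data, computes the pivot summaries listed above, and picks out the instances whose connection was allowed while the sandbox verdict was pending (non-SMTP/IMAP proxies), since those files may already have reached the destination host. The row fields, the keying of the Recipient/Destination pivot and all sample values are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class AptDetailRow:
    """One row of the Zero-Day Malware (APT) Detail report (subset of its columns)."""
    disposition: str        # Stripped or Allowed
    threat_level: str       # High, Medium or Low
    threat_id: int
    content_name: str
    destination: str        # destination IP address
    protocol: str
    recipient: str          # email recipient for SMTP/POP3/IMAP, else empty
    hits: int
    malicious_activity: str

# Constructed sample rows; not real Firebox log output, whose format the page does not show.
SAMPLE_ROWS = [
    AptDetailRow("Allowed", "High", 1001, "invoice.docm", "203.0.113.8", "HTTP", "", 2, "Drops executable"),
    AptDetailRow("Stripped", "Medium", 1002, "report.pdf", "10.0.5.40", "SMTP", "alice@corp.example", 1, "Contacts remote host"),
    AptDetailRow("Allowed", "High", 1001, "invoice.docm", "203.0.113.8", "HTTP", "", 1, "Drops executable"),
]

# Report pivot name -> row attribute it groups by (Recipient/Destination is handled separately).
PIVOT_FIELDS = {
    "Content Name": "content_name",
    "Malicious Activity": "malicious_activity",
    "Threat ID": "threat_id",
    "Threat Level": "threat_level",
}

def pivot(rows, pivot_name):
    """Total hits per pivot key, the same summary each pivot view of the report shows."""
    totals = Counter()
    for row in rows:
        if pivot_name == "Recipient/Destination":
            # Assumption: email traffic is keyed by recipient, other traffic by destination IP.
            key = row.recipient or row.destination
        else:
            key = getattr(row, PIVOT_FIELDS[pivot_name])
        totals[key] += row.hits
    return dict(totals)

def allowed_before_verdict(rows):
    """Rows where the connection was allowed while the sandbox verdict was pending.
    Only non-SMTP/IMAP proxies allow the connection during analysis, so these files
    may already have reached their destination and warrant endpoint follow-up."""
    return [r for r in rows
            if r.disposition == "Allowed" and r.protocol not in ("SMTP", "IMAP")]
```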
To collect the data required for this report:
- In the General Settings for all proxy actions that have APT Blocker enabled, select Enable logging for reports.
- In all APT Blocker Actions, select the Log check boxes for threat levels you want to appear on the report. For more information, see Configure APT Blocker.