Zero-Day Malware (APT) Report

Applies To: Cloud-managed Fireboxes, Locally-managed Fireboxes

The Zero-Day Malware (APT) report shows a summary of all the threats that APT Blocker identified as zero-day malware (threats not identified until after the traffic had already passed through the firewall).

When APT Blocker encounters a file that it has not seen or analyzed before, it submits the file to the data center for analysis in a sandbox environment. For proxies other than the SMTP and IMAP proxies, the connection is allowed while the device waits for the result of the analysis, so the file can reach its destination before the verdict is known. When the result is returned, if there is evidence of malware activity in the file, the device generates a log message and the file appears on the Zero-Day Malware (APT) report.

This report is available when log messages with data for this report exist in the specified time frame. To make sure that your Firebox sends log messages required to generate this report, follow the steps to Enable Logging for this Report.

How to Use this Report

This report can show you the zero-day malware downloaded by users on your network. Here are some ways to use this report:

  • Click View Details to see details of all downloaded zero-day malware and use the information to identify and respond to the threats.
  • Select the Recipient/Destination pivot to identify the recipients of zero-day malware files.
  • Select the Content Name or Threat ID pivots to see the names of files that APT Blocker identified as zero-day malware.

View the Report

This report is available in WatchGuard Cloud and in Dimension.

Pivots

You can use pivots to change the view of the data on the report.

To switch to a different view, select a pivot from the drop-down list above the report.

This report includes these pivots:

Content Name

Summary of the malware identified as zero-day malware by APT Blocker, organized by content name.

Recipient/Destination

Summary of the recipient names and destination addresses for activity on your network identified as zero-day malware by APT Blocker.

Threat ID

Summary of the malware identified as zero-day malware by APT Blocker, organized by Threat ID.

Threat Level

Summary of the threat levels assigned to activity on your network identified as zero-day malware by APT Blocker.

Zero-Day Malware (APT) Report Detail View

To view a detailed report of threats identified by APT Blocker as zero-day malware after the traffic passed through the firewall, click View Details at the top of the report.

[Screen shot: View Details link in a report]

The Zero-Day Malware (APT) Detail report includes a row for each instance of zero-day malware identified and shows this information:

Column            Description
Disposition       Action taken by the Firebox for this traffic, such as Stripped or Allowed
Time              Date and time when the event occurred
Threat Level      Severity of the threat (High, Medium, or Low)
Threat ID         Identification number assigned to the threat
Content Name      Name of the file or content that included the threat
Source            IP address of the traffic source
Destination       IP address of the traffic destination
Policy            Name of the Firebox policy that examined the traffic
Protocol          Protocol used to send the traffic
Host              Host name used to send the traffic
Sender            For SMTP, POP3, or IMAP protocols, the email address that sent the email
Recipient         For SMTP, POP3, or IMAP protocols, the email address the email was sent to
Hits              Number of attempts
More Information  To see more detailed information (includes MD5 and Threat Level information), click Threat Details.
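As an added example (not part of the WatchGuard documentation or product), the Python below triages an exported detail report using the columns listed above and the "How to Use this Report" guidance: it drops Stripped rows, keeps files at or above a chosen threat level, and groups what was actually delivered by destination host so the hosts that received the most severe files are investigated first. The CSV export layout and every sample row are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of the Zero-Day Malware (APT) Detail report.
# Column names follow the report's documented columns; the CSV layout and
# every value below are assumptions made for this example.
SAMPLE_DETAIL_CSV = """\
Disposition,Time,Threat Level,Threat ID,Content Name,Source,Destination,Policy,Protocol,Host,Sender,Recipient,Hits
Allowed,2024-05-01 09:12:44,High,THREAT-EXAMPLE-1,invoice.pdf.exe,203.0.113.10,10.0.0.25,HTTP-proxy,HTTP,files.example.test,,,1
Stripped,2024-05-01 09:20:10,High,THREAT-EXAMPLE-2,payroll.docm,198.51.100.7,10.0.0.40,SMTP-proxy,SMTP,mail.example.test,a@example.test,b@corp.test,1
Allowed,2024-05-01 10:02:31,Medium,THREAT-EXAMPLE-3,setup.msi,203.0.113.22,10.0.0.25,HTTPS-proxy,HTTPS,cdn.example.test,,,3
Allowed,2024-05-01 11:45:00,Low,THREAT-EXAMPLE-4,tool.zip,203.0.113.30,10.0.0.77,HTTP-proxy,HTTP,dl.example.test,,,1
"""

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

def delivered_threats(csv_text, min_level="Medium"):
    """Rows whose file reached the destination (Disposition not Stripped)
    at or above min_level, grouped by destination IP."""
    threshold = SEVERITY_RANK[min_level]
    by_dest = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Disposition"] == "Stripped":
            continue  # file never reached the host, so no host triage needed
        if SEVERITY_RANK.get(row["Threat Level"], 0) < threshold:
            continue
        by_dest[row["Destination"]].append(row)
    return dict(by_dest)

def triage_summary(csv_text, min_level="Medium"):
    """Per-destination list of delivered files and total hits, ordered so
    the host that received the most severe file comes first."""
    summary = []
    for dest, rows in delivered_threats(csv_text, min_level).items():
        worst = max(rows, key=lambda r: SEVERITY_RANK[r["Threat Level"]])
        summary.append({
            "destination": dest,
            "files": sorted(r["Content Name"] for r in rows),
            "hits": sum(int(r["Hits"]) for r in rows),
            "max_level": worst["Threat Level"],
        })
    summary.sort(key=lambda s: (-SEVERITY_RANK[s["max_level"]], -s["hits"]))
    return summary

if __name__ == "__main__":
    for entry in triage_summary(SAMPLE_DETAIL_CSV, min_level="Low"):
        print(entry)
```

A Stripped disposition (SMTP/IMAP) means the file never reached the recipient, so those rows are excluded from host triage; Allowed rows are the ones that need follow-up on the destination host.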

Enable Logging for this Report

Logging for cloud-managed Fireboxes is automatically enabled. For locally-managed Fireboxes, you must manually enable logging in Fireware Web UI or Policy Manager. For more information, see Set Logging and Notification Preferences.

To collect the data required for this report for locally-managed Fireboxes, in Fireware Web UI or Policy Manager:

  • In the General Settings for all proxy actions that have APT Blocker enabled, select Enable logging for reports.
  • In all APT Blocker Actions, select the Log check boxes for threat levels you want to appear on the report. For more information, see Configure APT Blocker.

Related Topics

WatchGuard Cloud Device Reports List