Zero-Day Malware (APT) Report

The Zero-Day Malware (APT) report shows a summary of all the threats that APT Blocker identified as zero-day malware (malware that was not identified until after the traffic had already passed through the firewall).

When APT Blocker encounters a file that it has not seen or analyzed before, it submits the file to the data center for analysis in a sandbox environment. For proxies other than the SMTP and IMAP proxies, the connection is allowed while the device waits for the result of the analysis, so the file can reach its destination before the verdict is known. When the result is returned, if there is evidence of malware activity in the file, the device generates a log message and the file appears on the Zero-Day Malware (APT) report.

This report is available only if log messages with data for this report exist in the specified time frame. To make sure that your Firebox sends the log messages required to generate this report, follow the steps in Enable Logging for this Report.

How to Use this Report

This report can show you the zero-day malware downloaded by users on your network. Here are some ways to use this report:

  • Click View Details to see details of all downloaded zero-day malware and use the information to identify and respond to the threats.
  • Select the Recipient/Destination pivot to identify the recipients of zero-day malware files.
  • Select the Content Name or Threat ID pivots to see the names of files that APT Blocker identified as zero-day malware.
  • Select the Malicious Activity pivot to see the malicious behaviors associated with zero-day malware.

View the Report

This report is available in WatchGuard Cloud and in Dimension.

Pivots

You can use pivots to change the view of the data on the report.

To switch to a different view, select a pivot from the drop-down list above the report.

This report includes these pivots:

Content Name

Summary of the malware identified as Zero-Day Malware by APT Blocker, organized by content name.

Malicious Activity

Summary of the malicious activity on your network that was identified as zero-day malware by APT Blocker.

Recipient/Destination

Summary of the recipient names and destination addresses for activity on your network identified as zero-day malware by APT Blocker.

Threat ID

Summary of the malware identified as zero-day malware by APT Blocker, organized by the Threat ID.

Threat Level

Summary of the threat levels assigned to activity on your network identified as zero-day malware by APT Blocker.

Detail View

To view a detailed report of threats identified by APT Blocker as zero-day malware after the traffic passed through the firewall, click the View Details link at the top of the report.

Screen shot of View Details link in a report

The Zero-Day Malware (APT) Detail report includes a row for each instance of zero-day malware identified and shows this information:

Column            Description
Disposition       The action taken by the Firebox for this traffic, such as Stripped or Allowed.
Time              Date and time that the event occurred.
Threat Level      Severity of the threat (High, Medium, or Low).
Threat ID         Identification number assigned to the threat.
Content Name      Name of the file or content that included the threat.
Source            IP address of the traffic source.
Destination       IP address of the traffic destination.
Policy            Name of the Firebox policy that examined the traffic.
Protocol          Protocol used to send the traffic.
Host              Host name used to send the traffic.
Sender            For SMTP, POP3, or IMAP protocols, the email address that sent the email.
Recipient         For SMTP, POP3, or IMAP protocols, the email address the email was sent to.
Hits              Number of attempts.
More Information  To see more detailed information (includes MD5 and Threat Level information), click Threat Details.
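The following Python is an added example, not WatchGuard code or any export format of the product: it rebuilds the report's pivot summaries from detail rows and singles out Allowed rows, since for non-SMTP/IMAP proxies the file reached the destination before the sandbox verdict came back. Row values (hosts, file names, threat IDs, MD5s) are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DetailRow:
    """One Detail-report row; Time, Source, Policy, Host and Sender are omitted."""
    disposition: str   # Stripped or Allowed
    threat_level: str  # High, Medium or Low
    threat_id: str
    content_name: str
    destination: str
    protocol: str
    recipient: str     # email address for SMTP/POP3/IMAP, else empty
    hits: int
    md5: str           # from Threat Details; placeholder values below

# Constructed sample rows; hosts, names, IDs and hashes are placeholders.
SAMPLE_ROWS = [
    DetailRow("Allowed", "High", "THREAT-1", "invoice.exe", "10.0.0.5", "HTTP", "", 2, "MD5-PLACEHOLDER-1"),
    DetailRow("Allowed", "Medium", "THREAT-2", "report.pdf", "10.0.0.7", "HTTP", "", 1, "MD5-PLACEHOLDER-2"),
    DetailRow("Stripped", "High", "THREAT-1", "invoice.exe", "10.0.0.9", "SMTP", "user@example.com", 3, "MD5-PLACEHOLDER-1"),
    DetailRow("Allowed", "High", "THREAT-3", "setup.msi", "10.0.0.5", "HTTP", "", 1, "MD5-PLACEHOLDER-3"),
]

LEVEL_RANK = {"High": 3, "Medium": 2, "Low": 1}

def pivot(rows, column):
    """Sum Hits per distinct value of a column, like the report's pivot views."""
    totals = defaultdict(int)
    for row in rows:
        totals[getattr(row, column)] += row.hits
    return dict(totals)

def delivered_threats(rows):
    """Allowed rows: the connection was let through while the sandbox verdict
    was pending, so the file reached the destination. Most severe first."""
    allowed = [r for r in rows if r.disposition == "Allowed"]
    return sorted(allowed, key=lambda r: (-LEVEL_RANK.get(r.threat_level, 0), r.destination))

def hosts_to_check(rows):
    """Map each destination that received allowed zero-day malware to the MD5s to look for."""
    found = defaultdict(set)
    for row in delivered_threats(rows):
        found[row.destination].add(row.md5)
    return {host: sorted(hashes) for host, hashes in found.items()}
```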

Enable Logging for this Report

To collect the data required for this report:

  • In the General Settings for all proxy actions that have APT Blocker enabled, select Enable logging for reports.
  • In all APT Blocker Actions, select the Log check boxes for the threat levels you want to appear on the report. For more information, see Configure APT Blocker.

See Also

WatchGuard Cloud Device Reports List