Triton RiskVision, Руководство по установке

Страница: 24 / 26

Initial Setup
20

Websense TRITON RiskVision
Understanding the process of analysis:
1. When RiskVision identifies files in HTTP or SMTP transactions, it sends them to
the local, on-box analytics to determine whether the files contain suspicious or
malicious content.
2. File content is analyzed by the Data Analysis Engine to identify potentially
sensitive information that is being transferred out of your network.
The policies and rules used to identify sensitive content are based on the profile
that you configure on the
System > Data Profile page in the Local Manager. By
default, data analysis is used to identify Payment Card Industry (PCI) information
in file content.
3. Files whose formats are supported by the cloud File Sandbox are also submitted
for sandboxing analysis, which uses virtual machines to replicate the behavior of
those files when opened. File sandboxing can be used to analyze:

Executable files

PDF files

Microsoft Office files (like DOCX, XLSX, and so on)
4. Both on-box and cloud analytics return a Threat Level of malicious, suspicious,
or no threat detected for each file analyzed.
When the result is returned from the cloud File Sandbox, the Threat Level value is
a link to a cloud-based report with detailed information about the analysis that was
performed and the reason for the threat level that was assigned.
5. The File Analysis table is also updated with data analysis results that show any
identified policy violations, including information about some of the strings that
triggered the violation.
You can export the data shown on the Incidents page to a CSV file to perform further
analysis in third-party reporting tools.
In addition, you can use the Reporting page in the Local Manager to generate PDF or
RTF reports with information about specific types of malicious activity (like exploit