On the Web Gateway, you can implement rule sets with rules for logging information about the scanning jobs that Trellix VX performs and for handling errors that occur during these jobs.
NOTE: You can also review Trellix VX activities on the dashboard of the user interface.
Following are the rulesets and its functionalities related to Trellix VX:
- The Trellix VX Scanning Log rule set can be imported from the Logging group of rule sets in the ruleset library.
- The rule set contains a logging rule that records information about each scanning job Trellix VX performs on a web object that was passed on to it by Web Gateway.
- This information includes:
- If the result of scanning is malicious or not
- Server that VX runs on
- UUID of the scanning job
- Hash value of the scanning job
- To create the log entries that provide this information, the rule uses suitable properties.
- The Block on VX Errors rule set can be imported from the Error Handling group of rule sets in the rule set library.
- It contains blocking rules for handling errors that occur when Trellix VX performs a scanning job.
- The rules use the appropriate error IDs in their criteria. The error IDs range from 14016 to 14021.
- A rule in the Block on Anti-Malware Engine Errors ruleset covers the range from 14002 to 14050. The Block on VX Errors ruleset should, therefore, be placed before this anti-malware rule set.
- Otherwise, the blocking rules in the Block on VX Errors ruleset would never be processed and only block messages with text that is related to anti-malware errors in general would be sent to users.
The dashboard charts and tables show how the following data evolved during a particular time interval.
Under Executive Summary: Number of requests for web objects that were blocked due to the scanning results found by VX.
Under Malware Statistics: Number of requests for web objects that were passed on to VX for scanning, number of requests that were blocked due to the scanning results, and the time consumed for the scanning.
- Connection traces can be used to see the connectivity between SWG and the Trellix VX server.
- The API requests sent can also be tracked with the connection traces.
Monitoring the use of Trellix Virtual Execution on Content Security Reporter
- With Skyhigh Content Security Reporter, you can collect data about the scanning activities that Trellix VX performs when it is used to support Web Gateway.
- To collect the data, configure both Web Gateway and Trellix VX as log sources.
- To view the data, register the server that Trellix VX runs on. You can then view the data on the dashboard monitor.