Updated on 2024-01-24 GMT+08:00

Malicious Files

Context

Huawei Qiankun determines the detection type of a threat event based on logs provided by the device. If the detection type is AV/CDE, the threat event is identified as a malicious file event.

If the malicious file is blocked when the device detects it, the status of the malicious file event is Blocked. If the malicious file is not blocked when the device detects it, the status of the malicious file event is Unhandled.

For malicious files that are in Blocked or Unhandled state, Huawei Qiankun can send SMS and email alarms to notify tenants or deliver an IP address blacklist.

Tenants need to handle the malicious files in Unhandled state and mark them as Manually handled or Ignored.

Procedure

  1. Log in to the Huawei Qiankun console, and choose > My Services > Border Protection and Response.
  2. Click Threat Events in the menu bar.
  3. Check the overview of malicious files, and click a number or View More to view details.

    Figure 1 Overview of malicious files

  4. Mark the status of unhandled malicious files.

    • Manually handled

      Tenants manually handle specific events, for example, searching for and clearing malicious files based on the source and destination addresses of events, and file names.

      After confirming that malicious files have been cleared from hosts, mark the events as Manually handled in the Operation column.

    • Ignored

      If the events are false positives or do not need to be handled, mark the events as Ignored in the Operation column.

    If you do not know how to handle the problem or the problem persists after you handle it, contact the corresponding Managed Security Service Provider (MSSP) or channel partner.

Follow-up Procedure

  • On the Malicious Files page, you can click an event name to view details of the malicious file event.
    Figure 2 Malicious Files page

  • The Malicious File Details page contains Handling Suggestions, Operation Records, and Threat Analysis.
    Figure 3 Malicious File Details page

    On the Malicious File Details page, the event names and malicious file information may contain public IP addresses, helping you learn about threat events. The service does not proactively initiate connections to these public IP addresses.