Riskware
Riskware detection lets you identify files that resemble malware but are not intended to be malicious. Such a file is not a threat in itself, but it can exhibit behavior that affects threat detection, such as installing unwanted programs, modifying system settings, or reducing overall system performance. Types of riskware include Potentially Unwanted Programs (PUPs), Potentially Unwanted Applications (PUAs), adware, and hacker tools. This feature lets you distinguish between malicious files and riskware on the Malware Analysis appliance. When optional riskware detection is enabled, the Multi-Vector Virtual Execution (MVX) engine does not mark riskware files as malicious, and those files are excluded from further analysis. The submission status for a riskware alert is shown as Riskware in the output of the show submission id command, where id is the submission ID.
When riskware detection is enabled on the appliance, you can also enable riskware detection custom policy rules. When at least one matching policy rule is enabled on the Malware Analysis appliance, the appliance can generate a riskware alert on a nonmalicious submission. For details about how to enable or disable riskware detection custom policy rules, see Enabling or Disabling Riskware Detection Custom Policy Rules.
Task List for Managing Riskware
Complete the steps for managing riskware in the following order:
- Log in to the CLI to specify the settings for riskware detection.
- (Optional) Enable AV-Check on the appliance. For details about how to enable AV-Check, see Enabling or Disabling AV-Check.
- (Optional) Verify that AV-Suite integration is enabled on the appliance. Use the show static-analysis config command.
- (Optional) Verify that the appliance is configured to perform YARA analysis. Use the show static-analysis config command.
- Enable riskware detection. For details about how to enable riskware detection, see Enabling or Disabling Riskware Detection Custom Policy Rules Using the CLI.