We have an on-premise Sandblast. 'Tecli s s' shows that 'scanned files' and 'scanned files remotely' is the same, 6215. However, when I run the same command on the Sandblast it shows a different number, 172. Shouldn't those two be the same - 6215 on both? From what I can read the Threat Extraction is being done on the firewall, while the Threat Emulation is being done on the sandblast-appliance.
[Expert@FIREWALL:0]# tecli s s
Last day Last week Last 30 days
General Information:
--------------------
Scanned files: 6215 62727 267261
Malicious files: 0 0 5
Files filtered by static analysis: 179(2%) 1830(2%) 7647(2%)
Files error count: 5 523 1994
Files filtered by local cache: 241(3%) 1511(2%) 7844(2%)
Files no resource count: 0 0 0
Malicious files detected by HPS: 0 0 0
Files error count in HPS: 0 0 0
Average sample process time: 23 sec. 36 sec. 36 sec.
Average sample size: 201574 bytes 181638 bytes 179110 bytes
Files destined for Local Emulation:
-----------------------------------
Scanned files locally: 0 0 0
Malicious files locally: 0 0 0
Average process time for emulated files: 22 sec. 27 sec. 31 sec.
Average virtual machine usage: 0 0 0
Average queue size: 0 0 0
Peak queue size: 0 0 0
Files destined for Cloud Emulation:
-----------------------------------
Scanned files on cloud: 0 0 0
Resend files on cloud: 0 0 0
Malicious files on Cloud: 0 0 0
Files filtered by cloud cache: 0 0 0
Emulated files on cloud: 0 0 0
Average cloud emulation time: 0 sec. 0 sec. 0 sec.
Average process time for uploaded files: 0 sec. 0 sec. 0 sec.
Average cloud process time: 0 sec. 0 sec. 0 sec.
Files destined for Remote Emulation:
------------------------------------
Scanned files remotely: 6215 62727 267261
Resend files remotely: 0 147 542
Malicious files remotely: 0 0 5
Files filtered by remote cache: 0 0 0
Average remote process time: 22 sec. 26 sec. 36 sec.
[Expert@SANDBLAST:0]# tecli s s
Last day Last week Last 30 days
General Information:
--------------------
Scanned files: 172 1843 8126
Malicious files: 0 0 4
Files filtered by static analysis: 0 63(3%) 253(3%)
Files error count: 0 3 13
Files filtered by local cache: 0 4(0%) 9(0%)
Files no resource count: 0 0 0
Malicious files detected by HPS: 0 0 0
Files error count in HPS: 0 3 13
Average sample process time: 71 sec. 97 sec. 109 sec.
Average sample size: 352711 bytes 543837 bytes 501098 bytes
Files destined for Local Emulation:
-----------------------------------
Scanned files locally: 172 1843 8126
Malicious files locally: 0 0 4
Average process time for emulated files: 71 sec. 100 sec. 111 sec.
Average virtual machine usage: 0 0 0
Average queue size: 0 0 0
Peak queue size: 21 67 46
Files destined for Cloud Emulation:
-----------------------------------
Scanned files on cloud: 0 0 0
Resend files on cloud: 0 0 0
Malicious files on Cloud: 0 0 0
Files filtered by cloud cache: 0 0 0
Emulated files on cloud: 0 0 0
Average cloud emulation time: 0 sec. 0 sec. 0 sec.
Average process time for uploaded files: 0 sec. 0 sec. 0 sec.
Average cloud process time: 0 sec. 0 sec. 0 sec.
Files destined for Remote Emulation:
------------------------------------
Scanned files remotely: 0 0 0
Resend files remotely: 0 0 0
Malicious files remotely: 0 0 0
Files filtered by remote cache: 0 0 0
Average remote process time: 0 sec. 0 sec. 0 sec.
We recently changed our 'max file size for emulation limit' from 15 MBto 50 MB (see encl), so I need to keep a Close eye on the Queues for now. Do I need to do any changes in DBedit as well to enable this new 50 MB limit?
