The riskware policy settings page allows you to configure the riskware protection feature on the appliance. Riskware protection identifies files that are similar to malware but not intended to be malicious such as potentially unwanted programs or ‘PUPs’, potentially unwanted applications or ‘PUAs’ or adware. These files can affect threat detection because they have similar behaviors to malware. For example they may install an unwanted program or modify system settings. As you can see riskware is enabled on this appliance. This is the default setting. Riskware policy rules are written by FireEye. These rules identify objects by suspicious file types and mark them as riskware.
The appliance receives a list of updated riskware policy rules when the system checks for new security content from the DTI cloud. Analysis is performed against all matched rules. The alert only check box for policy rules is unchecked by default. If you were to check or enable ‘alert-only’ for a particular rule then the appliance will only generate an alert when the traffic matches the rule. It will be marked as custom riskware on a non malicious submission and that means that no further analysis is performed. You can view the analysis results on the riskware page and the web UI going into alerts > Riskware.