ekrishnan
Staff
November 11, 2024

Technical Tip: Understanding Application Control log Trigger

Description
This article describes the log entry that indicates whether application control detection has been triggered or not.
Scope
FortiGate.
Solution

Sample log entry (truncated to highlight the important fields):

time=2016-02-02 10:43:43 .... app=HTTP utmaction=block ...dstip=12.32.15.16 duration=5 ... logid=13 ....dstport=80 type=traffic ... catdesc=Information Technology...appcat=Not.Scanned ... action=close ...hostname=dnl-09.geo.kaspersky.com

If the application control profile is not enabled on the firewall policy, the forward traffic log entry will show:

appcat="unscanned"

  • According to the log, this entry should have been created by 'service' and not by application control.
    If a log is created by the application control feature, it will contain the 'applist' field in the forward traffic log.
    Since this log was not created by the application control feature, the application category shows appcat="unscanned".

See the following log entry with applist. This indicates that the application control profile Test-APP has been triggered.

date=2024-10-28 time=00:50:30 id=7430483405680148485 itime="2024-10-27 15:50:34" euid=1026 epid=104 dsteuid=3 dstepid=2573  appid=15895 appact="detected" apprisk="elevated" policytype="policy" eventtime=1730044230856110988 countapp=1 countssl=1 poluuid="2404e3fe-3008-51ed-53f6-8624143d11c8" srccountry="Reserved" dstcountry="Reserved" srcintf="ssl.root" dstintf="port8" applist="Test-APP" 

  • In conclusion, the unscanned category is expected and is not an entry from the application control feature; it is an entry related to Service.

Here, 'Service' refers to the services (smtp, https, http, etc.) used in the firewall policies.
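To apply the rule above (an 'applist' field means application control fired; appcat unscanned means a service-only entry) across many entries, here is an added Python example that is not part of the article or of any Fortinet tool: it parses FortiGate key=value log lines and classifies each one. Treating Not.Scanned and unscanned as the same value is an assumption based on the two spellings shown above; the first two sample lines are trimmed copies of the article's entries and the third is constructed.

```python
import re

# Matches key=value pairs; a quoted value may contain spaces (e.g. itime="2024-10-27 15:50:34").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Both spellings appear in the article's samples; treated as equivalent here (assumption).
UNSCANNED = {"unscanned", "not.scanned"}


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def classify(entry: dict) -> str:
    """Decide which feature produced the entry, using the rule from the article:
    'applist' present -> application control profile fired (value is the profile name)
    appcat unscanned  -> plain service/policy traffic log, app control not applied
    anything else     -> cannot be decided from these fields alone
    """
    if "applist" in entry:
        return "app-control:" + entry["applist"]
    if entry.get("appcat", "").lower() in UNSCANNED:
        return "service-only"
    return "undetermined"


def triage(lines):
    """Return one (classification, policy uuid or '-', appact or '-') tuple per line."""
    rows = []
    for line in lines:
        entry = parse_fortigate_log(line)
        rows.append((classify(entry), entry.get("poluuid", "-"), entry.get("appact", "-")))
    return rows


# Sample input: lines 1 and 2 are trimmed from the article's entries, line 3 is constructed.
SAMPLE_LOGS = [
    'time=2016-02-02 10:43:43 app=HTTP utmaction=block dstip=12.32.15.16 logid=13 '
    'type=traffic appcat=Not.Scanned action=close hostname=dnl-09.geo.kaspersky.com',
    'date=2024-10-28 time=00:50:30 appid=15895 appact="detected" apprisk="elevated" '
    'policytype="policy" poluuid="2404e3fe-3008-51ed-53f6-8624143d11c8" '
    'srcintf="ssl.root" dstintf="port8" applist="Test-APP"',
    'date=2024-10-28 time=00:51:00 type=traffic policytype="policy" appcat="unscanned"',
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(row)
```

A policy that is expected to apply an application control profile but keeps producing "service-only" rows is the case the article describes: the profile is not attached to that firewall policy.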

Related article:

Technical Tip: Display application control signature logs from CLI