What conditions will generate an alert for whitelisting on Content Analysis?
Whitelisting is a cloud-based service used by Content Analysis to improve the efficiency of threat analysis. If a user on your network requests a file, Content Analysis sends a hash of that file (containing the filename and the URL from which it was requested) to the Whitelisting service for comparison. If the file is in the Whitelist database, the service returns a trust score for that file. CAS doesn't have a whitelist database on the appliance, it reaches out to Blue Coat cloud sending the hash of the file to get the whitelist rating.
If the file has a whitelist trust score of 0 during uploading or downloading, Content Analysis blocks/drops the file and at the same time it will trigger the alert system. If the trust score is more than 0, but less than the threshold, it will be scanned by AV.