topic thanks, was confused as I in Endpoint Security

File policy rule question

evan.chadwick1 — Fri, 21 Feb 2020 05:01:24 GMT

when you choose to 'block malware', what does the product do for files that can't

1/ be acted on for local analysis

2/ be sent to the cloud for dynamic/spero anlysis

Ie every other file other than 9 highlighed in the above categories

Hello Evan,

Jetsy Mathew — Tue, 19 Jul 2016 05:35:10 GMT

Hello Evan,

Please refer the following two links for the best understanding of file dispositions.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AMP-Config.html

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AMP-Config.html

Feel free to let me know if you have any questions.

Rate if post helps you

Regards

Jetsy

Hi, thanks for posting the

evan.chadwick1 — Mon, 25 Jul 2016 00:10:22 GMT

Hi, thanks for posting the links, its a good reminder to have a re read.
Perhaps if you could define what Cisco refers to as 'dynamic' it would be helpful.

When creating a File Rule Cisco prepopulates a 'dynamic' list of 4 files.

These contain MSEXE, MSOLE2, NEW_OFFICE and PDF. So if these are the only files that can be dynamic it leads me to think I don't understand what Cisco means as dynamic.

When I read this:

Note that you must configure a rule in the file policy with either a Malware Cloud Lookup or Block Malware action and a matching file type to calculate a file’s SHA value.

Is the calculation of a SHA value not dynamic?

Hello Evan,

Jetsy Mathew — Tue, 26 Jul 2016 14:13:29 GMT

Hello Evan,

If you configure a rule in the file policy with either a Malware Cloud Lookup or Block Malware action and a matching file type to calculate a file’s SHA value.It will query to check the sha value.

Rate if the post helps you

Regards

Jetsy

Hello Evan,

kwalcott — Tue, 26 Jul 2016 23:35:44 GMT

Hello Evan,

I think you are referring to the list of files populated when you select "Dynamic Analysis Capable" as the file type in a File policy rule.

These files types: MSEXE, MSOLE2, NEW_OFFICE and PDF are the file types that can be successfully submitted to the cloud for Dynamic Analysis.

These file types can be submitted to the AMP Threat Grid cloud or an on-premises AMP Threat Grid appliance for dynamic analysis.

The Threat Grid cloud runs the sample through a sandbox environment and evaluates behavioral indicators to determine the Threat Score of a sample. A high enough Threat Score will result in the sample's SHA-256 hash returning a Malicious disposition.

The Threat Score and Analysis Report of the sandbox run is available after successful submission and analysis.

Let me know if i have understood the question and if this is the answer that you were looking for.

thanks, was confused as I

evan.chadwick1 — Wed, 27 Jul 2016 02:20:17 GMT

thanks, was confused as I feel that sending SHA's, which is separate to threat grid, is also a dynamic action.

from what I understand about file being sent, there should not be double ups being sent. Is it normal when a file is labelled as unknown for it to be constantly resent 100's of times?

For example a semantic secars.dll file.

Hello Evan,

Abha Jha — Thu, 06 Apr 2017 14:15:52 GMT

Hello Evan,

Static and dynamic malware analysis:
A highly secure sandboxing environment helps you run, analyze, and test malware in order to discover previously unknown zero-day threats. Integration of Threat Grid’s sandboxing and static and dynamic malware analysis technology into AMP solutions results in a more comprehensive analysis checked against a larger set of behavioral indicator.