topic Re: Doubt with AMP dynamic analysis in Endpoint Security

Doubt with AMP dynamic analysis

Ariel0092 — Fri, 21 Feb 2020 05:07:02 GMT

HI everyone i have a doubt with the action of dynamic analysis on the FMC, i have read and hear some folks who says that the files(for example a .exe) are never send to the cloud, only a hash sha256, and from my undertstanding this is what the spero engine does, but with the dynamic analysis the documentation stays that the file with a disposition of unknown is submitted to threat grid a.k.a. sandboxing for analysis, so my question/doubt is if a user downloads a file .exe with unknown disposition does the firepower send the entire file for sandboxing or sends a sha256?

Hope you can understand my question and clarify me this concepts .

Thanks and Best regards!

Re: Doubt with AMP dynamic analysis

yogdhanu — Mon, 26 Nov 2018 11:51:55 GMT

Dynamic analysis or sandboxing for unknown file does require full file to be submitted which is done on FMC.

But for known files only SHA query is done and Threatgrid would reply back with threat score and AMP cloud would let know the disposition like malicious, clean or unknown.

Hope it helps,

Yogesh

Re: Doubt with AMP dynamic analysis

Ariel0092 — Mon, 26 Nov 2018 14:52:18 GMT

Thank you so much yogdhanu for clarify my doubt!!

Best regards!!