https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3232034#M4800 <P>Hi, thanks for the response, but i didnt get it, why disposition changes to unknown at 19:27 when it was already declared malware before?</P> Thu, 14 Dec 2017 04:25:16 GMT syed.mohsin 2017-12-14T04:25:16Z https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3227780#M4739 <P>&nbsp;</P> <P>Hi, We have deployed ASA since last few months, everything is working fine, but we have observe that sometimes if a file is declared Malware disposition from Cisco Cloud, it randomly changes to 'unknown' and that malicious file passed on to internal network with action Malware cloud lookup. Due to this abnormal behavior we are receiving multiple malicious file passing from ASA. Snapshot is attached.</P> <P>FMC Version:6.2.1 (build 342)</P> <P>ASA Version 9.5</P> <P>Why Malware disposition changes randomly to Unknown? Is this normal behavior?</P> <P>Thanks.</P> Sat, 09 Mar 2019 01:45:29 GMT https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3227780#M4739 syed.mohsin 2019-03-09T01:45:29Z https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3231438#M4771 <P>Hi Syed,</P> <P>&nbsp;</P> <P>to answer your question, we will need the SHA-256 of that file</P> <P>&nbsp;</P> <P>David</P> Wed, 13 Dec 2017 10:07:22 GMT https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3231438#M4771 David Janulik 2017-12-13T10:07:22Z https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3231446#M4781 <P>Hi</P> <P>Check this hash:</P> <P>SHA 256: a1b9d6fa618ce38eb3554d76868f7259a61be8cd11d4a8a5c9e91eb29ba23a67</P> <P>&nbsp;</P> <P>Attached is the snapshot:</P> <P>&nbsp;</P> Wed, 13 Dec 2017 10:27:41 GMT https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3231446#M4781 syed.mohsin 2017-12-13T10:27:41Z https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3231560#M4791 <P>This file has been submitted to Threatgrid 12/13/2017 2:12:31 pm. The disposition is done by Synthetic Event Engine that convicts binaries based upon actions of several Indicator of Compromise in a SANDBOX. For further reference over this sample with disposition malicious, see</P> <P><A href="https://www.talosintelligence.com/amp-naming/" target="_blank">https://www.talosintelligence.com/amp-naming/</A></P> <P>SBX.VIOC- detection engine - Syntetic events</P> <P>&nbsp;</P> <P>or</P> <P>&nbsp;</P> <P>if you have access to the threatgrid account hereby the link, which contains the video+report of the IOC actions.</P> <P><A href="https://panacea.threatgrid.com/mask/#/submission/e5f4ab6d542cb7a2ae9d24349f6296f9" target="_blank">https://panacea.threatgrid.com/mask/#/submission/e5f4ab6d542cb7a2ae9d24349f6296f9</A></P> <P>Let me know if you need further info to this</P> Wed, 13 Dec 2017 13:19:07 GMT https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3231560#M4791 David Janulik 2017-12-13T13:19:07Z https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3232034#M4800 <P>Hi, thanks for the response, but i didnt get it, why disposition changes to unknown at 19:27 when it was already declared malware before?</P> Thu, 14 Dec 2017 04:25:16 GMT https://community.cisco.com/t5/endpoint-security/malware-disposition-changes-to-unknown-randomly/m-p/3232034#M4800 syed.mohsin 2017-12-14T04:25:16Z