https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737186#M7210 <P>Thank you so much&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/547768">@Troja007</a>&nbsp;</P> Mon, 12 Dec 2022 15:38:21 GMT tobbyf 2022-12-12T15:38:21Z https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737056#M7205 <P>Hi everyone,</P><P>Cisco AMP found different malicious files, I saw 2 different dispositions on Cisco AMP:</P><P>Disposition: Malicious</P><P>Disposition: Blocklisted</P><P>Both files quarantined but can someone explain what is the difference between blocklisted and malicious disposition ?</P><P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 12 Dec 2022 12:51:48 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737056#M7205 tobbyf 2022-12-12T12:51:48Z https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737068#M7206 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1443025">@tobbyf</a>&nbsp;,<BR />I assume someone added the SHA256 to an Application Blocklist?</P> <UL> <LI>Disposition Malicous: comes from a Cisco Source. You can review the Device Trajectory for Details which engine finally detected or if it was a cloud detection.</LI> <LI>Blocklisted: Indicates that the File has been added to a blocklist.</LI> </UL> <P>Greetings, Thorsten</P> Mon, 12 Dec 2022 13:15:44 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737068#M7206 Troja007 2022-12-12T13:15:44Z https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737073#M7207 <P>Yes, thank you very much. Also I have one more question.</P><P><EM>"For malware detected in network traffic, dispositions can change. For example, the AMP cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse—that a malware-identified file is actually clean."</EM></P><P>I can only see current disposition of the file on SIEM. If a file's disposition is clean now, should I consider it has no risk or it is still risky because maybe it has been "malware" in the past?</P> Mon, 12 Dec 2022 13:27:10 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737073#M7207 tobbyf 2022-12-12T13:27:10Z https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737110#M7208 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1443025">@tobbyf</a>&nbsp;,<BR />when reviewing detection information using the SecureX Pivot Menu, the Ribbon or Threat Response, you always see the dates when a disposition was set and, if applicable, how long this disposition will be active.<BR />Your question cannot be answered in a single statement. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <UL> <LI>If a file is malicious, it will always be malicious.</LI> <LI>If there is an IP shown malicious, this IP might not be malicious in the future.</LI> <LI>The Cisco Security Architecture is generating relations between artifacts, observables and behaviour. This is something we outline we this decision has been made.&nbsp;</LI> <LI>So finally different Cisco Intelligences might have different information about an observable.</LI> </UL> <P>Greetings, Thorsten</P> Mon, 12 Dec 2022 14:07:04 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737110#M7208 Troja007 2022-12-12T14:07:04Z https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737186#M7210 <P>Thank you so much&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/547768">@Troja007</a>&nbsp;</P> Mon, 12 Dec 2022 15:38:21 GMT https://community.cisco.com/t5/endpoint-security/cisco-amp-disposition/m-p/4737186#M7210 tobbyf 2022-12-12T15:38:21Z