https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3763930#M1037722 <P>SHA value goes to SPERO, ETHOS engine</P><P>&nbsp;</P><P>&nbsp;</P><P>Spero Analysis for MSEXE</P><P>Dynamic Analysis: This option sends files that match the rule to the "sandbox" for further analysis. This produces a file&nbsp; threat score and a file report (usually within 20 minutes).</P><P>&nbsp;Reset Connection</P><P>Store Files (By Disposition) Malware, Unknown, Clean, or Custom</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN class="Emph">Malware Cloud Lookup:</SPAN> Allows you to log the malware disposition of files that are traversing your network based on a cloud lookup, while still allowing their transmission</P><P><SPAN class="Emph">Block Malware:</SPAN> Allows you to calculate the <SPAN class="tooltip-position"><SPAN class="tooltip">SHA-256</SPAN></SPAN> hash value of specific file types, then use a cloud lookup process to first determine if files that are traversing your network contain malware, and then block files that represent threats</P> Fri, 14 Dec 2018 18:12:19 GMT Sheraz.Salim 2018-12-14T18:12:19Z https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3763864#M1037701 <P>Hi All,</P><P>&nbsp;</P><P>Can anyone please confirm if Dynamic Analysis with either Block Malware or Malware Cloud Lookup sends the full file to the AMP cloud or only the SHA value? If it sends the full file, does the AMP cloud delete the file after analysis? Are there generally any concerns with sending full file to AMP for analysis? I have a customer that has queried this and is concerned about sensitive files from being sent&nbsp;out of the network</P><P>&nbsp;</P><P>Thank you</P> Tue, 12 Mar 2019 14:10:35 GMT https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3763864#M1037701 dm2020 2019-03-12T14:10:35Z https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3763930#M1037722 <P>SHA value goes to SPERO, ETHOS engine</P><P>&nbsp;</P><P>&nbsp;</P><P>Spero Analysis for MSEXE</P><P>Dynamic Analysis: This option sends files that match the rule to the "sandbox" for further analysis. This produces a file&nbsp; threat score and a file report (usually within 20 minutes).</P><P>&nbsp;Reset Connection</P><P>Store Files (By Disposition) Malware, Unknown, Clean, or Custom</P><P>&nbsp;</P><P>&nbsp;</P><P><SPAN class="Emph">Malware Cloud Lookup:</SPAN> Allows you to log the malware disposition of files that are traversing your network based on a cloud lookup, while still allowing their transmission</P><P><SPAN class="Emph">Block Malware:</SPAN> Allows you to calculate the <SPAN class="tooltip-position"><SPAN class="tooltip">SHA-256</SPAN></SPAN> hash value of specific file types, then use a cloud lookup process to first determine if files that are traversing your network contain malware, and then block files that represent threats</P> Fri, 14 Dec 2018 18:12:19 GMT https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3763930#M1037722 Sheraz.Salim 2018-12-14T18:12:19Z https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3763978#M1037741 <P>Hi&nbsp;</P><P>&nbsp;</P><P>Thanks for the response. What happens if the file/SHA value is unknown, is the complete file then sent to the sand box for further analysis?</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 14 Dec 2018 18:19:58 GMT https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3763978#M1037741 dm2020 2018-12-14T18:19:58Z https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3764001#M1037753 <P>see the attachment.</P><P>&nbsp;</P><P>after reading the document it seem it send whole file for sand boxing.</P> Fri, 14 Dec 2018 18:36:49 GMT https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3764001#M1037753 Sheraz.Salim 2018-12-14T18:36:49Z https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3764546#M1037767 <P>For customers with a high degree of sensitivity you can run AMP Private Cloud and ThreatGrid all on-premises. In that scenario no customer file ever leaves the environment.</P> Sun, 16 Dec 2018 13:28:16 GMT https://community.cisco.com/t5/network-security/firepower-file-dynamic-analysis/m-p/3764546#M1037767 Marvin Rhoads 2018-12-16T13:28:16Z