https://community.cisco.com/t5/network-security/what-happens-to-the-file-while-dynamic-analyis-is-being/m-p/4523689#M1086038 <P>Thank you for your reply. I was thinking the same, but could not confirm as no Cisco document clearly says this.</P><P>Appreciate it.</P> Sat, 25 Dec 2021 05:22:31 GMT muthumohan 2021-12-25T05:22:31Z https://community.cisco.com/t5/network-security/what-happens-to-the-file-while-dynamic-analyis-is-being/m-p/4514679#M1085590 <P>In FTD, while the file is being analyzed in the sandbox by ThreatGrid, when happens to file in transit?</P><P>Please let me know if this is correct:</P><P>If the file policy rule action is "Malware Cloud Lookup", I believe the file is sent to the end user and a malware event will be generated once the threat-score comes from TG and the file is determined to be a malware.</P><P>&nbsp;</P><P>My real question is, if the file policy rule action is "Malware Block", what does the end user see, while the file is being analyzed by Threatgrid? Does he get 99% of the file and wait for the last 1% till TG sends back the threat-score?</P><P>I believe TG can take more than 15 minutes to complete the analysis. Does this mean the client will have to hold the TCP connection, say FTP, open till the threat-score comes back from TG? What is the deal here?</P><P>Thanks and appreciate any help. No where in Cisco documentation explain this part.</P><P>Thanks</P> Tue, 07 Dec 2021 17:16:44 GMT https://community.cisco.com/t5/network-security/what-happens-to-the-file-while-dynamic-analyis-is-being/m-p/4514679#M1085590 muthumohan 2021-12-07T17:16:44Z https://community.cisco.com/t5/network-security/what-happens-to-the-file-while-dynamic-analyis-is-being/m-p/4516138#M1085671 <P>Block Malware will only occur if the file disposition of the SHA256 (From local cache or AMP) is malicious. If the file is unknown then it will be send to ThreatGrid for analysis. While the analysis is taking place, the file is allowed through the firewall and is not held "hostage" If analysis determines that the unknown file is malicious, then a retrospective event will be triggered for this file.&nbsp;</P> <P>I hope this helps!</P> <P><EM>Thank you for rating helpful posts!</EM></P> Thu, 09 Dec 2021 16:58:10 GMT https://community.cisco.com/t5/network-security/what-happens-to-the-file-while-dynamic-analyis-is-being/m-p/4516138#M1085671 nspasov 2021-12-09T16:58:10Z https://community.cisco.com/t5/network-security/what-happens-to-the-file-while-dynamic-analyis-is-being/m-p/4523689#M1086038 <P>Thank you for your reply. I was thinking the same, but could not confirm as no Cisco document clearly says this.</P><P>Appreciate it.</P> Sat, 25 Dec 2021 05:22:31 GMT https://community.cisco.com/t5/network-security/what-happens-to-the-file-while-dynamic-analyis-is-being/m-p/4523689#M1086038 muthumohan 2021-12-25T05:22:31Z https://community.cisco.com/t5/network-security/what-happens-to-the-file-while-dynamic-analyis-is-being/m-p/4526542#M1086173 <P>My pleasure! I have submitted an enhancement with the documentation team to update our documentation. Now, if you your question has been answered, please mark the thread as resolved <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> Tue, 04 Jan 2022 19:44:22 GMT https://community.cisco.com/t5/network-security/what-happens-to-the-file-while-dynamic-analyis-is-being/m-p/4526542#M1086173 nspasov 2022-01-04T19:44:22Z