Hi Michael,

The short answer is - yes, AMP blocks only high confidence malicious files.

The longer answer:

with AMP for Endpoints file blocking mode (other is Audit mode where AMP detects but doesn't block, mostly used during PoVs), files that are marked 'malicious' (file disposition) in the AMP Cloud are going to be blocked. Numerous sophisticated technologies (so-called "engines" that leverage machine learning to identify malware, generic fingerprinting, Advanced File Analysis [Threat Grid], etc), as well as the human factor/Talos, contribute to this Collective intelligence. The product also has an offline AV engine, that can be enabled through a policy to block high confidence known malicious files based on signature matches.

Recent third-party test results that confirm that: https://blogs.cisco.com/security/nss-labs-awards-recommended-rating-to-cisco-endpoint-security

Please keep in mind, that while AMP for Endpoints offers robust file blocking capabilities, it does way more than just that (Exploit Prevention, System Process Protection, Malicious Activity Protection, Generic [Cloud] IOCs, integration with Cognitive Threat Analytics, etc). I'd suggest to review the "AMP for Endpoints - Protection Lattice" section in this paper: AMP for Endpoints - Exploit Prevention