Doubt with AMP dynamic analysis

Ariel0092
Level 1

Hi everyone, I have a doubt about the action of dynamic analysis on the FMC. I have read and heard some folks say that the files (for example a .exe) are never sent to the cloud, only a SHA-256 hash, and from my understanding this is what the Spero engine does. But with dynamic analysis the documentation states that a file with a disposition of unknown is submitted to Threat Grid, a.k.a. sandboxing, for analysis. So my question/doubt is: if a user downloads a .exe file with unknown disposition, does the Firepower send the entire file for sandboxing, or does it send a SHA-256?

I hope you can understand my question and clarify these concepts for me.

Thanks and best regards!

1 Accepted Solution

yogdhanu
Cisco Employee

Hi

Dynamic analysis or sandboxing for an unknown file does require the full file to be submitted, which is done on the FMC.

But for known files only a SHA query is done; Threat Grid would reply back with a threat score and the AMP cloud would let you know the disposition, like malicious, clean or unknown.

Hope it helps,

Yogesh
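To make the two paths in the answer above concrete, here is an added example that models them (this is illustrative code written for this page, not Cisco's FMC, AMP or Threat Grid code, and it uses no Cisco API). The AMP cloud disposition service is replaced by a constructed in-memory table keyed by SHA-256, the three sample "downloads" are constructed byte strings, and the Outcome fields, function names and action labels are assumptions made for the example. The point it shows is what actually leaves the network in each case: for a file whose hash is already known, only the 64-hex-character digest is sent; for an unknown disposition, the full file body has to go out for dynamic analysis.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample files standing in for downloads seen by the sensor.
CLEAN_SAMPLE = b"MZ\x90\x00" + b"known good installer (constructed)"
MALICIOUS_SAMPLE = b"MZ\x90\x00" + b"known bad dropper (constructed)"
NOVEL_SAMPLE = b"MZ\x90\x00" + b"never-before-seen binary (constructed)"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of a file's bytes as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the AMP cloud disposition service, keyed by
# SHA-256. Any digest not present here has a disposition of "unknown".
KNOWN_DISPOSITIONS = {
    sha256_hex(CLEAN_SAMPLE): "clean",
    sha256_hex(MALICIOUS_SAMPLE): "malicious",
}


@dataclass(frozen=True)
class Outcome:
    disposition: str      # clean, malicious or unknown
    sent_hash: str        # the SHA-256 digest that was sent to the cloud
    sent_file_bytes: int  # bytes of the actual file that left the network
    action: str           # "hash_lookup" or "dynamic_analysis" (assumed labels)


def lookup_disposition(digest: str) -> str:
    """Hash-only cloud query: nothing but the 64-hex-character digest is sent."""
    return KNOWN_DISPOSITIONS.get(digest, "unknown")


def process_download(data: bytes) -> Outcome:
    """Model the two paths described in the thread.

    1. Compute SHA-256 locally and query the cloud with the hash alone.
    2. If the disposition is already known (clean or malicious), stop: only
       the hash has left the network, never the file.
    3. If the disposition is unknown, the full file must be submitted for
       dynamic analysis (sandboxing), so the whole byte stream leaves.
    """
    digest = sha256_hex(data)
    disposition = lookup_disposition(digest)
    if disposition == "unknown":
        return Outcome(disposition, digest, len(data), "dynamic_analysis")
    return Outcome(disposition, digest, 0, "hash_lookup")


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE),
                         ("malicious", MALICIOUS_SAMPLE),
                         ("novel", NOVEL_SAMPLE)):
        o = process_download(sample)
        print(f"{name:9} disposition={o.disposition:9} action={o.action:16} "
              f"hash_chars={len(o.sent_hash)} file_bytes_sent={o.sent_file_bytes}")
```

Run it as a script and the third line shows the case the question is about: the novel file gets disposition "unknown", and sent_file_bytes equals the full size of the sample, whereas the two known files report zero file bytes sent and only the 64-character hash.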


Thank you so much, yogdhanu, for clarifying my doubt!!

Best regards!!
