AMP analys *.bin file

Oleg Volkov · ‎07-31-2019

Hello.

How I can force AMP on ESA to upload *.bin file for analys?

Thanks

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

Robert Sherwin · ‎07-31-2019

.bin file types are not in our supported file type listing.

See the following for ALL file types currently allowed via Cisco Email Security:

File Criteria for Advanced Malware Protection and Threat Grid Services for Cisco Content Security Products

You can try to manually submit the .bin via Threat Grid if you have paid access w/ license.

Even there, I do not see a call out for .bin, currently:

Sample File Types Supported

NOTE: The list of sample file types that are supported by Threat Grid is updated frequently. If a specific file type is critically important to your organization, please verify its current status with Threat Grid Support .

.BAT - Batch -- Note that the file MUST have the .bat extension.

.BZ2 - bzip2 -- See: .ZIP

.CHM - Compiled HTML Help -- Microsoft Compiled HTML Help.

.DLL - See: PE32 and PE32+

.DOC, .DOCX - MSWord -- See: Office Documents

.EML - Email messages saved as files. -- Note that the file MUST have the .eml extension.

.EXE - See: PE32

.GZ - gzip -- See: .ZIP

.HTA - HTML Application -- Note that the file MUST have the .hta extension.

.HWP, .HWT, .HWPX - Available on the win7-x64-kr VM ONLY (specific to Hancom Office). Note: Available On Threat Grid Appliances with add-on license.

.ISO - ISO image files -- Note that the file MUST have the .iso extension.

.JAR - Java Archives

JAR is a very imprecise filetype. The original Threat Grid file acceptance system would take anything that met the bare requirements for a JAR file, but our new one, PREP2 (introduced in the 3.4.34 release) does not. For more information see the 3.4.34 entry in the Release Notes .

Instead, the new preparation process now checks further to see if the item actually meets the requirements of a child format for JAR (such as the Android APK files), which are JAR files, but will not run in the Threat Grid environment. Unfortunately, this means that what may look like a JAR file may actually be intended for the user's phone, not for Windows.

Therefore, we no longer accept APK files. Although they might look like JAR files, they just won't run in Threat Grid.

.JS - JavaScript -- Note that the file MUST have the .js extension.

.JSE - Encoded JavaScript -- Note that the file MUST have the .jse extension.

.JTD, .JTT, .JTDC, .JTTC -- Available on the win7-x64-jp VM ONLY (specific to Ichitaro). Note: Not Available On Threat Grid Appliances

.LNK - Windows shortcut files

.MSG -- See: Office Documents

.MSI - Microsoft Installer files

.MHTML - Mime HTML Files

Office Documents

Microsoft Office Documents, including .DOC, .DOCX, .MSG, .RTF, .XLS, .XLSX, .PPT, .PPTX (static forensics)

Password-protected Microsoft Office documents can be opened if the sample password is provided during submission.

.PDF - Portable Document Format (detailed static forensics, including Javascript resources)

Please note changes to PDF handling in the 3.4.34 entry in the Release Notes .

.PE32 Files - (detailed static forensics)

Executables (.EXE)
Libraries (.DLL)

.PE32+ fIles -- Supported on all current VMs

Executable (.EXE)
Libraries (.DLL)

.PS1 - Powershell -- Note that the file MUST have the .ps1 extension.

.SEP - Symantec Quarantine File.

.SLK - Microsoft Symbolic Link (SYLK) -- Note that the file MUST have the .slk extension.

.SWF - Flash Files

.TAR - tar -- See: .ZIP

URLs (As Internet Shortcut file, or submit the URL directly. Detailed static forensics or Javascript resources.)

.VBE - Encoded Visual Basic -- Note that the file MUST have the .vbe extension.

.VBN - Symantec Quarantine File.

.VBS - Visual Basic Script -- Note that the file MUST have the .vbs extension.

.WSF - Windows Script File -- Note that the file MUST have the .wsf extension.

.XML

XML Based Office Document Types (.DOCX, .XLSX, .PPTX)
XML - Extensible Markup Language (.XML)
- XML that is from Office will be opened in the corresponding program (Office 2003)
- All other XML will be opened in IE
XML Document/Spreadsheet
2003 XML Document

.XPS - XML Paper Specification -- Note that the file MUST have the .xps extension.

.XZ - xz -- See: .ZIP

.ZIP -- Archive and Quarantine Formats

ZIP (.ZIP) as a container, no password, 'password', or 'infected'. We support ZIP archive nesting down to five levels. (See ZIP archive size limitations below.) We support submission passwords for ZIP archives that are encrypted with Advanced Encryption Standard (AES).
Quarantine (.SEP, .VBN)
xz (.XZ), gzip (.GZ), bzip2 (.BZ2), tar (.TAR) -- Note that the file MUST have the appropriate extension.

Sample File Types Not Supported

Other file types will be rejected by the malware sandbox upon submission, and flagged with "Filetype not supported" in the Threat Grid portal interface and the API. Note this list is not exhaustive.

.7z (.7zip) is not supported.
.APK is not supported.
.DOS executables are not supported. MS-DOS/COM is the executable format that was used by MS-DOS. It is the format for 16-bit applications. Windows supported these into Windows7, but they only work on 32-bit systems. Threat Grid discontinued our last 32-bit system in July 2017, so these files will no longer run in our system. Our file acceptance process (Prep2) does not recognize these files. They may be submitted to our system if they carry the ".exe" extension, but THEY WILL NOT RUN. The file will be checked against third-party AV services, but we discourage using quota in this way. However, these files often carry the extension ".exe", so customers become confused when their sample is not accepted. Libmagic lists these files as MS-DOS executable, MZ for MS-DOS. In short, Threat Grid does not support 16-bit executable files (MS-DOS executables), nor are there plans to support them in the future.
.RAR is not supported.
.TXT is NOT supported.
Email Headers. Threat Grid does not analyze email headers. We do look at the body and essentially treat it as a network artifact, so there are some checks run on it. For example if a file is emailed.

Sample File Size Limitations

Maximum file size: 100MB.
Files should not be empty.
ZIP archives may contain a maximum of 255 files. Archives with more than 255 files will return no analysis, and will display an error stating that too many files were found.
The maximum file size for each file within a Zip archive is 100MB (unzipped).
ZIP archive size cannot be greater than 600MB when unzipped.

Sample Filename Rules

Maximum sample filename size: 240 characters. Sample filenames should not exceed 200 Unicode characters in length. Longer names will be changed to allow execution on the system.
If the filename AT ANY TIME is over the maximum of 240 characters, (including the full path and file extension), the old filename is completely wiped out and replaced with the SHA256.
If the original extension is known, we use that; otherwise we generate that as well. (Note that this is enforced for the filename itself; it does not include the rest of the path.)
If the file extension is greater than 10 characters AND the type is known, we append the extension.
If the filename contains any illegal characters, the name is replaced. For example: \ / : * ? " < > |
If the filename is replaced, we issue a warning.

You can always open a TAC case and request an ENH to be opened.

Cheers,
Robert Sherwin