AMP analyser

Hi.

Can I hold a message in quarantine before receiving the retrospective verdict?


14 Aug 2019 15:43:30 (GMT +03:00) Response received for file reputation query from Cloud. File Name = sample (40).bin.gz, MID = 41090, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = fe617b89b078bd39fa2a03745cd38a61722ae5f4fff9d08b6381711946277070, upload_action = Recommended to send the file for analysis
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 scanned by Advanced Malware Protection engine. Final verdict: UNKNOWN(File analysis pending)
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 contains attachment 'sample (40).bin.gz' (SHA256 fe617b89b078bd39fa2a03745cd38a61722ae5f4fff9d08b6381711946277070).
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 attachment 'sample (40).bin.gz' archive contents unpacked for processing.
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 attachment 'sample (40).bin.gz' scanned by Advanced Malware Protection engine. File Disposition: Unknown
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 attachment 'data' scanned by Advanced Malware Protection engine. File Disposition: Unknown
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 scanned by Outbreak Filters. Verdict: Negative
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 queued for delivery.
14 Aug 2019 15:54:25 (GMT +03:00) File analysis complete. MID = 41090, SHA256 = [b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c], File Name = data, Submit Timestamp = 1565786611, Update Timestamp = 1565787264, Disposition = 3, Score = 95, Analysis Id = 1b022a95de0f7fcbec33e72284813eea, Details = W32.B8E0C51984-95.SBX.TG
14 Aug 2019 18:03:54 (GMT +03:00) Retrospective verdict received. MID = 41090, SHA256 = b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c, Timestamp = 1565795034.54, Verdict = MALICIOUS, Spyname = W32.RetroDetected

Collaborator

Re: AMP analyser

Check the settings on your incoming mail policy/File Analysis, and make sure you're quarantining messages that have pending file analysis, and then set the quarantine to hold for whatever you deem necessary.

Cisco Employee

Re: AMP analyser

Hi Oleg Volkov,

For your requirement, you can do so by following the below steps:

Log in to the GUI and go to Mail Policies --> Incoming Mail Policy --> Advanced Malware Protection (click on the link below this column).

Go to "Messages with File Analysis Pending:" and for "Action Applied to Message:" change the option from "Deliver As Is" to "Quarantine".

Then submit and commit the changes.

Note: This might result in a delay in email delivery.

I hope it helps!

BR,
Pratham
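The log in the question shows the gap both replies address: MID 41090 was queued for delivery at 15:43:32 while the file verdict was still UNKNOWN, and the MALICIOUS retrospective verdict only arrived at 18:03:54. As an added example (not code from either poster or from Cisco), here is a small parser over those mail_logs lines that flags messages delivered while analysis was pending and measures the exposure window until the retrospective verdict; the log text is copied from the question and the event keywords are assumed to be stable.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the AMP lines for MID 41090 from the question above, which show
# the message queued for delivery while file analysis was still pending.
SAMPLE_LOG = """\
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 scanned by Advanced Malware Protection engine. Final verdict: UNKNOWN(File analysis pending)
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 queued for delivery.
14 Aug 2019 15:54:25 (GMT +03:00) File analysis complete. MID = 41090, SHA256 = [b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c], File Name = data, Disposition = 3, Score = 95
14 Aug 2019 18:03:54 (GMT +03:00) Retrospective verdict received. MID = 41090, SHA256 = b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c, Verdict = MALICIOUS, Spyname = W32.RetroDetected
"""

# "14 Aug 2019 15:43:32 (GMT +03:00) <rest of line>"
TS_RE = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \(GMT ([+-])(\d{2}):(\d{2})\) (.*)$")
# The MID appears either as "Message 41090 ..." or as "MID = 41090".
MID_RE = re.compile(r"(?:Message|MID =) (\d+)")

def parse_line(line):
    """Return (aware timestamp, mid, message text) or None for lines without an MID."""
    m = TS_RE.match(line)
    if not m:
        return None
    sign = 1 if m.group(2) == "+" else -1
    tz = timezone(sign * timedelta(hours=int(m.group(3)), minutes=int(m.group(4))))
    ts = datetime.strptime(m.group(1), "%d %b %Y %H:%M:%S").replace(tzinfo=tz)
    mid = MID_RE.search(m.group(5))
    return (ts, int(mid.group(1)), m.group(5)) if mid else None

def find_delivered_before_verdict(log_text):
    """Map MID -> delivery time and exposure window for messages that left the
    appliance with analysis pending and later received a MALICIOUS retrospective verdict."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mid, msg = parsed
        if "File analysis pending" in msg:
            events[mid]["pending"] = ts
        elif "queued for delivery" in msg:
            events[mid]["delivered"] = ts
        elif "Retrospective verdict received" in msg and "Verdict = MALICIOUS" in msg:
            events[mid]["malicious"] = ts
    findings = {}
    for mid, ev in events.items():
        if all(k in ev for k in ("pending", "delivered", "malicious")) and ev["delivered"] < ev["malicious"]:
            findings[mid] = {"delivered_at": ev["delivered"], "exposure": ev["malicious"] - ev["delivered"]}
    return findings

if __name__ == "__main__":
    for mid, f in find_delivered_before_verdict(SAMPLE_LOG).items():
        print(f"MID {mid}: delivered with analysis pending; MALICIOUS retrospective verdict {f['exposure']} later")
```

With "Messages with File Analysis Pending" set to Quarantine, the "queued for delivery" line would not appear until a verdict is known, and this check would report nothing for the message.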