AMP analyser

Oleg Volkov
Spotlight

Hi.

Can I hold a message in quarantine before receiving the retrospective verdict?


14 Aug 2019 15:43:30 (GMT +03:00) Response received for file reputation query from Cloud. File Name = sample (40).bin.gz, MID = 41090, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = fe617b89b078bd39fa2a03745cd38a61722ae5f4fff9d08b6381711946277070, upload_action = Recommended to send the file for analysis
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 scanned by Advanced Malware Protection engine. Final verdict: UNKNOWN(File analysis pending)
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 contains attachment 'sample (40).bin.gz' (SHA256 fe617b89b078bd39fa2a03745cd38a61722ae5f4fff9d08b6381711946277070).
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 attachment 'sample (40).bin.gz' archive contents unpacked for processing.
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 attachment 'sample (40).bin.gz' scanned by Advanced Malware Protection engine. File Disposition: Unknown
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 attachment 'data' scanned by Advanced Malware Protection engine. File Disposition: Unknown
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 scanned by Outbreak Filters. Verdict: Negative
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 queued for delivery.
14 Aug 2019 15:54:25 (GMT +03:00) File analysis complete. MID = 41090, SHA256 = [b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c], File Name = data, Submit Timestamp = 1565786611, Update Timestamp = 1565787264, Disposition = 3, Score = 95, Analysis Id = 1b022a95de0f7fcbec33e72284813eea, Details = W32.B8E0C51984-95.SBX.TG
14 Aug 2019 18:03:54 (GMT +03:00) Retrospective verdict received. MID = 41090, SHA256 = b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c, Timestamp = 1565795034.54, Verdict = MALICIOUS, Spyname = W32.RetroDetected

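The log excerpt above shows the exposure problem behind the question: MID 41090 was queued for delivery at 15:43:32 with the file verdict still UNKNOWN (analysis pending), the sandbox returned a score of 95 at 15:54:25, and the MALICIOUS retrospective verdict only arrived at 18:03:54. The following script is an added example, not code from the original post or from Cisco: it correlates AMP log lines per MID and reports every message that was delivered while analysis was pending and later received a MALICIOUS retrospective verdict, together with how long the recipient was exposed before the verdict. The regular expressions are written against the line formats visible in the question and are an assumption, not a documented ESA log grammar; the sample input reuses the question's own lines and adds one constructed clean message (MID 41091) to show the non-alerting path.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Sample input: the first, second, third, sixth and seventh lines are the
# excerpt from the question; MID 41091 is a CONSTRUCTED clean message added to
# show a delivery that must not be reported.
SAMPLE_LOG = """\
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 scanned by Advanced Malware Protection engine. Final verdict: UNKNOWN(File analysis pending)
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 contains attachment 'sample (40).bin.gz' (SHA256 fe617b89b078bd39fa2a03745cd38a61722ae5f4fff9d08b6381711946277070).
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 queued for delivery.
14 Aug 2019 15:50:01 (GMT +03:00) Message 41091 scanned by Advanced Malware Protection engine. Final verdict: CLEAN
14 Aug 2019 15:50:01 (GMT +03:00) Message 41091 queued for delivery.
14 Aug 2019 15:54:25 (GMT +03:00) File analysis complete. MID = 41090, SHA256 = [b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c], File Name = data, Submit Timestamp = 1565786611, Update Timestamp = 1565787264, Disposition = 3, Score = 95, Analysis Id = 1b022a95de0f7fcbec33e72284813eea, Details = W32.B8E0C51984-95.SBX.TG
14 Aug 2019 18:03:54 (GMT +03:00) Retrospective verdict received. MID = 41090, SHA256 = b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c, Timestamp = 1565795034.54, Verdict = MALICIOUS, Spyname = W32.RetroDetected
"""

# Assumed line shapes, derived from the lines above (not from Cisco documentation).
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) "
    r"\(GMT (?P<sign>[+-])(?P<hh>\d{2}):(?P<mm>\d{2})\) (?P<msg>.*)$"
)
VERDICT_RE = re.compile(
    r"^Message (?P<mid>\d+) scanned by Advanced Malware Protection engine\. "
    r"Final verdict: (?P<verdict>.*)$"
)
QUEUED_RE = re.compile(r"^Message (?P<mid>\d+) queued for delivery\.$")
ANALYSIS_RE = re.compile(r"^File analysis complete\. MID = (?P<mid>\d+), .*Score = (?P<score>\d+)")
RETRO_RE = re.compile(
    r"^Retrospective verdict received\. MID = (?P<mid>\d+), .*"
    r"Verdict = (?P<verdict>\w+), Spyname = (?P<spyname>\S+)$"
)


@dataclass
class MessageState:
    """Everything the log tells us about one message ID."""
    mid: str
    pending_at_scan: bool = False          # verdict was UNKNOWN(File analysis pending)
    delivered_at: Optional[datetime] = None
    analysis_score: Optional[int] = None
    retro_verdict: Optional[str] = None
    retro_at: Optional[datetime] = None
    spyname: Optional[str] = None


def parse_timestamp(m: "re.Match") -> datetime:
    """Turn '14 Aug 2019 15:43:32' plus '(GMT +03:00)' into an aware datetime."""
    naive = datetime.strptime(m.group("ts"), "%d %b %Y %H:%M:%S")
    offset = timedelta(hours=int(m.group("hh")), minutes=int(m.group("mm")))
    if m.group("sign") == "-":
        offset = -offset
    return naive.replace(tzinfo=timezone(offset))


def parse_log(log_text: str) -> Dict[str, MessageState]:
    """Fold the log lines into one MessageState per MID; unknown lines are skipped."""
    states: Dict[str, MessageState] = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        when = parse_timestamp(line)
        msg = line.group("msg")
        m = VERDICT_RE.match(msg)
        if m:
            st = states.setdefault(m["mid"], MessageState(m["mid"]))
            st.pending_at_scan = "File analysis pending" in m["verdict"]
            continue
        m = QUEUED_RE.match(msg)
        if m:
            states.setdefault(m["mid"], MessageState(m["mid"])).delivered_at = when
            continue
        m = ANALYSIS_RE.match(msg)
        if m:
            states.setdefault(m["mid"], MessageState(m["mid"])).analysis_score = int(m["score"])
            continue
        m = RETRO_RE.match(msg)
        if m:
            st = states.setdefault(m["mid"], MessageState(m["mid"]))
            st.retro_verdict, st.retro_at, st.spyname = m["verdict"], when, m["spyname"]
    return states


def find_delivered_then_malicious(log_text: str) -> List[dict]:
    """Messages delivered with analysis pending that later turned MALICIOUS.

    The exposure window is delivery time to retrospective verdict time; these are
    the MIDs an operator needs to remediate on the mailbox side."""
    findings = []
    for st in parse_log(log_text).values():
        if st.delivered_at and st.pending_at_scan and st.retro_verdict == "MALICIOUS":
            findings.append({
                "mid": st.mid,
                "delivered_at": st.delivered_at.isoformat(),
                "verdict_at": st.retro_at.isoformat(),
                "exposure_seconds": int((st.retro_at - st.delivered_at).total_seconds()),
                "analysis_score": st.analysis_score,
                "spyname": st.spyname,
            })
    return findings


if __name__ == "__main__":
    for f in find_delivered_then_malicious(SAMPLE_LOG):
        print(f"MID {f['mid']}: delivered {f['delivered_at']}, retro verdict {f['verdict_at']}, "
              f"exposed {f['exposure_seconds']} s ({f['spyname']}, score {f['analysis_score']})")
```

Run against the question's excerpt, the script reports MID 41090 with an exposure window of 8422 seconds (15:43:32 to 18:03:54) and does not report the clean MID 41091. Once the policy is switched to quarantine messages with file analysis pending, a message in the same situation would no longer produce a "queued for delivery" line before its verdict, so the same check doubles as a way to confirm the change took effect.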

Check the settings on your incoming mail policy / File Analysis, and make sure you're quarantining messages that have pending file analysis, and then set the quarantine to hold for whatever you deem necessary.

ppreenja
Cisco Employee
Hi Oleg Volkov,

For your requirement, you can do so by following the steps below:

Log in to the GUI and go to Mail Policies --> Incoming Mail Policy --> Advanced Malware Protection (click on the link below this column).

Go to "Messages with File Analysis Pending:" and for "Action Applied to Message:" change the option from "Deliver As Is" to "Quarantine".

Then submit and commit the changes.

Note: This might result in a delay in email delivery.

I hope it helps!

BR,
Pratham