
AMP : file not uploaded for analysis

Kalipso
Level 1

Hello all, 

I've got a strange behavior, I don't know if it is normal.

Multiple times a day (like a hundred) we observe logs in AMP stating first that the recommended action for the file is to send the file for analysis, and then that the file was not sent because it is already known in the file analysis server.

So was the file checked or not?

Typically the logs look like this:

Sun Jul 5 06:59:13 2020 Info:   File reputation query initiating. File Name = 'filename.pdf', MID = 6876581, File Size = 637737 bytes, File Type = application/pdf

Sun Jul 5 06:59:13 2020 Info: File analysis upload skipped. SHA256: 123456, file name: Timestamp[1593031467] details[Success]

Sun Jul 5 06:59:13 2020 Info:   Response received for file reputation query from Cloud. File Name = 'filename.pdf', MID = 6876581, Disposition = VERDICT UNKNOWN, Malware = None, Analysis Score = 56, sha256 = 123456, upload_action = Recommended to send the file for analysis

Sun Jul 5 06:59:13 2020 Info:   File not uploaded for analysis. MID = 6876581, File SHA256[123456], File mime[application/pdf], Reason: The file verdict status is already available with the File Analysis server


ppreenja
Cisco Employee
Hello Marie,

This is expected behavior when the File Analysis module has detected the same hash in the local File Analysis server; the file was therefore not submitted for analysis again and the cached verdict was used.

I hope that answers your query.

Cheers,
Pratham
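
One way to tally these entries per message, as an added example that is not part of the original thread and is not Cisco code: it joins the cloud response and the "File not uploaded for analysis" line by MID and labels the cached-verdict case described in the reply. The regular expressions, function names and labels are assumptions based only on the log lines quoted in the question; the last two sample lines are constructed.

```python
import re
from collections import defaultdict

# First four lines are the log lines quoted in the question above; the last
# two (MID 6876599) are constructed here for contrast.
SAMPLE_LOG = """\
Sun Jul 5 06:59:13 2020 Info:   File reputation query initiating. File Name = 'filename.pdf', MID = 6876581, File Size = 637737 bytes, File Type = application/pdf
Sun Jul 5 06:59:13 2020 Info: File analysis upload skipped. SHA256: 123456, file name: Timestamp[1593031467] details[Success]
Sun Jul 5 06:59:13 2020 Info:   Response received for file reputation query from Cloud. File Name = 'filename.pdf', MID = 6876581, Disposition = VERDICT UNKNOWN, Malware = None, Analysis Score = 56, sha256 = 123456, upload_action = Recommended to send the file for analysis
Sun Jul 5 06:59:13 2020 Info:   File not uploaded for analysis. MID = 6876581, File SHA256[123456], File mime[application/pdf], Reason: The file verdict status is already available with the File Analysis server
Sun Jul 5 07:02:40 2020 Info:   File reputation query initiating. File Name = 'other.pdf', MID = 6876599, File Size = 1200 bytes, File Type = application/pdf
Sun Jul 5 07:02:40 2020 Info:   Response received for file reputation query from Cloud. File Name = 'other.pdf', MID = 6876599, Disposition = VERDICT UNKNOWN, Malware = None, Analysis Score = 10, sha256 = abcdef, upload_action = Recommended to send the file for analysis
"""

RESPONSE = re.compile(  # patterns assume only the field layout quoted above
    r"Response received for file reputation query from Cloud\. "
    r"File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+), Disposition = (?P<disp>[^,]+),"
    r".*?sha256 = (?P<sha>\w+), upload_action = (?P<action>.+)$")
NOT_UPLOADED = re.compile(
    r"File not uploaded for analysis\. MID = (?P<mid>\d+), "
    r"File SHA256\[(?P<sha>\w+)\].*?Reason: (?P<reason>.+)$")
FIELDS = ("name", "sha256", "disposition", "upload_action", "skip_reason")

def correlate(log_text):
    """Join the cloud response and the 'not uploaded' line by MID."""
    records = defaultdict(lambda: dict.fromkeys(FIELDS))
    for line in log_text.splitlines():
        if m := RESPONSE.search(line):
            records[m["mid"]].update(name=m["name"], sha256=m["sha"],
                disposition=m["disp"].strip(), upload_action=m["action"].strip())
        elif m := NOT_UPLOADED.search(line):
            rec = records[m["mid"]]
            rec["skip_reason"] = m["reason"].strip()
            rec["sha256"] = rec["sha256"] or m["sha"]  # keep hash if response line is missing
    return dict(records)

def classify(rec):
    reason = rec["skip_reason"]
    if reason and "already available" in reason:
        return "cached-verdict"            # the case explained in the reply
    if reason:
        return "not-uploaded-other-reason"
    if "Recommended to send" in (rec["upload_action"] or ""):
        return "recommended-no-skip-line"  # no 'not uploaded' line seen in this log
    return "no-upload-recommendation"

def summarize(log_text):
    return {mid: classify(rec) for mid, rec in correlate(log_text).items()}
if __name__ == "__main__": print(summarize(SAMPLE_LOG))
```

Counting the labels over a day of logs shows how many of the "Recommended to send" responses ended in the cached-verdict path rather than some other reason.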