Hello all,
I've got a strange behavior, I don't know if it is normal.
Multiple times a day (like a hundred) we observe logs in AMP stating first that the recommended action for the file is to send the file for analysis, and then that the file was not sent because it is already known in the file analysis server.
So was the file checked or not?
Typically the logs look like this:
Sun Jul 5 06:59:13 2020 Info: File reputation query initiating. File Name = 'filename.pdf', MID = 6876581, File Size = 637737 bytes, File Type = application/pdf
Sun Jul 5 06:59:13 2020 Info: File analysis upload skipped. SHA256: 123456, file name: Timestamp[1593031467] details[Success]
Sun Jul 5 06:59:13 2020 Info: Response received for file reputation query from Cloud. File Name = 'filename.pdf', MID = 6876581, Disposition = VERDICT UNKNOWN, Malware = None, Analysis Score = 56, sha256 = 123456, upload_action = Recommended to send the file for analysis
Sun Jul 5 06:59:13 2020 Info: File not uploaded for analysis. MID = 6876581, File SHA256[123456], File mime[application/pdf], Reason: The file verdict status is already available with the File Analysis server