Showing results for 
Search instead for 
Did you mean: 

AMP : file not uploaded for analysis


Hello all, 

I've got a strange behavior, I don't know if t is normal.

Multiple times a day (like a hundred) we observe logs in AMP stating first that the recommended action for the file is to send the file for analysis, and then that the fils was not sent because it is already known in the file analysis server.

So was the file checked or not ?


Typically the logs look like this :

Sun Jul 5 06:59:13 2020 Info:   File reputation query initiating. File Name = 'filename.pdf', MID = 6876581, File Size = 637737 bytes, File Type = application/pdf

Sun Jul 5 06:59:13 2020 Info: File analysis upload skipped. SHA256: 123456, file name: Timestamp[1593031467] details[Success]

Sun Jul 5 06:59:13 2020 Info:   Response received for file reputation query from Cloud. File Name = 'filename.pdf', MID = 6876581, Disposition = VERDICT UNKNOWN, Malware = None, Analysis Score = 56, sha256 = 123456, upload_action = Recommended to send the file for analysis

Sun Jul 5 06:59:13 2020 Info:   File not uploaded for analysis. MID = 6876581, File SHA256[123456], File mime[application/pdf], Reason: The file verdict status is already available with the File Analysis server

1 Reply 1

Cisco Employee
Cisco Employee
Hello Marie,

This is expected behavior when the File Analysis module detected the same hash in the local File Analysis server, therefore the file did not submit for analysis again and the cached verdict has been used.

I hope that answers your query.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: