AMP file not uploaded No active/dynamic contents exists

Oleg Volkov
Spotlight

Hello.

My ESA does not want to upload a file for AMP analysis.

I see in log:

File not uploaded for analysis. MID = 13478, File SHA256[57413d91eadac7020ddbd9c7434c86ccdf85bb8b5f6ef0a2a4b0e1e3850b167a], File mime[application/pdf], Reason: No active/dynamic contents exists

 

What must I do?

Thank You.

 

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

Newer versions of AMP are smarter about what gets uploaded so your upload limit doesn't get used up.

If the file has no code in it, it won't get uploaded.

If you're testing/verifying that AMP is working, and that files do get uploaded, create a Word doc or Excel doc with a macro in it, and then mail that through.






Thank you, I will try, but I do not understand the error message. What is dynamic content?

--------------------------------------------------------------------------

"Dynamic content" = executable code or macros


I created a document with a macro and sent it by e-mail:

 

10 Jul 2019 11:19:47 (GMT +03:00)	File analysis complete. MID = 13898, SHA256 = [e999dff89c33a98dce5106ef261eeabdae9f7ba6cbb27d6b855fbb16eea4eca6], File Name = D1.docm, Submit Timestamp = 1562746245, Update Timestamp = 1562746786, Disposition = 1, Score = 72, Analysis Id = 1e80f53fcfc43038b4522c308cf5ae26, Details = None
10 Jul 2019 11:10:38 (GMT +03:00)	Incoming connection (ICID 6555) has sender_group: UNKNOWNLIST, sender_ip: 10.19.2.2 and sbrs: rfc1918
10 Jul 2019 11:10:38 (GMT +03:00)	Protocol SMTP interface Management (IP 10.20.0.3) on incoming connection (ICID 6555) from sender IP 10.19.2.2. Reverse DNS host None verified no.
10 Jul 2019 11:10:38 (GMT +03:00)	(ICID 6555) ACCEPT sender group UNKNOWNLIST match sbrs[none] SBRS rfc1918 sender IP 10.19.2.2 country not applicable
10 Jul 2019 11:10:39 (GMT +03:00)	Message 13898 Sender Domain: xxxxxxxxxx
10 Jul 2019 11:10:39 (GMT +03:00)	Start message 13898 on incoming connection (ICID 6555).
10 Jul 2019 11:10:39 (GMT +03:00)	Message 13898 enqueued on incoming connection (ICID 6555) from MAILER-DAEMON@smtp2.nch-spb.ru.
10 Jul 2019 11:10:39 (GMT +03:00)	Message 13898 direction: incoming
10 Jul 2019 11:10:39 (GMT +03:00)	Message 13898 on incoming connection (ICID 6555) added recipient (amp@virtualmail.local).
10 Jul 2019 11:10:40 (GMT +03:00)	Message 13898 contains message ID header '<5D259D77.1020509@xxxxxxxx>'.
10 Jul 2019 11:10:40 (GMT +03:00)	Message 13898 original subject on injection: WordMacro
10 Jul 2019 11:10:40 (GMT +03:00)	Message 13898 Domains for which SDR is requested: reverse DNS host: Not Present, helo: mgmt-smtp2.whsd.local, env-from: smtp2.nch-spb.ru, header_from: powerc.ru, reply_to: Not Present
10 Jul 2019 11:10:42 (GMT +03:00)	Message 13898 Consolidated Sender Reputation: Tainted, Threat Category: N/A, Suspected Domain(s): smtp2.nch-spb.ru. Youngest Domain Age: 7 years 3 months 14 days for domain: smtp2.nch-spb.ru
10 Jul 2019 11:10:42 (GMT +03:00)	Message 13898 (29008 bytes) from MAILER-DAEMON@xxxxxxxx ready.
10 Jul 2019 11:10:42 (GMT +03:00)	Message 13898 has sender_group: UNKNOWNLIST, sender_ip: 10.19.2.2 and sbrs: None
10 Jul 2019 11:10:42 (GMT +03:00)	Message 13898 matched per-recipient policy DEFAULT for inbound mail policies.
10 Jul 2019 11:10:41 (GMT +03:00)	File reputation query initiating. File Name = D1.docm, MID = 13898, File Size = 15737 bytes, File Type = application/vnd.openxmlformats-officedocument.wordprocessingml.document
10 Jul 2019 11:10:44 (GMT +03:00)	Response received for file reputation query from Cloud. File Name = D1.docm, MID = 13898, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = e999dff89c33a98dce5106ef261eeabdae9f7ba6cbb27d6b855fbb16eea4eca6, upload_action = Recommended to send the file for analysis
10 Jul 2019 11:10:45 (GMT +03:00)	Message 13898 scanned by Advanced Malware Protection engine. Final verdict: UNKNOWN(File analysis pending)
10 Jul 2019 11:10:45 (GMT +03:00)	Message 13898 contains attachment 'D1.docm' (SHA256 e999dff89c33a98dce5106ef261eeabdae9f7ba6cbb27d6b855fbb16eea4eca6).
10 Jul 2019 11:10:45 (GMT +03:00)	Message 13898 attachment 'D1.docm' scanned by Advanced Malware Protection engine. File Disposition: Unknown
10 Jul 2019 11:10:45 (GMT +03:00)	Message 13898 queued for delivery.

How can I tell whether this file was uploaded and checked or not?

--------------------------------------------------------------------------

Yes, it was uploaded:

10 Jul 2019 11:10:44 (GMT +03:00) Response received for file reputation query from Cloud. File Name = D1.docm, MID = 13898, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = e999dff89c33a98dce5106ef261eeabdae9f7ba6cbb27d6b855fbb16eea4eca6, upload_action = Recommended to send the file for analysis



10 Jul 2019 11:19:47 (GMT +03:00) File analysis complete. MID = 13898, SHA256 = [e999dff89c33a98dce5106ef261eeabdae9f7ba6cbb27d6b855fbb16eea4eca6], File Name = D1.docm, Submit Timestamp = 1562746245, Update Timestamp = 1562746786, Disposition = 1, Score = 72, Analysis Id = 1e80f53fcfc43038b4522c308cf5ae26, Details = None





Go to Monitor/File Analysis to see a report of all the files your ESA uploads; if you click through the various links you can see the file analysis too.
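The two replies above answer the question by reading the mail_logs by hand: a "File not uploaded for analysis ... Reason: ..." line means AMP skipped the upload, while a reputation response with "upload_action = Recommended to send the file for analysis" followed later by "File analysis complete" means the file went to the sandbox and came back with a score. The following Python script is an added example, not code from the original thread or from Cisco; it groups the AMP lines of an ESA mail_logs by MID and derives that status automatically. The sample input is constructed from the log lines quoted in this thread; the status labels, the regular expressions and the turnaround calculation (Update Timestamp minus Submit Timestamp) are my own assumptions about the log format, not a documented ESA API.

```python
import re
from collections import defaultdict

# Constructed sample input: ESA mail_logs lines copied from this thread
# (MID 13478, the PDF that was not uploaded, and MID 13898, the .docm that was).
SAMPLE_LOG = "\n".join([
    "10 Jul 2019 10:55:02 (GMT +03:00)\tFile not uploaded for analysis. MID = 13478, "
    "File SHA256[57413d91eadac7020ddbd9c7434c86ccdf85bb8b5f6ef0a2a4b0e1e3850b167a], "
    "File mime[application/pdf], Reason: No active/dynamic contents exists",
    "10 Jul 2019 11:10:44 (GMT +03:00)\tResponse received for file reputation query from Cloud. "
    "File Name = D1.docm, MID = 13898, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, "
    "sha256 = e999dff89c33a98dce5106ef261eeabdae9f7ba6cbb27d6b855fbb16eea4eca6, "
    "upload_action = Recommended to send the file for analysis",
    "10 Jul 2019 11:10:45 (GMT +03:00)\tMessage 13898 scanned by Advanced Malware Protection engine. "
    "Final verdict: UNKNOWN(File analysis pending)",
    "10 Jul 2019 11:19:47 (GMT +03:00)\tFile analysis complete. MID = 13898, "
    "SHA256 = [e999dff89c33a98dce5106ef261eeabdae9f7ba6cbb27d6b855fbb16eea4eca6], File Name = D1.docm, "
    "Submit Timestamp = 1562746245, Update Timestamp = 1562746786, Disposition = 1, Score = 72, "
    "Analysis Id = 1e80f53fcfc43038b4522c308cf5ae26, Details = None",
])

# Assumed line layout: "<day> <Mon> <year> <hh:mm:ss> (GMT +hh:mm)<tab><message>"
_TS = re.compile(r"^(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} \(GMT [+-]\d{2}:\d{2}\))\s+(?P<msg>.+)$")

# One regex per AMP event type seen in the thread; group names become record fields.
_PATTERNS = {
    "not_uploaded": re.compile(
        r"File not uploaded for analysis\. MID = (?P<mid>\d+), File SHA256\[(?P<sha256>[0-9a-f]{64})\], "
        r"File mime\[(?P<mime>[^\]]+)\], Reason: (?P<reason>.+)$"),
    "reputation": re.compile(
        r"Response received for file reputation query from Cloud\. File Name = (?P<file_name>.+?), "
        r"MID = (?P<mid>\d+), Disposition = (?P<rep_disposition>.+?), Malware = (?P<malware>.+?), "
        r"Analysis Score = (?P<rep_score>\d+), sha256 = (?P<sha256>[0-9a-f]{64}), "
        r"upload_action = (?P<upload_action>.+)$"),
    "verdict": re.compile(
        r"Message (?P<mid>\d+) scanned by Advanced Malware Protection engine\. Final verdict: (?P<verdict>.+)$"),
    "analysis_complete": re.compile(
        r"File analysis complete\. MID = (?P<mid>\d+), SHA256 = \[(?P<sha256>[0-9a-f]{64})\], "
        r"File Name = (?P<file_name>.+?), Submit Timestamp = (?P<submit_ts>\d+), "
        r"Update Timestamp = (?P<update_ts>\d+), Disposition = (?P<analysis_disposition>\d+), "
        r"Score = (?P<score>\d+), Analysis Id = (?P<analysis_id>[0-9a-f]+), Details = (?P<details>.+)$"),
}


def summarize(log_text):
    """Group the AMP lines of an ESA mail_logs by MID and label each message's upload/analysis state."""
    by_mid = defaultdict(lambda: {"events": []})
    for line in log_text.splitlines():
        m = _TS.match(line)
        if not m:
            continue  # not a mail_logs line (or a line we do not care about)
        for kind, pat in _PATTERNS.items():
            hit = pat.match(m.group("msg"))
            if hit:
                rec = by_mid[hit.group("mid")]
                rec["events"].append(kind)
                rec.update({k: v for k, v in hit.groupdict().items() if k != "mid"})
                break
    for rec in by_mid.values():
        ev = rec["events"]
        if "not_uploaded" in ev:
            # AMP decided locally that there is nothing to sandbox (e.g. no macros/code in the file).
            rec["status"] = "NOT UPLOADED: " + rec["reason"]
        elif "analysis_complete" in ev:
            # The sandbox finished; keep the score and how long the analysis took.
            rec["turnaround_s"] = int(rec["update_ts"]) - int(rec["submit_ts"])
            rec["status"] = "ANALYSED: score %s, disposition %s" % (rec["score"], rec["analysis_disposition"])
        elif "reputation" in ev and rec["upload_action"].startswith("Recommended to send"):
            rec["status"] = "UPLOAD RECOMMENDED: analysis pending"
        else:
            rec["status"] = "no AMP upload decision logged"
    return dict(by_mid)


if __name__ == "__main__":
    for mid, rec in sorted(summarize(SAMPLE_LOG).items()):
        print(mid, rec.get("file_name", rec.get("mime", "?")), "->", rec["status"])
```

Run it against `grep -i 'amp\|file analysis\|file reputation\|not uploaded' mail_logs` output from a real appliance to get one status line per MID; a file that shows only the "NOT UPLOADED" state with the reason from this thread is not an error, it is the appliance declining to spend an upload on a file with no active content.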




Hi,

 

You can refer to the blog below, where you will get a clear understanding of the new AMP process.

 

https://blogs.cisco.com/security/deep-dive-into-amp-and-threat-grid-integration-with-cisco-email-security