08-20-2019 02:02 PM
I am trying to get AMP for ESA set up on our IronPort C170 appliance running ASyncOS 11.0.3. I believe I have my settings correct, however, files that have a verdict of unknown are not being uploaded for analysis. Perhaps I'm missing something? I have made sure that file analysis is enabled for all supported file types. Any help would be greatly appreciated.
08-21-2019 07:51 AM
Hello,
In addition to what Pratham has already mentioned, an Unknown verdict does not automatically mean the file is uploaded to Threatgrid for File Analysis. There is a pre-classification process on the ESA where the file is further checked prior to upload for File Analysis. If there are additional markers where we deem it needs further scanning, then it is uploaded. If we look at the file and it appears safe, then we let it proceed onward without upload.
You should be able to go through the AMP logs to see exactly why these files may or may not have been uploaded. Feel free to share some of the logs if needed as well and we can help confirm.
Thanks!
-Dennis M.
08-20-2019 10:41 PM
08-21-2019 09:03 AM
Thank you everyone for your help with this. In reviewing the AMP log, I found that it does show that the 'UNKNOWN' file was not sent for analysis and gives the reason as 'No active/dynamic contents exists'. In reading other posts and the documentation, I now understand that newer versions of AMP are designed to be smarter. When an unknown verdict is reached, the file is then scanned further to determine if there is any content that could be deemed potentially harmful (macros for example). If the file does not contain any content of this nature, it does not waste resources by uploading the file. I was able to test this using an Excel file with an embedded macro to ensure that uploads are indeed occurring when needed.
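As an added example (not code from any poster or from Cisco, and not the ESA's actual pre-classification logic), here is a small Python check that reproduces the kind of verification the original poster did: it inspects an Office Open XML file for a VBA project part or a macro-enabled content type, the "active/dynamic content" that the thread says drives File Analysis upload. The `build_sample` helper constructs minimal workbook skeletons purely for testing; they are not real spreadsheets.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (.xls/.doc)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML containers are zip files
XLSX_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
XLSM_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"


def classify(data: bytes) -> str:
    """Return 'macro', 'no-active-content', 'legacy-ole' or 'not-office'.

    A VBA project part (xl/vbaProject.bin, word/vbaProject.bin, ...) or a
    macroEnabled content type marks the document as carrying active content.
    This is an illustrative heuristic, not the appliance's own classifier.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"  # binary format; needs an OLE parser to inspect
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
            ctypes = ""
            if "[Content_Types].xml" in zf.namelist():
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    if any(n.endswith("vbaproject.bin") for n in names) or "macroenabled" in ctypes.lower():
        return "macro"
    return "no-active-content"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal workbook skeleton for testing (not a usable spreadsheet)."""
    ct = XLSM_CT if with_macro else XLSX_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/xl/workbook.xml" ContentType="%s"/></Types>' % ct)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder VBA stream
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("plain", build_sample(False)), ("macro", build_sample(True))):
        print(label, "->", classify(blob))
```

Running it against a real macro-free .xlsx and a macro-enabled .xlsm gives you a quick local answer for why one attachment was held back with "No active/dynamic contents exists" while the other was uploaded.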