AMP not sending unknown files for file analysis

USD SmartAlerts
Level 1

I am trying to get AMP for ESA set up on our IronPort C170 appliance running AsyncOS 11.0.3. I believe I have my settings correct; however, files that have a verdict of unknown are not being uploaded for analysis. Perhaps I'm missing something? I have made sure that file analysis is enabled for all supported file types. Any help would be greatly appreciated.

Accepted Solution

dmccabej
Cisco Employee

Hello,

In addition to what Pratham has already mentioned, an Unknown verdict does not automatically mean the file is uploaded to Threatgrid for File Analysis. There is a pre-classification process on the ESA where the file is further checked prior to upload for File Analysis. If there are additional markers where we deem it needs further scanning, then it is uploaded. If we look at the file and it appears safe, then we let it proceed onward without upload.

You should be able to go through the AMP logs to see exactly why these files may or may not have been uploaded. Feel free to share some of the logs if needed as well and we can help confirm.

Thanks!

-Dennis M.


3 Replies

ppreenja
Cisco Employee

Hi,

To make sure that the unknown files are sent for file analysis, please take care of the steps below:

1) Make sure that your feature key for "File Analysis" is active and enabled (System Administration-->Feature Keys).
2) Go to Security Services-->File Reputation and Analysis and make sure File Analysis is Enabled. If not, click "Edit Settings".
3) Make sure that File types are selected and the server is configured correctly.
4) Go to Mail Policies-->Incoming Mail Policy-->Click on the link under "Advanced Malware Protection" for the given policy which the email is hitting.
5) Make sure the "Enable File Analysis" checkbox is checked.

Also, please find below the articles that might come in handy to check on your configuration:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_010000.pdf
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118796-technote-esa-00.html

I hope the above information helps!

BR,
Pratham


USD SmartAlerts
Level 1

Thank you everyone for your help with this. In reviewing the AMP log, I found that it does show that the 'UNKNOWN' file was not sent for analysis and gives the reason as 'No active/dynamic contents exists'. In reading other posts and the documentation, I now understand that newer versions of AMP are designed to be smarter. When an unknown verdict is reached, the file is then scanned further to determine if there is any content that could be deemed potentially harmful (macros for example). If the file does not contain any content of this nature, it does not waste resources by uploading the file. I was able to test this using an Excel file with an embedded macro to ensure that uploads are indeed occurring when needed.
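Dennis's advice to read the AMP logs and the OP's finding ("UNKNOWN" verdict, reason "No active/dynamic contents exists") both come down to correlating log lines per message. The following is an added example, not from the thread or from Cisco: it parses constructed, AMP-style log lines (the exact field layout of real ESA amp logs is an assumption here) and reports, per MID, the verdict, whether the file went to File Analysis, and the pre-classification reason when it did not.

```python
import re
from collections import defaultdict

# Constructed sample lines loosely modelled on ESA AMP log entries; the field
# layout is an assumption for this example, not copied from a real appliance.
SAMPLE_AMP_LOG = """\
Mon Apr 1 10:01:02 2019 Info: File reputation query initiating. File Name = 'invoice.xlsm', MID = 101, File Size = 20480 bytes
Mon Apr 1 10:01:03 2019 Info: Response received for file reputation query. Verdict = UNKNOWN, MID = 101
Mon Apr 1 10:01:04 2019 Info: File uploaded for analysis. MID = 101, File Name = 'invoice.xlsm'
Mon Apr 1 10:02:10 2019 Info: File reputation query initiating. File Name = 'report.xlsx', MID = 102, File Size = 8192 bytes
Mon Apr 1 10:02:11 2019 Info: Response received for file reputation query. Verdict = UNKNOWN, MID = 102
Mon Apr 1 10:02:12 2019 Info: File not uploaded for analysis. MID = 102, File Name = 'report.xlsx', Reason = No active/dynamic contents exists
Mon Apr 1 10:03:00 2019 Info: File reputation query initiating. File Name = 'notes.pdf', MID = 103, File Size = 4096 bytes
Mon Apr 1 10:03:01 2019 Info: Response received for file reputation query. Verdict = CLEAN, MID = 103
"""

MID_RE = re.compile(r"MID = (\d+)")
VERDICT_RE = re.compile(r"Verdict = (\w+)")
NAME_RE = re.compile(r"File Name = '([^']*)'")
REASON_RE = re.compile(r"Reason = (.*)$")

def summarize_amp_log(text):
    """Correlate AMP log lines by MID. Returns {mid: {name, verdict, uploaded, reason}}
    where uploaded is True/False once an upload decision line is seen, else None."""
    files = defaultdict(lambda: {"name": None, "verdict": None, "uploaded": None, "reason": None})
    for line in text.splitlines():
        m = MID_RE.search(line)
        if not m:
            continue  # not a per-message AMP line; ignore
        entry = files[int(m.group(1))]
        n = NAME_RE.search(line)
        if n:
            entry["name"] = n.group(1)
        v = VERDICT_RE.search(line)
        if v:
            entry["verdict"] = v.group(1)
        if "File uploaded for analysis" in line:
            entry["uploaded"] = True
        elif "File not uploaded for analysis" in line:
            entry["uploaded"] = False
            r = REASON_RE.search(line)
            entry["reason"] = r.group(1).strip() if r else "unspecified"
    return dict(files)

def unknown_not_uploaded(summary):
    """MIDs with an UNKNOWN verdict that pre-classification held back from upload."""
    return sorted(mid for mid, e in summary.items()
                  if e["verdict"] == "UNKNOWN" and e["uploaded"] is False)

if __name__ == "__main__":
    s = summarize_amp_log(SAMPLE_AMP_LOG)
    for mid in sorted(s):
        print(mid, s[mid])
    print("UNKNOWN but not uploaded:", unknown_not_uploaded(s))
```

Run against a real amp log export, the "reason" column separates a configuration problem (no upload decision logged at all) from the expected pre-classification behaviour the thread describes.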
