08-20-2019 02:02 PM
I am trying to get AMP for ESA set up on our IronPort C170 appliance running AsyncOS 11.0.3. I believe I have my settings correct; however, files that have a verdict of unknown are not being uploaded for analysis. Perhaps I'm missing something? I have made sure that file analysis is enabled for all supported file types. Any help would be greatly appreciated.
Labels: Email Security
Accepted Solutions
08-21-2019 07:51 AM
Hello,
In addition to what Pratham has already mentioned, an Unknown verdict does not automatically mean the file is uploaded to Threatgrid for File Analysis. There is a pre-classification process on the ESA where the file is further checked prior to upload for File Analysis; if there are additional markers where we deem it needs further scanning, then it is uploaded. If we look at the file and it appears safe, then we let it proceed onward without upload.
You should be able to go through the AMP logs to see exactly why these files were or were not uploaded. Feel free to share some of the logs if needed as well and we can help confirm.
Thanks!
-Dennis M.
08-20-2019 10:41 PM
To make sure that the unknown files are sent for file analysis, please check the steps below:
1) Make sure that your feature key for "File Analysis" is active and enabled (System Administration-->Feature Keys).
2) Go to Security Services-->File Reputation and Analysis and make sure File Analysis is Enabled. If not, click "Edit Settings".
3) Make sure that File types are selected and the server is configured correctly.
4) Go to Mail Policies-->Incoming Mail Policy-->Click on the link under "Advanced Malware Protection" for the given policy which is hitting the email.
5) Make sure the "Enable File Analysis" checkbox is checked.
Also, please find below some articles that might come in handy to check your configuration:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_010000.pdf
https://www.cisco.com/c/en/us/support/docs/security/sourcefire-amp-appliances/118121-technote-sourcefire-00.html
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118796-technote-esa-00.html
I hope the above information helps!
BR,
Pratham
08-21-2019 09:03 AM
Thank you everyone for your help with this. In reviewing the AMP log, I found that it does show that the 'UNKNOWN' file was not sent for analysis and gives the reason as 'No active/dynamic contents exists'. In reading other posts and the documentation, I now understand that newer versions of AMP are designed to be smarter. When an unknown verdict is reached, the file is then scanned further to determine if there is any content that could be deemed potentially harmful (macros for example). If the file does not contain any content of this nature, it does not waste resources by uploading the file. I was able to test this using an Excel file with an embedded macro to ensure that uploads are indeed occurring when needed.
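Dennis's answer and the original poster's follow-up both come down to the same diagnostic step: read the AMP log for the MID in question and see whether the ESA logged an upload or a pre-classification skip. The following Python script is an added example, not code from this thread or from Cisco. It folds AMP log lines into one record per MID and explains why each attachment did or did not reach File Analysis. The sample log lines are constructed for the example; their exact wording is an assumption modelled on the shape of AsyncOS AMP Engine entries (the `reason[...]` text is the one the original poster quoted), and the function names `parse_amp_log`, `explain` and `unknown_not_uploaded` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample AMP log lines (not copied from the thread or a real
# appliance). Their shape is an assumption modelled on AsyncOS AMP Engine log
# entries; if your appliance words these events differently, adjust the regexes
# and the two "uploaded" markers below to match what the CLI shows for a MID.
SAMPLE_AMP_LOG = """\
Tue Aug 20 14:02:31 2019 Info: File reputation query initiating. File Name = 'invoice.xlsx', MID = 1001, File Size = 24576 bytes, File Type = application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Tue Aug 20 14:02:32 2019 Info: Response received for file reputation query from Cloud. File Name = 'invoice.xlsx', MID = 1001, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, upload_action = Recommended to send the file for analysis
Tue Aug 20 14:02:32 2019 Info: File not uploaded for analysis. MID = 1001 file mime[application/vnd.openxmlformats-officedocument.spreadsheetml.sheet] reason[No active/dynamic contents exists]
Tue Aug 20 14:05:10 2019 Info: File reputation query initiating. File Name = 'quarterly.xlsm', MID = 1002, File Size = 51200 bytes, File Type = application/vnd.ms-excel.sheet.macroEnabled.12
Tue Aug 20 14:05:11 2019 Info: Response received for file reputation query from Cloud. File Name = 'quarterly.xlsm', MID = 1002, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, upload_action = Recommended to send the file for analysis
Tue Aug 20 14:05:12 2019 Info: File uploaded for analysis. MID = 1002 file mime[application/vnd.ms-excel.sheet.macroEnabled.12]
Tue Aug 20 14:07:40 2019 Info: File reputation query initiating. File Name = 'photo.png', MID = 1003, File Size = 80000 bytes, File Type = image/png
Tue Aug 20 14:07:41 2019 Info: Response received for file reputation query from Cloud. File Name = 'photo.png', MID = 1003, Disposition = FILE CLEAN, Malware = None, Analysis Score = 0, upload_action = Not to be sent for analysis
"""

MID_RE = re.compile(r"\bMID = (\d+)")
NAME_RE = re.compile(r"File Name = '([^']*)'")
DISP_RE = re.compile(r"Disposition = ([A-Z ]+?)(?:,|$)")
REASON_RE = re.compile(r"reason\[([^\]]*)\]")


def parse_amp_log(text):
    """Fold the per-event AMP log lines into one record per message ID (MID).

    Each record ends up with the attachment name, the reputation disposition
    returned by the cloud, whether the file was handed to File Analysis and,
    when it was not, the pre-classification reason the ESA logged.
    """
    records = defaultdict(lambda: {"name": None, "disposition": None,
                                   "uploaded": None, "reason": None})
    for line in text.splitlines():
        mid = MID_RE.search(line)
        if not mid:
            continue  # not an attachment event for a specific message
        rec = records[int(mid.group(1))]
        name = NAME_RE.search(line)
        if name:
            rec["name"] = name.group(1)
        disp = DISP_RE.search(line)
        if disp:
            rec["disposition"] = disp.group(1).strip()
        # Order matters: "File not uploaded" must be tested before "File uploaded".
        if "File not uploaded for analysis" in line:
            rec["uploaded"] = False
            reason = REASON_RE.search(line)
            rec["reason"] = reason.group(1) if reason else "(no reason logged)"
        elif "File uploaded for analysis" in line:
            rec["uploaded"] = True
    return dict(records)


def explain(rec):
    """One-line explanation of why a MID did or did not reach File Analysis."""
    if rec["disposition"] != "FILE UNKNOWN":
        return "not a candidate: reputation verdict was %s" % rec["disposition"]
    if rec["uploaded"] is True:
        return "UNKNOWN and uploaded to File Analysis"
    if rec["uploaded"] is False:
        return "UNKNOWN but skipped by pre-classification: %s" % rec["reason"]
    return ("UNKNOWN with no upload decision logged "
            "(check File Analysis is enabled on the mail policy the message matched)")


def unknown_not_uploaded(records):
    """MIDs worth a closer look: UNKNOWN verdict, yet never sent for analysis."""
    return sorted(mid for mid, rec in records.items()
                  if rec["disposition"] == "FILE UNKNOWN" and rec["uploaded"] is not True)


if __name__ == "__main__":
    recs = parse_amp_log(SAMPLE_AMP_LOG)
    for mid in sorted(recs):
        print("MID %d %-16s %s" % (mid, recs[mid]["name"], explain(recs[mid])))
    print("review:", unknown_not_uploaded(recs))
```

On the appliance, pull the relevant lines with the CLI `grep` command against your AMP log subscription (substituting the subscription name and MID you are chasing), or download the log file and feed the whole thing to `parse_amp_log`. The distinction the script draws is the useful one: a MID that shows FILE UNKNOWN with an explicit `reason[...]` line was a deliberate pre-classification skip, as in the original poster's case, whereas a MID that shows FILE UNKNOWN and no upload decision at all points back to Pratham's checklist, most often File Analysis not being enabled on the mail policy the message actually matched.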
