AMP status Unknown

fbaum
Level 1

I noticed in the ESA AMP report that almost all incoming files handled by AMP have status unknown.


Is this indicative of a problem in the configuration or is that to be expected? Only 13 malicious files were found over a 90 day period, which seems extremely low.

1 Reply

Mathew Huynh
Cisco Employee

Hey fbaum,


I can safely say: unknowns aren't a bad thing.

To give some insight:


Say your ESA received an email with an attachment.

The attachment has a SHA256 not known to the File Reputation Database; the ESA will then get triggered to do a scan to check whether or not this Unknown SHA256 has dynamic content.


If not, the ESA leaves it with the AMP verdict: UNKNOWN.

If the content does have dynamic content, the ESA will mark it as UNKNOWN (File Analysis Pending).

It then sends this file to ThreatGrid for sandboxing (Note: this is reliant on the file analysis supported filetypes you have configured to send via the Security Services -> File Reputation and Analysis settings).


After ThreatGrid finishes its sandboxing, it'll give a score verdict against the file.

If the File's SHA256 is determined as malicious by ThreatGrid, your ESA will release the email from file analysis quarantine (dependent on your settings) and the verdict will be changed from UNKNOWN (File Analysis Pending) to Malicious.


Now; any new emails with this same SHA will be flagged as malicious.


UNKNOWN could mean two items:

1) Not known to the database, no dynamic content, thus not sandboxed; kept as unknown even if the same SHA256 was coming in through a second email.

2) Not known to the database, sent for file analysis; analysis results determined it's benign (there's a score threshold), so AMP keeps the unknown verdict.


Items 2 and 3 are why you see a steady high rate of "Unknown", as unknown could potentially mean it's been scanned and is known but benign, so it keeps that unknown verdict.


A clean verdict is only applied under very specific circumstances.


Regards,

Mathew
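The verdict flow described in the reply, modelled as an added example that is not part of the original thread and not Cisco code: the reputation database, the dynamic-content check, the supported filetype list, the score threshold and the ThreatGrid scoring are all constructed stand-ins, chosen so a small sample mail flow shows why UNKNOWN dominates the report while only sandbox-confirmed hashes become Malicious.

```python
import hashlib
from collections import Counter
# Assumed/constructed stand-ins (not Cisco code): the file-analysis filetype
# list, the sandbox score threshold, and a sandbox scoring by a content marker.
ANALYSIS_FILETYPES = {"exe", "docm", "pdf"}
MALICIOUS_THRESHOLD = 90

def has_dynamic_content(content: bytes) -> bool:
    """Constructed heuristic: macros or scripts count as dynamic content."""
    return b"macro" in content or b"<script" in content

def threatgrid_score(content: bytes) -> int:
    """Constructed sandbox: content tagged 'payload' scores high, else low."""
    return 95 if b"payload" in content else 10

def amp_verdict(name: str, content: bytes, reputation_db: dict) -> str:
    """Walk the verdict flow from the reply above for one attachment."""
    sha256 = hashlib.sha256(content).hexdigest()
    if sha256 in reputation_db:             # known SHA256: use the stored verdict
        return reputation_db[sha256]
    ext = name.rsplit(".", 1)[-1].lower()
    if not has_dynamic_content(content) or ext not in ANALYSIS_FILETYPES:
        return "UNKNOWN"                    # never sandboxed; unknown on every repeat
    # verdict reads "UNKNOWN (File Analysis Pending)" until ThreatGrid reports back
    if threatgrid_score(content) >= MALICIOUS_THRESHOLD:
        reputation_db[sha256] = "Malicious"  # later mails with this SHA hit the DB
        return "Malicious"
    return "UNKNOWN"                        # benign result keeps the unknown verdict

def process_mailflow(messages, reputation_db=None):
    """Return (attachment name, verdict) for each message, in arrival order."""
    reputation_db = {} if reputation_db is None else reputation_db
    return [(n, amp_verdict(n, c, reputation_db)) for n, c in messages]

def verdict_summary(messages):
    """Count verdicts the way the AMP report tallies them."""
    return Counter(v for _, v in process_mailflow(messages))

# Constructed sample mail flow: (attachment name, attachment bytes)
SAMPLE_MAILFLOW = [
    ("invoice.pdf", b"plain text invoice"),        # no dynamic content
    ("report.docm", b"macro: benign helper"),      # sandboxed, scored benign
    ("update.exe", b"macro dropper payload"),      # sandboxed, scored malicious
    ("update.exe", b"macro dropper payload"),      # same SHA256, now known-bad
    ("invoice.pdf", b"plain text invoice"),        # repeat still stays unknown
    ("notes.txt", b"<script>x</script>"),          # filetype not sent for analysis
]

if __name__ == "__main__":
    print(process_mailflow(SAMPLE_MAILFLOW), verdict_summary(SAMPLE_MAILFLOW))
```

Four of the six sample attachments end up UNKNOWN for three different reasons (no dynamic content, benign sandbox result, filetype not sent), which is the mix the report lumps together under one label.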