Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1686
Views
5
Helpful
2
Replies

Cisco ESA AMP - File analysis upload delay

rolelael
Level 1
Level 1

‎11-05-2020 10:16 PM

Currently we are facing the issue that there is an inconsistency found by the number of mails that is in the file analysis quarantine ( max of 1 hour = default value ) and the number of samples being scanned in treatgrid ( we have a threatgrid login ) .

 

Also the stats of the appliances states for example that for the last 24hours on one esa, an amount of ex. 106 files have been uploaded for analysis. But we see a lot of more mails in de file analysis quaratine.....for that appliance. We have approx 20-30 mails every hour.. 

 

Also the majority runs into the max delay of 1 hour, and gets released. If we look at the 'debug' logs of amp it seems no verdict has come back or ...... the amp process does not notify the esa correctly of being analysed correctly

 

We checked our logs, and it seems this is rather a long time ongoing ( for a few months ) = not easy to check

 

There are no errors/warnings in the amp logs etc

 

And some mails do get analysis but get a verdict within 15 minutes ( which was always since I rmemember a 'normal' delay when a file is being sandboxed ) ... But now for the majority not a single verdict within the hour ?

 

Leads to some 'angry' customers

 

 

Labels:
2 Replies 2

Libin Varghese
Cisco Employee
Cisco Employee

‎11-05-2020 10:32 PM

Hi,

 

The explained scenario certainly does not appear to be normal, based on the version running on the appliances it could be a defect or something else that TAC would want to have a look at.

 

Files could end up sitting in the quarantine and expire if either the file was never uploaded or if after it was uploaded we didn't get a verdict on query, or we never queried of a verdict.

 

Since reasons could be multiple, TAC would be in a better position to confirm after review of the logs.

 

Regards,

Libin

0 Helpful

rolelael
Level 1
Level 1
In response to Libin Varghese

‎11-05-2020 10:39 PM

TAC case is open

 

Just wanted to check here on the forum

 

I'll keep this post updated

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents