11-05-2020 10:16 PM
Currently we are facing the issue that there is an inconsistency between the number of mails that are in the file analysis quarantine (max of 1 hour = default value) and the number of samples being scanned in threatgrid (we have a threatgrid login).
Also the stats of the appliances state, for example, that for the last 24 hours on one ESA, an amount of e.g. 106 files have been uploaded for analysis. But we see a lot more mails in the file analysis quarantine for that appliance. We have approx. 20-30 mails every hour.
Also the majority runs into the max delay of 1 hour, and gets released. If we look at the 'debug' logs of amp it seems no verdict has come back or ...... the amp process does not notify the esa correctly of being analysed correctly
We checked our logs, and it seems this has been ongoing for rather a long time (for a few months) = not easy to check
There are no errors/warnings in the amp logs etc
And some mails do get analysed but get a verdict within 15 minutes (which was always, as far as I remember, a 'normal' delay when a file is being sandboxed)... But now for the majority not a single verdict within the hour?
Leads to some 'angry' customers
11-05-2020 10:32 PM
Hi,
The explained scenario certainly does not appear to be normal; based on the version running on the appliances, it could be a defect or something else that TAC would want to have a look at.
Files could end up sitting in the quarantine and expire if either the file was never uploaded, or if after it was uploaded we didn't get a verdict on query, or we never queried for a verdict.
Since reasons could be multiple, TAC would be in a better position to confirm after review of the logs.
Regards,
Libin
11-05-2020 10:39 PM
TAC case is open
Just wanted to check here on the forum
I'll keep this post updated