Cisco ESA sending 'LOWRISK' files for analysis

mrjelly (Level 1)

Hello,

I have seen some behaviour in my ESA instance where emails with files showing as 'LOWRISK' in the message tracker logs are being sent for file analysis.

According to the Cisco docs this should not happen, would this be down to a File Analysis rating threshold set to higher than the default? At present mine is 95.

Thank you

5 Replies

Dustin Anderson (VIP Alumni)

Files sent should be any type you have selected for which there is no known value for the hash. The value is the threshold for containing the file based off the analysis. Any known hash should never get uploaded.

mrjelly (Level 1)

Hello,

Thank you for getting back; can you help me understand that comment, please?
Are you confirming that the way to stop the ESA running 'LOWRISK' files through file analysis is to lower the File Analysis threshold value?

I cannot see any configuration that shows setting up groups such as 'LOWRISK' in the Cisco documentation.

Thank you

Dustin Anderson (VIP Alumni), Accepted Solution

I believe the low risk is just file types that are not normally exploited, images, etc. You can probably ignore that.

The way it works is you select the file types to upload in the ESA. I believe the ESA checks all file hashes for whether there is a known scan already. If there is no known scan, then it falls to either upload or not based on your settings. Let's say the attachment is an .XML and you have it set as an upload type. If there is no known scan, then it will upload it and wait for the results.

This is where your 95 score is used: if the threat score is 95 or above, it will mark it malicious and quarantine/drop the email based off your settings.

This is the crux of the system though: the threat score is an average, and we have had malicious files come through because other factors dropped the score down. We are set at 84 ourselves and still see some come through. Our best defense is that we drop file types we know have no use in our business and try to scan the rest. Keep in mind file upload scanning requires a license and I believe by default is only 200/day, so you don't want to turn everything on.

mrjelly (Level 1)

I see, OK: so the file type determines whether they get analysed, and then the rating is the outcome of that scan and what happens.

Dustin Anderson (VIP Alumni)

Yup, it will upload a file for analysis if the hash is unknown and you have selected that type to be submitted. See my example below. In it, .xls is not submitted, but .xlsm is, due to macros.


We have to use a multi-layered approach, as something will get past one system and hopefully be caught by a different one: ESA, O365, AV on the system, etc.

[Attached screenshot: Screenshot 2023-10-27 092911.jpg (the file-type selection referred to above)]
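As an added worked example (written for this page, not Cisco code and not the poster's), the decision flow described in the accepted reply and in the last reply above, modelled in Python: a known hash is answered from reputation and never uploaded; an unknown hash is uploaded only if its extension is a selected type; the analysis score is then compared against the configured threshold; and a daily upload quota is spent per upload. The hash values, the scores, the extension list, the verdict labels and the behaviour when the quota is exhausted are all constructed assumptions for the example; the real verdict logic lives in the cloud service and is not reproduced here.

```python
"""Model of the ESA attachment decision flow as described in the thread.

Added illustration only: the hashes, scores, verdict labels and quota
handling below are constructed for the example, not Cisco's behaviour.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass
class Attachment:
    name: str
    sha256: str


@dataclass
class Policy:
    upload_types: Set[str]      # extensions selected for file analysis upload
    threshold: int = 95         # score at/above which the file is marked malicious
    daily_quota: int = 200      # uploads per day (figure quoted in the thread)
    uploads_today: int = 0


# Constructed reputation cache: hashes the cloud already has a verdict for.
KNOWN_REPUTATION: Dict[str, str] = {
    "a" * 64: "CLEAN",
    "b" * 64: "MALICIOUS",
    "c" * 64: "LOWRISK",
}

# Constructed analysis results for hashes that are not in the cache.
ANALYSIS_SCORES: Dict[str, int] = {
    "d" * 64: 97,   # clearly above a 95 threshold
    "e" * 64: 90,   # averaged down: caught at 84, missed at 95
    "f" * 64: 12,
}


def extension(name: str) -> str:
    """Lower-cased extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def decide(att: Attachment, policy: Policy) -> str:
    """Return the outcome for one attachment and update the policy's upload count.

    Outcomes: SKIP_KNOWN:<disposition>, NOT_SELECTED, QUOTA_EXCEEDED,
    MALICIOUS:<score>, BELOW_THRESHOLD:<score>.
    """
    # 1. Known hash: reputation answers; nothing is uploaded.
    if att.sha256 in KNOWN_REPUTATION:
        return f"SKIP_KNOWN:{KNOWN_REPUTATION[att.sha256]}"
    # 2. Unknown hash: upload only if the extension is a selected type.
    if extension(att.name) not in policy.upload_types:
        return "NOT_SELECTED"
    # 3. Upload licence quota (assumed for the example: no upload once spent).
    if policy.uploads_today >= policy.daily_quota:
        return "QUOTA_EXCEEDED"
    policy.uploads_today += 1
    score = ANALYSIS_SCORES.get(att.sha256, 0)
    # 4. Threshold comparison: at or above the configured score -> malicious.
    if score >= policy.threshold:
        return f"MALICIOUS:{score}"
    return f"BELOW_THRESHOLD:{score}"


def compare_thresholds(att: Attachment, upload_types: Iterable[str],
                       thresholds: Iterable[int]) -> Dict[int, str]:
    """Run one unknown-hash attachment against several thresholds, fresh policy each time."""
    return {t: decide(att, Policy(upload_types=set(upload_types), threshold=t))
            for t in thresholds}


if __name__ == "__main__":
    policy = Policy(upload_types={"xlsm", "xml", "docm"})
    samples = [
        Attachment("photo.jpg", "c" * 64),    # known LOWRISK hash: not uploaded
        Attachment("budget.xls", "d" * 64),   # .xls not selected: not uploaded
        Attachment("macro.xlsm", "d" * 64),   # selected, unknown, score 97
        Attachment("macro.xlsm", "e" * 64),   # selected, unknown, score 90
    ]
    for att in samples:
        print(f"{att.name}: {decide(att, policy)}")
    print(compare_thresholds(Attachment("macro.xlsm", "e" * 64), {"xlsm"}, (95, 84)))
```

The `compare_thresholds` call shows the point made about averaged scores: the same .xlsm with a constructed score of 90 is marked malicious at a threshold of 84 but passes at 95, while the .xls with an unknown hash is never uploaded at all because the type is not selected.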