
ESA AMP Behavior

eduardo0407 (Level 1)

Hello.

I would like to ask if the following behavior is normal for AMP: I've changed the AMP Policy to quarantine messages with pending file analysis. After that, almost all messages with attachments (supported ones) are quarantined, and the file analysis takes (normally) about 6-8 minutes. Some files take longer to be analyzed, and the maximum retention time is 60 minutes.

Is it an expected behavior to send all unknown supported files to the cloud for analysis? If I create a new Excel/DOC file and send it to the ESA, will it be sent to the cloud? If so, how much time would this take? Isn't there some local analysis/heuristics to determine that the file is safe and that it is not necessary to send it to the cloud?

In a production environment (not a big one) the analysis takes about 6-8 minutes. In a test environment it takes just a few seconds. Is it a best practice to configure the policy to deliver files with pending analysis or to quarantine them?

Thanks in advance.

Accepted Solution

Unfortunately, not much documentation is available on the preclassification engine. 

There is an active feature request to include details in the end user guide for future releases.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz06937/?reffering_site=dumpcr

The preclassification engine (ClamAV) performs an initial analysis of certain filetypes to determine if they have indicators of malicious behavior, such as the presence of macros in Office documents. I'm not privy to the exact criteria, which are considered proprietary information.

The time taken to complete the analysis could vary, and I would think times between 5 and 15 minutes are considered normal.

You can certainly reduce the retention time for the file analysis quarantine if you feel the need to do so. The file analysis would still continue on the cloud server even after the email is released from the quarantine.

The action for emails with file analysis pending depends on the organization; the default configuration is to deliver, to avoid delays in email delivery. You can certainly test out AMP for certain recipients by adding them to a separate incoming mail policy before enabling it for all internal users.

- Libin V


3 Replies

Libin Varghese (Cisco Employee)

Hi,

The default configuration is to deliver emails whose attachments have file analysis pending. This can be changed to quarantine as required.

AMP has a preclassification engine on board which can bypass attachments being uploaded to the cloud. In all other cases the attachments would be uploaded to the cloud, which is normal.

Depending on the type of file and other factors the analysis time may vary.

If there are business critical emails from trusted senders you can certainly create a separate incoming mail policy for them to deliver attachments with analysis pending while still quarantining emails from other senders.

Thank You!

Libin Varghese

Thank you for your answer! I just have some more questions.

Do you have more information about the preclassification engine?

In my example of the Excel file, if I just fill in a few cells and send to the ESA, is it normal for the analysis to take 6 minutes to be completed? 

Is there some tuning that I can do to improve the overall performance of AMP? Reducing the retention time of the File Analysis Quarantine, maybe? Is the analysis interrupted when the file is released from the quarantine (after 60 minutes)?

One last question: the recommended configuration is to deliver those messages to the users or to quarantine them to the File Analysis Quarantine? 

Thanks in advance.

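The thread asks whether anything can decide locally that a fresh Excel or Word file is harmless before it is shipped to the cloud sandbox. The following is an added example of that kind of pre-check, written for this page; it is not Cisco's preclassification engine, not ClamAV, and not code from anyone in the thread. It implements the one indicator the answer names (VBA macros in Office documents) plus a check for embedded OLE objects, and only a zip-based Office package with neither is treated as safe to deliver without the cloud round trip; everything else, including legacy binary .doc/.xls containers and unknown file types, falls through to cloud analysis. The verdict names, the policy in `can_skip_cloud`, and the sample attachments are all constructed for the example.

```python
"""Local preclassification of e-mail attachments before cloud file analysis.

Added example, not the ESA's engine: cheap offline checks for the indicator the
thread mentions (macros in Office documents), used to decide whether a file
can be delivered without waiting for sandbox analysis.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.xlsx/.pptx) is a zip
OOXML_DIRS = ("word/", "xl/", "ppt/")
# OLE directory entries store stream/storage names as UTF-16LE; a VBA project
# sits under a storage whose name begins with "_VBA_PROJECT".
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify(data: bytes) -> str:
    """Return a constructed verdict label:
    ooxml-macro, ooxml-embedded, ooxml-clean, ole-macro, ole, or other."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary container: we cannot cheaply prove it is macro-free,
        # so we only flag the obvious case and otherwise leave it opaque.
        return "ole-macro" if OLE_VBA_MARKER in data else "ole"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "other"
        if any(n.endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"            # VBA project part present
        if any("/embeddings/" in n for n in names):
            return "ooxml-embedded"         # embedded OLE object parts
        if any(n.startswith(OOXML_DIRS) for n in names):
            return "ooxml-clean"
    return "other"


def can_skip_cloud(data: bytes) -> bool:
    """Hypothetical policy for this example: only an OOXML package with no VBA
    part and no embedded objects is delivered without cloud analysis. Every
    other case (macros, legacy OLE, unknown type) is submitted."""
    return classify(data) == "ooxml-clean"


def build_ooxml(parts: dict) -> bytes:
    """Constructed OOXML-like package (not a real document): a zip of parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample attachments; none are real files from the thread.
SAMPLES = {
    "clean.xlsx": build_ooxml({"xl/workbook.xml": "<workbook/>"}),
    "macro.xlsm": build_ooxml({"xl/workbook.xml": "<workbook/>",
                               "xl/vbaProject.bin": b"\x00" * 32}),
    "embed.docx": build_ooxml({"word/document.xml": "<document/>",
                               "word/embeddings/oleObject1.bin": b"\x00" * 32}),
    "legacy.doc": OLE_MAGIC + b"\x00" * 504,
    "legacy_macro.doc": OLE_MAGIC + b"\x00" * 504
                        + "_VBA_PROJECT_CUR".encode("utf-16-le"),
    "report.pdf": b"%PDF-1.7\n%constructed sample\n",
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        action = "deliver now" if can_skip_cloud(data) else "submit to cloud"
        print(f"{name:18} {classify(data):15} -> {action}")
```

The point of the policy shape is that the local check only ever shortens the path for files it can positively characterise; a decision it cannot make confidently is left to the sandbox, which is the same fail-closed posture as quarantining messages with analysis pending.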