Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1440
Views
0
Helpful
0
Replies

ESA AMP Failure to Identify Known Malicious Hash

Navar
Level 1
Level 1

‎03-19-2019 08:04 AM

Had an email with a PDF attachment that ESA AMP gave a disposition of LowRisk,  then 3 1/2 hours later changed the attachment to Malicious.  This is good but why didn't ESA AMP catch it the first time?  I ask this because Talos File Reputation lists the Date Detection Created as 05/01/2018.  The e-mail was delivered to us on 3/11/2019.

So why did ESA AMP give the PDF a LowRisk when Talos File Reputation knew about the Malicious Hash for 10 months?

This is very concerning and my trust in AMP is dropping.

I am going to guess that AMP's failure to identify known malicious files is related to the known AMP bug. CSCvg48611

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg48611

ESA AMP will ignores all AMP selections that you have set for File Analysis if AMP gives a Disposition of LowRisk.  Scary.

 

SHA256

87136b978a3bd48adc9e8dfa4875407c80a462681961e202f1deabe5b5ff65cd

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents