Had an email with a PDF attachment that ESA AMP gave a disposition of LowRisk, then 3 1/2 hours later changed the attachment to Malicious. This is good, but why didn't ESA AMP catch it the first time? I ask this because Talos File Reputation lists the Date Detection Created as 05/01/2018. The e-mail was delivered to us on 3/11/2019.
So why did ESA AMP give the PDF a LowRisk when Talos File Reputation knew about the Malicious Hash for 10 months?
This is very concerning and my trust in AMP is dropping.
I am going to guess that AMP's failure to identify known malicious files is related to the known AMP bug, CSCvg48611:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg48611
ESA AMP ignores all AMP selections that you have set for File Analysis if AMP gives a Disposition of LowRisk. Scary.
SHA256: 87136b978a3bd48adc9e8dfa4875407c80a462681961e202f1deabe5b5ff65cd
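The situation described in the post (an initial LowRisk disposition followed hours later by a retrospective Malicious verdict for the same SHA256) is exactly the kind of event worth hunting for in the ESA AMP logs, because it tells you which messages were already delivered before the verdict flipped. The script below is an added example, not part of the original post and not Cisco code: it correlates the initial reputation response with the later retrospective verdict by SHA256 and reports the delay. The log lines are constructed for the example and the field layout is an assumption loosely modelled on the ESA amp log style; adjust the two regexes to what your own ESA actually writes.

```python
import re
from datetime import datetime

# Constructed sample log lines. The field layout is an ASSUMPTION for this
# example (loosely modelled on ESA amp log messages), not verbatim ESA output.
# The hash is the one reported in the post above.
SAMPLE_LOG = """\
Mon Mar 11 09:12:03 2019 Info: Response received for file reputation query from Cloud. File Name = 'invoice.pdf', MID = 4521, Disposition = LOWRISK, Malware = None, Reputation Score = 0, sha256 = 87136b978a3bd48adc9e8dfa4875407c80a462681961e202f1deabe5b5ff65cd, upload_action = 0
Mon Mar 11 09:12:04 2019 Info: Message 4521 delivered
Mon Mar 11 09:30:11 2019 Info: Response received for file reputation query from Cloud. File Name = 'report.docx', MID = 4530, Disposition = CLEAN, Malware = None, Reputation Score = 0, sha256 = 0000000000000000000000000000000000000000000000000000000000000001, upload_action = 0
Mon Mar 11 12:41:17 2019 Info: Retrospective verdict received. SHA256: 87136b978a3bd48adc9e8dfa4875407c80a462681961e202f1deabe5b5ff65cd, Timestamp: 1552308077, Verdict: MALICIOUS
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
TS_RE = r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"

# Initial cloud reputation response: capture MID, disposition and hash.
INITIAL_RE = re.compile(
    TS_RE + r".*Response received for file reputation query.*?"
    r"MID = (?P<mid>\d+).*?Disposition = (?P<disp>\w+).*?sha256 = (?P<sha>[0-9a-f]{64})"
)
# Later retrospective verdict for a hash that was already scored.
RETRO_RE = re.compile(
    TS_RE + r".*Retrospective verdict received\. SHA256: (?P<sha>[0-9a-f]{64})"
    r".*?Verdict: (?P<verdict>\w+)"
)

# Dispositions under which ESA would normally let the attachment through.
PASS_DISPOSITIONS = frozenset({"LOWRISK", "CLEAN", "UNKNOWN"})


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def find_missed_verdicts(log_text, pass_dispositions=PASS_DISPOSITIONS):
    """Return one record per SHA256 that first passed and was later flagged MALICIOUS."""
    initial = {}   # sha256 -> (timestamp, mid, disposition)
    findings = []
    for line in log_text.splitlines():
        m = INITIAL_RE.match(line)
        if m:
            initial[m["sha"]] = (parse_ts(m["ts"]), m["mid"], m["disp"].upper())
            continue
        m = RETRO_RE.match(line)
        if not m or m["verdict"].upper() != "MALICIOUS":
            continue
        retro_ts = parse_ts(m["ts"])
        first = initial.get(m["sha"])
        if first is None:
            # Verdict for a hash we never saw queried in this log window;
            # still report it, but without delivery context.
            findings.append({"sha256": m["sha"], "mid": None,
                             "initial_disposition": None, "delay_seconds": None})
            continue
        first_ts, mid, disp = first
        if disp in pass_dispositions:
            findings.append({
                "sha256": m["sha"],
                "mid": mid,
                "initial_disposition": disp,
                "delay_seconds": int((retro_ts - first_ts).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_missed_verdicts(SAMPLE_LOG):
        hours = f["delay_seconds"] / 3600 if f["delay_seconds"] is not None else None
        print(f"MID {f['mid']}: {f['initial_disposition']} -> MALICIOUS after "
              f"{hours:.2f} h, sha256={f['sha256']}" if hours is not None
              else f"retrospective MALICIOUS without prior query: {f['sha256']}")
```

Each finding gives you the MID to chase in the mail logs for recipients who already received the attachment, which is the practical follow-up regardless of why the initial lookup returned LowRisk.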