ESA - AMP Reporting: Total Items scanned?

kbachemin1
Level 1

Does anyone know if there is a way to get the total number of items scanned by the AMP feature aside of getting the number of items AMP actually stopped? I've looked through a number of the console screens but none seem to give that indication of total scanned in any sort of simple report.

thanks

2 Replies

Hi, this is coming with AsyncOS 10 (first and third bullets):

Advanced Malware Protection page includes the following enhancements:

  • A new graph that shows the incoming files handled by AMP in percentage based on the verdicts (Clean, Malicious, Unknown, Unscannable).
  • A new graph that shows the top incoming malware files based on the file types.
  • A new table that shows the number of incoming files handled by AMP based on the verdicts (Clean, Malicious, Unknown, Unscannable). Click on the file count to view the related messages in Message Tracking.
  • Incoming Malware Threat Files Report
    • Incoming Malware Threat Files report now shows the name of the file(s) associated with a SHA-256 hash.
    • If you click on a SHA-256 hash, a new page that shows file reputation and analysis summary for the specified SHA-256 hash is displayed.
    • Click on the number of infected messages to view the related messages in Message Tracking.

Don't forget to check maximums for AMP Threat Grid file submission: http://www.cisco.com/c/dam/en/us/td/docs/security/content_security/content_security_general/Content-security-file-reputation-and-analysis-criteria.pdf

Libin Varghese
Cisco Employee

Hi,

I do not see a report to do so, as AMP ideally would scan all emails with attachments; file reputation evaluates most file types.

We could however grep the mail_logs to get a rough count.

grep "Sep.*AMP file reputation verdict" mail_logs -c

Here -c is used to get a count of all entries that match the term "AMP file reputation verdict" for the month of September.

Since the file reputation verdict is the first step in AMP scanning this should give you a close enough count.

You can modify the first part of the search term to vary the date or month to look for.

For instance:
grep "Sep 5.*AMP file reputation verdict" mail_logs -c
grep "Sep 10.*AMP file reputation verdict" mail_logs -c
grep "Jul.*AMP file reputation verdict" mail_logs -c

Thanks
Libin
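The grep approach above counts verdict lines, which is a per-file count rather than a per-message one when a message carries several attachments. The following script is an added example (not from either reply or from Cisco) that does the same month/day filtering offline and additionally breaks the count down by verdict (Clean, Malicious, Unknown, Unscannable) and by distinct MID. The mail_logs line format and the one-verdict-line-per-attachment behaviour are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample mail_logs lines (format approximated, not real ESA output).
# Assumption: each scanned attachment gets its own verdict line, so one
# message (MID 1001) can produce several lines.
SAMPLE_MAIL_LOGS = """\
Tue Sep 5 10:02:15 2017 Info: MID 1001 AMP file reputation verdict : CLEAN - report.pdf
Tue Sep 5 10:02:16 2017 Info: MID 1001 AMP file reputation verdict : MALICIOUS - invoice.exe
Tue Sep 5 10:03:40 2017 Info: MID 1002 AMP file reputation verdict : UNKNOWN - notes.docx
Sun Sep 10 08:11:02 2017 Info: MID 1050 AMP file reputation verdict : UNSCANNABLE - archive.7z
Sun Sep 10 08:11:09 2017 Info: Message finished MID 1050 done
Mon Jul 17 14:20:01 2017 Info: MID 900 AMP file reputation verdict : CLEAN - brochure.pdf
"""

# Timestamp prefix, then the marker the reply greps for. The day field accepts
# one or more spaces before it, since some syslog-style formats pad it.
VERDICT_RE = re.compile(
    r"^\w{3} (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d{2}:\d{2}:\d{2} \d{4} "
    r"Info: MID (?P<mid>\d+) AMP file reputation verdict : (?P<verdict>[A-Z]+)"
)


def count_verdicts(log_text, month=None, day=None):
    """Count AMP file reputation verdict entries, optionally for one month/day.

    Returns a dict with 'files' (verdict lines, i.e. what `grep -c` counts),
    'messages' (distinct MIDs) and 'by_verdict' (Counter keyed by verdict).
    """
    files = 0
    mids = set()
    by_verdict = Counter()
    for line in log_text.splitlines():
        m = VERDICT_RE.match(line)
        if not m:
            continue  # not a verdict line (e.g. "Message finished")
        if month is not None and m.group("mon") != month:
            continue
        if day is not None and int(m.group("day")) != day:
            continue
        files += 1
        mids.add(int(m.group("mid")))
        by_verdict[m.group("verdict")] += 1
    return {"files": files, "messages": len(mids), "by_verdict": by_verdict}


if __name__ == "__main__":
    for label, kw in (("all", {}), ("Sep", {"month": "Sep"}),
                      ("Sep 5", {"month": "Sep", "day": 5})):
        print(label, count_verdicts(SAMPLE_MAIL_LOGS, **kw))
```

Run it against a real mail_logs by replacing SAMPLE_MAIL_LOGS with the file contents; if the appliance's line format differs, adjust VERDICT_RE before trusting the numbers.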