ESA AMP two cases

Oleg Volkov
Spotlight

Hello!

I have two test files, AMP results:

one:

4 Aug 2019 15:43:30 (GMT +03:00)   Response received for file reputation query from Cloud. File Name = sample (40).bin.gz, MID = 41090, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = fe617b89b078bd39fa2a03745cd38a61722ae5f4fff9d08b6381711946277070, upload_action = Recommended to send the file for analysis
14 Aug 2019 15:43:32 (GMT +03:00)  Message 41090 scanned by Advanced Malware Protection engine. Final verdict: UNKNOWN(File analysis pending)
14 Aug 2019 15:43:32 (GMT +03:00)  Message 41090 contains attachment 'sample (40).bin.gz' (SHA256 fe617b89b078bd39fa2a03745cd38a61722ae5f4fff9d08b6381711946277070).
14 Aug 2019 15:43:32 (GMT +03:00)  Message 41090 attachment 'sample (40).bin.gz' archive contents unpacked for processing.
14 Aug 2019 15:43:32 (GMT +03:00)  Message 41090 attachment 'sample (40).bin.gz' scanned by Advanced Malware Protection engine. File Disposition: Unknown
14 Aug 2019 15:43:32 (GMT +03:00)  Message 41090 attachment 'data' scanned by Advanced Malware Protection engine. File Disposition: Unknown
14 Aug 2019 15:43:32 (GMT +03:00)  Message 41090 scanned by Outbreak Filters. Verdict: Negative
14 Aug 2019 15:43:32 (GMT +03:00)  Message 41090 queued for delivery.
14 Aug 2019 15:54:25 (GMT +03:00)  File analysis complete. MID = 41090, SHA256 = [b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c], File Name = data, Submit Timestamp = 1565786611, Update Timestamp = 1565787264, Disposition = 3, Score = 95, Analysis Id = 1b022a95de0f7fcbec33e72284813eea, Details = W32.B8E0C51984-95.SBX.TG
14 Aug 2019 18:03:54 (GMT +03:00)  Retrospective verdict received. MID = 41090, SHA256 = b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c, Timestamp = 1565795034.54, Verdict = MALICIOUS, Spyname = W32.RetroDetected


two:

14 Aug 2019 15:25:28 (GMT +03:00)  Response received for file reputation query from Cloud. File Name = sample (33).bin.gz, MID = 41077, Disposition = FILE UNKNOWN, Malware = None, Analysis Score = 0, sha256 = 58c4666c336e5bd2a2112c7dcaf76b10699e4327e9d0bccb68de6519fa441091, upload_action = Recommended to send the file for analysis
14 Aug 2019 15:25:29 (GMT +03:00)  Message 41077 scanned by Advanced Malware Protection engine. Final verdict: UNKNOWN
14 Aug 2019 15:25:29 (GMT +03:00)  Message 41077 contains attachment 'sample (33).bin.gz' (SHA256 58c4666c336e5bd2a2112c7dcaf76b10699e4327e9d0bccb68de6519fa441091).
14 Aug 2019 15:25:29 (GMT +03:00)  Message 41077 attachment 'sample (33).bin.gz' archive contents unpacked for processing.
14 Aug 2019 15:25:29 (GMT +03:00)  Message 41077 attachment 'sample (33).bin.gz' scanned by Advanced Malware Protection engine. File Disposition: Unknown
14 Aug 2019 15:25:29 (GMT +03:00)  Message 41077 attachment 'data' scanned by Advanced Malware Protection engine. File Disposition: Unknown
14 Aug 2019 15:25:30 (GMT +03:00)  Message 41077 scanned by Outbreak Filters. Verdict: Negative
14 Aug 2019 15:25:30 (GMT +03:00)  Message 41077 queued for delivery.


Why, in the second case, do I not see the "File analysis complete" message?

And in both cases TrendMicro shows:

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog

ppreenja
Cisco Employee
Hi Oleg Volkov,

To answer your query: in the first case the file analysis is completed, and it might be showing you the retrospective verdict, which gets populated in the message tracking at a later point in time, once AMP has analyzed the attachment file.
In the second scenario, AMP is yet to complete the analysis and share the retrospective verdict with you. Once AMP has completed the analysis, you should be able to see the same populated in the message tracking at a later point in time.

I hope the above explains.

BR,
Pratham
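As an added example (not code from this thread, from Cisco, or from the ESA itself), here is a small Python parser for message-tracking lines of the kind Oleg posted. It folds the events for each MID into one record, notes whether the message was queued for delivery, whether a "File analysis complete" line has arrived, and whether a retrospective verdict came back, and then flags the situation the first log shows: the attachment was delivered while still UNKNOWN and only marked MALICIOUS hours later, so the message is already in a mailbox when the verdict lands. The sample lines are constructed from the two cases above (same MIDs and hashes, fewer fields); the function names and the classification labels are my own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Constructed sample, modelled on the two cases in the thread (MIDs and hashes
# as posted there). MID 41077 never receives a "File analysis complete" line.
SAMPLE_LOG = """\
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 scanned by Advanced Malware Protection engine. Final verdict: UNKNOWN(File analysis pending)
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 attachment 'data' scanned by Advanced Malware Protection engine. File Disposition: Unknown
14 Aug 2019 15:43:32 (GMT +03:00) Message 41090 queued for delivery.
14 Aug 2019 15:54:25 (GMT +03:00) File analysis complete. MID = 41090, SHA256 = [b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c], File Name = data, Disposition = 3, Score = 95, Details = W32.B8E0C51984-95.SBX.TG
14 Aug 2019 18:03:54 (GMT +03:00) Retrospective verdict received. MID = 41090, SHA256 = b8e0c51984012052e0669c7c20dd0b3f9375431979a9c4397fefe9a325c4ac5c, Verdict = MALICIOUS, Spyname = W32.RetroDetected
14 Aug 2019 15:25:29 (GMT +03:00) Message 41077 scanned by Advanced Malware Protection engine. Final verdict: UNKNOWN
14 Aug 2019 15:25:30 (GMT +03:00) Message 41077 queued for delivery.
"""

# Timestamp format exactly as it appears in the tracking output above.
TS_FMT = "%d %b %Y %H:%M:%S (GMT %z)"
LINE_RE = re.compile(
    r"^(\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2} \(GMT [+-]\d{2}:\d{2}\))\s+(.*)$"
)
# "Message 41090 ..." lines and "... MID = 41090, ..." lines both carry the MID.
MID_RE = re.compile(r"(?:Message|MID =) (\d+)")


@dataclass
class MessageState:
    mid: str
    delivered_at: Optional[datetime] = None
    analysis_pending: bool = False
    analysis_complete: bool = False
    score: Optional[int] = None
    retro_verdict: Optional[str] = None
    retro_at: Optional[datetime] = None


def parse_tracking(text: str) -> Dict[str, MessageState]:
    """Fold message-tracking lines into one state record per MID."""
    states: Dict[str, MessageState] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a tracking line we understand
        ts, event = m.groups()
        when = datetime.strptime(ts, TS_FMT)
        mid_m = MID_RE.search(event)
        if not mid_m:
            continue
        st = states.setdefault(mid_m.group(1), MessageState(mid_m.group(1)))
        if "File analysis pending" in event:
            st.analysis_pending = True
        if event.endswith("queued for delivery."):
            st.delivered_at = when
        if event.startswith("File analysis complete"):
            st.analysis_complete = True
            score = re.search(r"Score = (\d+)", event)
            st.score = int(score.group(1)) if score else None
        if event.startswith("Retrospective verdict received"):
            verdict = re.search(r"Verdict = (\w+)", event)
            st.retro_verdict = verdict.group(1) if verdict else None
            st.retro_at = when
    return states


def classify(st: MessageState) -> str:
    """Label the message by how far AMP got and whether it was delivered first."""
    if st.retro_verdict == "MALICIOUS" and st.delivered_at is not None:
        return "DELIVERED_THEN_MALICIOUS"  # needs follow-up in the mailbox
    if st.retro_verdict is not None:
        return "RETRO_" + st.retro_verdict
    if st.analysis_complete:
        return "ANALYSIS_COMPLETE"
    if st.analysis_pending:
        return "ANALYSIS_PENDING"
    return "AWAITING_VERDICT"  # MID 41077: UNKNOWN, nothing further yet


def exposure_seconds(st: MessageState) -> Optional[int]:
    """Seconds between delivery and the retrospective verdict, if both exist."""
    if st.delivered_at is None or st.retro_at is None:
        return None
    return int((st.retro_at - st.delivered_at).total_seconds())


if __name__ == "__main__":
    for mid, st in parse_tracking(SAMPLE_LOG).items():
        print(mid, classify(st), "exposure seconds:", exposure_seconds(st))
```

Run against the sample, MID 41090 comes out as DELIVERED_THEN_MALICIOUS with an exposure window of 8422 seconds (delivered 15:43:32, retrospective verdict 18:03:54), while MID 41077 is AWAITING_VERDICT with no window, which is the state Pratham describes for the second case. On a real ESA the same logic is useful as a periodic check over exported tracking data: messages in the first state are the ones whose retrospective verdict arrived after delivery and so will not be caught by the delivery-time scan.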