07-05-2022 02:28 PM
So, we have some files sent to file analysis that come back as no malware detected, but even on the analysis it comes back as very high threat.
Here is the file in question:
So, I'm guessing it's since the default threat level is 95 and this scored an 85. My question is what do people set this to, to not be too harsh and stop phishing?
Thanks,
07-06-2022 12:57 AM
While TAC do not generally recommend reducing the score below default (90), I have seen customers playing around between 80 - 85. But this was brought up to TAC since some of those were false positive detections due to a lower threshold score than what AMP provides as a final verdict.
This is always a bit of hit and miss. You can monitor them for a while to understand the overall symptoms. But be careful about setting the action to drop since you may end up losing genuine emails.
07-06-2022 06:14 AM
Yeah, looking at others, I see some legit hitting around a score of 81. We are going to try 85 and see what happens.
On a side note, we have 3 ESAs all same model and code version. 1 has a default of 95, the other 2 had a default of 90.