06-09-2021 09:52 AM
Hello. When we review the SMA report for files dispositioned by the AMP feature, we are seeing a high number of Unknown Dispositions. How can we improve this?
E.g. 1 Day view
06-09-2021 10:35 AM
Can you share info about what kinds of file types are sent to AMP?
06-09-2021 10:57 AM
Our configuration is to upload all file types that are available from Cisco ESA.
06-10-2021 01:10 AM
First you need to check which file type is causing the unknown disposition. Follow this troubleshooting guide to narrow down the issue.
A relatively similar question was already answered by a community member:
https://community.cisco.com/t5/email-security/esa-amp-two-cases/td-p/3908546
06-10-2021 07:34 AM
There is a variety of different file types (e.g. xlsx, pdf, html, etc.) that are in Unknown Disposition.
06-10-2021 11:45 PM
Raise a TAC case, as they can analyse the sample data and the respective logs.
06-14-2021 03:20 AM
Hi Sriram, we opened a ticket in July last year and TAC's answer was that "Unknown is a disposition for the attachments given by the file reputation server; it is not necessary that all the Unknown verdicts will be uploaded to the File Analysis servers, as it depends on the pre-classification engine and criteria on how they will behave when downloaded. Only if there is Active/Dynamic content in the file is it uploaded."
This explanation is concerning to me, so let me know if it's not a legitimate concern:
- Email Security Devices are supposed to be the primary defense mechanism, so the fact that 89% of the emails with attachments that are not known to Cisco's File Analysis servers will not be further analyzed before being released to the user is concerning.
- This 89% means there is a potential for some percentage of those emails with malicious content to reach the users.
- Though there is retrospective action, the fact that 89% of emails are being allowed in the first place is a huge number.
Doesn't Cisco see the risk with this?
06-14-2021 05:37 AM
TAC is correct; TAC must have analysed before responding to such issues.
If there is no active/dynamic content in the attachment, why do we need to analyse further?
The ESA AMP engine uses the libclamav library; ClamAV does pre-classification for AMP and reviews the attachments in the emails to determine if they need to be uploaded to the file analysis server.
If you are still skeptical about the AMP engine, send a malware attachment and verify it. If this fails, then your concern is legitimate.
Malware (malicious software) is any script or binary code (executables, binary shell code, scripts, and firmware) that performs some malicious activity. A simple way to test is just by adding some macros to an MS Office doc or Excel file.
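To make the pre-classification idea in the reply above concrete (Unknown reputation plus active content leads to an upload; Unknown without active content does not), here is a simplified, added illustration with constructed in-memory attachments. It is not Cisco ESA or ClamAV code; the macro part names and the PDF keyword check are assumptions standing in for the far richer heuristics a real pre-classifier applies.

```python
"""Illustrative triage of an Unknown-disposition attachment: does it carry
active content that would justify sending it for dynamic File Analysis?
Constructed example, not the ESA/ClamAV pre-classification engine."""
import io
import zipfile

# OOXML part names that hold VBA macro projects (assumed, well-known paths).
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
# PDF tokens that indicate embedded script or auto-run actions (assumed heuristic).
PDF_ACTIVE_TOKENS = (b"/JavaScript", b"/OpenAction", b"/Launch")


def has_active_content(data: bytes) -> bool:
    """Return True when the attachment shows signs of active/dynamic content."""
    if data.startswith(b"%PDF"):
        return any(tok in data for tok in PDF_ACTIVE_TOKENS)
    if data.startswith(b"PK"):  # OOXML documents are zip containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return bool(set(z.namelist()) & MACRO_PARTS)
        except zipfile.BadZipFile:
            return False
    return False  # plain text, images, etc.: nothing to execute


def classify(attachment: bytes) -> str:
    """Outcome for a file whose reputation lookup returned Unknown, following
    the TAC explanation quoted in the thread."""
    return "upload_for_analysis" if has_active_content(attachment) else "unknown_no_upload"


def make_docx(with_macro: bool) -> bytes:
    """Build a minimal constructed Word container, optionally with a macro part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "plain.docx": make_docx(False),
        "macro.docm": make_docx(True),
        "static.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
        "script.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript >> >> endobj\n",
    }
    for name, data in samples.items():
        print(f"{name}: {classify(data)}")
```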