cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2685
Views
5
Helpful
7
Replies

High Count of Unknown Disposition by AMP

jackson_j16
Level 1
Level 1

Hello, When we review the SMA report for Files dispositioned by AMP feature, we are seeing a high amount of Unknown Dispositions. How can we improve this?

E.g. 1 Day view

image.png

7 Replies 7

SriramV
Cisco Employee
Cisco Employee

can you share info about what kind of files types are sent to AMP ?

Our configuration is to upload all File types that`s available from Cisco ESA.

First need to check which file type causing unknown disposition. follow this troubleshooting guide to narrow down the issue 

 

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118796-technote-esa-00.html

 

Relatively similar question was already answered by community member. 

https://community.cisco.com/t5/email-security/esa-amp-two-cases/td-p/3908546

 

 

There is a variety of different file types (e.g. Xlsx, pdf, html etc) that are in Unknown Disposition.

image.png

Rise a TAC Case. as they can analyse the sample data and respective logs.

Hi Sriram - We have opened ticket in July last year and TACs Answer was that "Unknown is a disposition for the attachments given by the file reputation server, it is not necessary that all the Unknown verdicts will be uploaded to the File Analysis servers as it depends on the pre-classification engine and criteria on how they will behave when downloaded. If there is an Active/Dynamic content on the file that is only when it is uploaded."

This explanation is concerning to me, so let me know if its not a legitimate concern:

- Email Security Device are supposed to be the primary defense mechanism and so 89% of the emails with attachments that are not known to Cisco`s File Analysis servers, will not be further analyzed before being released to the user is concerning

- As, this 89% means there is potential of some % emails from that with malicious content to reach the users.

- Though there is retrospective action, but the fact that 89% of emails being allowed in the 1st place is a huge number

Does Cisco doesn't see the risk with this?

TAC is correct, TAC must have analysed before responding to such issues.

if there is no Active / Dynamic content in attachment, why do we need to analyse further. 

 

ESA AMP engine uses libclamav library, ClamAV does pre-classification for the AMP and reviews the attachments in the emails to determine if this needs to be uploaded to the file analysis server.

 

if you are still skeptical about the amp engine, send a Malware attachment and verify it. if this fails then your concern legitimate.

 

Malware (malicious software) are any script or binary code (executables, binary shell code, script, and firmware)that performs some malicious activity. simple way to test is, just by adding some macros in ms office doc or excel.