
High Count of Unknown Disposition by AMP

jackson_j16 (Level 1)

Hello, when we review the SMA report for files dispositioned by the AMP feature, we are seeing a high number of Unknown dispositions. How can we improve this?

E.g. 1-day view (screenshot: image.png)

7 Replies

SriramV (Cisco Employee)

Can you share info about what kinds of file types are sent to AMP?

Our configuration is to upload all file types that are available from the Cisco ESA.

First you need to check which file type is causing the unknown disposition. Follow this troubleshooting guide to narrow down the issue:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118796-technote-esa-00.html

A relatively similar question was already answered by a community member:

https://community.cisco.com/t5/email-security/esa-amp-two-cases/td-p/3908546

There is a variety of different file types (e.g. xlsx, pdf, html, etc.) that are in Unknown disposition.

(screenshot: image.png)

Raise a TAC case, as they can analyse the sample data and the respective logs.

Hi Sriram - we opened a ticket in July last year, and TAC's answer was that "Unknown is a disposition for the attachments given by the file reputation server; it is not necessary that all the Unknown verdicts will be uploaded to the File Analysis servers, as it depends on the pre-classification engine and criteria on how they will behave when downloaded. It is only when there is active/dynamic content in the file that it is uploaded."

This explanation is concerning to me, so let me know if it's not a legitimate concern:

- Email security devices are supposed to be the primary defense mechanism, so the fact that 89% of the emails with attachments that are not known to Cisco's File Analysis servers will not be further analyzed before being released to the user is concerning.

- This 89% means there is potential for some percentage of emails with malicious content to reach the users.

- Though there is retrospective action, the fact that 89% of emails are being allowed in the first place is a huge number.

Does Cisco not see the risk with this?

TAC is correct; TAC must have analysed this before responding to such issues.

If there is no active/dynamic content in the attachment, why do we need to analyse it further?

The ESA AMP engine uses the libclamav library; ClamAV does pre-classification for AMP and reviews the attachments in the emails to determine whether they need to be uploaded to the file analysis server.

If you are still skeptical about the AMP engine, send a malware attachment and verify it. If this fails, then your concern is legitimate.

Malware (malicious software) is any script or binary code (executables, binary shell code, scripts, and firmware) that performs some malicious activity. A simple way to test is just by adding some macros to an MS Office Word or Excel document.
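As an added illustration of the kind of pre-classification check the thread describes (an attachment with an Unknown reputation is sent for dynamic analysis only if it carries active or dynamic content), here is a small Python triage script written for this page. It is not Cisco's, ClamAV's or the ESA's actual pre-classification logic; the marker lists, the function names (`has_active_content`, `triage`, `summarize`, `make_ooxml`) and the sample attachments (built in memory, none of them real malware) are assumptions made for the example. It covers the file types the original post lists as Unknown (xlsx, pdf, html) plus legacy binary Office files.

```python
from __future__ import annotations

import io
import re
import zipfile

# Marker sets are assumptions for this illustration, not Cisco's or ClamAV's
# real pre-classification rules.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
PDF_ACTIVE_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")
HTML_ACTIVE_RE = re.compile(rb"<script\b|\son[a-z]+\s*=", re.IGNORECASE)


def has_active_content(data: bytes) -> tuple[bool, str]:
    """Classify an attachment by its content (not by its file name).

    Returns (active, reason). 'active' mirrors the thread's criterion: only
    attachments with active/dynamic content are worth uploading for analysis.
    """
    # OOXML (docx/xlsx/pptx) is a zip container; macro-enabled documents carry
    # a vbaProject.bin part, so its presence is the macro indicator.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                parts = zf.namelist()
        except zipfile.BadZipFile:
            return True, "zip: unreadable container, treat as suspicious"
        vba = [p for p in parts if p.lower().endswith("vbaproject.bin")]
        if vba:
            return True, f"ooxml: VBA project present ({vba[0]})"
        return False, "ooxml: no VBA project"

    # Legacy binary Office (doc/xls): crude check for the VBA storage name.
    if data.startswith(OLE2_MAGIC):
        if b"_VBA_PROJECT" in data or "VBA".encode("utf-16-le") in data:
            return True, "ole2: VBA storage present"
        return False, "ole2: no VBA storage found"

    # PDF: JavaScript, auto-run actions and launch actions are dynamic content.
    if data.startswith(b"%PDF"):
        hits = sorted({m.decode() for m in PDF_ACTIVE_RE.findall(data)})
        if hits:
            return True, "pdf: " + ", ".join(hits)
        return False, "pdf: no script or action markers"

    # HTML: inline script or event handlers run when the attachment is opened.
    head = data[:1024].lower()
    if b"<html" in head or b"<!doctype html" in head:
        if HTML_ACTIVE_RE.search(data):
            return True, "html: script or event handler present"
        return False, "html: static markup only"

    return False, "unrecognised type: no active-content rule"


def triage(attachments: dict[str, bytes]) -> dict[str, tuple[bool, str]]:
    """Run the check over a batch of {name: bytes} and return each verdict."""
    return {name: has_active_content(blob) for name, blob in attachments.items()}


def summarize(attachments: dict[str, bytes]) -> tuple[int, int]:
    """Return (would_upload, would_skip) counts, the split TAC described."""
    verdicts = triage(attachments)
    upload = sum(1 for active, _ in verdicts.values() if active)
    return upload, len(verdicts) - upload


def make_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-like zip (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()


# Constructed sample attachments for the file types the thread lists as
# Unknown (xlsx, pdf, html). None of these is real malware.
SAMPLES = {
    "report.xlsm": make_ooxml(with_macro=True),
    "report.xlsx": make_ooxml(with_macro=False),
    "invoice.pdf": (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                    b"2 0 obj << /S /JavaScript /JS (doSomething()) >> endobj\n%%EOF\n"),
    "brochure.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n",
    "newsletter.html": b"<html><body><script>doSomething()</script></body></html>",
    "plain.html": b"<!DOCTYPE html><html><body><p>Hello</p></body></html>",
}

if __name__ == "__main__":
    for name, (active, reason) in triage(SAMPLES).items():
        print(f"{name:16} {'UPLOAD' if active else 'skip  '}  {reason}")
    print("would upload / would skip:", summarize(SAMPLES))
```

The script keys off magic bytes rather than the file extension, because an attacker controls the name; the `report.xlsm` sample is the in-memory counterpart of the macro-document test suggested above, and `summarize` reproduces the split TAC described between Unknown attachments that would be uploaded and those that would be skipped. A real pre-classifier looks at far more than these markers, so a "skip" verdict here is not evidence that a file is safe.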