cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2900
Views
0
Helpful
5
Replies

IronPort Inbound File Analysis Report

anotthak8
Level 1
Level 1

I am trying to determine why a message with a malicious file will go through file analysis but that hash will not show up in the file analysis report.

However, this same hash will show up in the AMP verdict update reports.

Any insight or information will be helpful. Thank you in advance!

1 Accepted Solution

Accepted Solutions

Checking internal tools at this time, I see that SHA as malicious from our cloud.  More than likely, when it passed through your appliance originally, it had not been seen enough to tip the scoring to malicious+.  File Analysis should occur each time a file type matches the characteristics of the AMP engine and passes the pre-classification checks.  There are times when File Analysis does occur, and a file is fresh/new enough - where it has not been seen/submitted enough to have the general scoring judged.

At this time, when downloading and attempting to use that hash - ThreatGRID detects it as malicious.  In this instance - retrospection did it's job, and alerted you of the change in disposition of the SHA.

Here is local logs of that SHA:

May 6 04:44:32 [59] <Notice>: [scan]:[notice]:[file_processor.c@416]:[11748121]: file /Users/robsherw/Downloads/e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.crdownload has disposition MALICIOUS (sha256:E5CBEEAEC2935CC0008353EA304AF53EA243DA98D359699A634FD1FAA62C6FCE, name:DOC.E5CBEEAEC2.malicious.tht.Talos)

Final determination was based that this is name:DOC.E5CBEEAEC2.malicious.tht.Talos

-Robert

View solution in original post

5 Replies 5

Robert Sherwin
Cisco Employee
Cisco Employee

Do you have the SHA?

Have you checked via Virustotal?  Usually, most of our tools crawl against the current definitions from VirusTotal as well, and are usually pretty accurate in comparison.

It may have not scored high enough when first passed through File Reputation that it was not deemed needed to send for File Analysis.  Or, if the file was sent for File Analysis, at the time it still may not have been malicious scoring.  If you can provide the SHA, can look into further.

Or - review the SHA as per the AMP logs as well.

-Robert

I have checked VirusTotal. It has a detection ratio of 15/56.

SHA256: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce

I believe it did get sent for file analysis because details stated that AMP verdict was "file unknown" and "enqueued for transfer to centralized quarantine File Analysis". Does file analysis only happen for a certain amount of time the lenave file analysis for retrospection analysis? The hash above was initially seen on 4/26 and the AMP verdict update returned with a malicious update for the hash 3 days later.

Thanks again Robert!

Checking internal tools at this time, I see that SHA as malicious from our cloud.  More than likely, when it passed through your appliance originally, it had not been seen enough to tip the scoring to malicious+.  File Analysis should occur each time a file type matches the characteristics of the AMP engine and passes the pre-classification checks.  There are times when File Analysis does occur, and a file is fresh/new enough - where it has not been seen/submitted enough to have the general scoring judged.

At this time, when downloading and attempting to use that hash - ThreatGRID detects it as malicious.  In this instance - retrospection did it's job, and alerted you of the change in disposition of the SHA.

Here is local logs of that SHA:

May 6 04:44:32 [59] <Notice>: [scan]:[notice]:[file_processor.c@416]:[11748121]: file /Users/robsherw/Downloads/e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.crdownload has disposition MALICIOUS (sha256:E5CBEEAEC2935CC0008353EA304AF53EA243DA98D359699A634FD1FAA62C6FCE, name:DOC.E5CBEEAEC2.malicious.tht.Talos)

Final determination was based that this is name:DOC.E5CBEEAEC2.malicious.tht.Talos

-Robert

Since I poked this file, generated the report:

File Name: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
File Size: 108 KB
File Magic: Composite Document File V2 Document
Last Analyzed: 2016-05-06 11:52:17 UTC

Overload of the ThreatGRID report attached, if you wish to see/find out more...

-Robert

Thank you for this well detailed response! How do we determine if a message went through file analysis? Will every unknown file go through file analysis?