IronPort Inbound File Analysis Report

anotthak8
Level 1

I am trying to determine why a message with a malicious file will go through file analysis but that hash will not show up in the file analysis report.

However, this same hash will show up in the AMP verdict update reports.

Any insight or information will be helpful. Thank you in advance!

1 Accepted Solution

Checking internal tools at this time, I see that SHA as malicious from our cloud.  More than likely, when it passed through your appliance originally, it had not been seen enough to tip the scoring to malicious+.  File Analysis should occur each time a file type matches the characteristics of the AMP engine and passes the pre-classification checks.  There are times when File Analysis does occur and a file is fresh/new enough that it has not been seen/submitted enough to have the general scoring judged.

At this time, when downloading and attempting to use that hash, ThreatGRID detects it as malicious.  In this instance, retrospection did its job and alerted you of the change in disposition of the SHA.

Here are the local logs for that SHA:

May 6 04:44:32 [59] <Notice>: [scan]:[notice]:[file_processor.c@416]:[11748121]: file /Users/robsherw/Downloads/e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.crdownload has disposition MALICIOUS (sha256:E5CBEEAEC2935CC0008353EA304AF53EA243DA98D359699A634FD1FAA62C6FCE, name:DOC.E5CBEEAEC2.malicious.tht.Talos)

Final determination was based on this being name:DOC.E5CBEEAEC2.malicious.tht.Talos

-Robert

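As an added example (this is not Cisco's code and not part of the original thread), the script below parses the AMP scan log line quoted in the accepted solution, normalises the SHA-256 so it can be matched against other reports regardless of case, and models the retrospective verdict flow the thread describes: a hash first seen as UNKNOWN, a message delivered under that verdict, and a later MALICIOUS update that should be tied back to the message that got through. The timeline dates, the message id "msg-0001" and the `VerdictTracker` class are constructed for illustration; only the log line, the SHA and the "first seen 4/26, verdict update 3 days later" sequence come from the thread.

```python
"""Added example (not Cisco's code): parse the AMP scan log line quoted in the
thread and track retrospective verdict changes per SHA-256."""
import hashlib
import re
from datetime import datetime

# Pattern for the local AMP scan log line quoted in the thread.
AMP_LOG_RE = re.compile(
    r"file (?P<path>\S+) has disposition (?P<disposition>[A-Z]+) "
    r"\(sha256:(?P<sha256>[0-9A-Fa-f]{64}), name:(?P<name>[^)]+)\)"
)

# The SHA-256 discussed in the thread.
THREAD_SHA = "e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce"

# Log line quoted by Robert in the thread (constructed here from that quote).
SAMPLE_LOG_LINE = (
    "May 6 04:44:32 [59] <Notice>: [scan]:[notice]:[file_processor.c@416]:[11748121]: "
    "file /Users/robsherw/Downloads/" + THREAD_SHA + ".crdownload has disposition "
    "MALICIOUS (sha256:" + THREAD_SHA.upper() + ", name:DOC.E5CBEEAEC2.malicious.tht.Talos)"
)


def parse_amp_log_line(line):
    """Return a dict with path, disposition, sha256 (lowercased) and name, or None."""
    m = AMP_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sha256"] = rec["sha256"].lower()  # logs and reports mix upper/lower case
    return rec


def sha256_hex(data):
    """Lowercase hex SHA-256 of an attachment's bytes, for matching against reports."""
    return hashlib.sha256(data).hexdigest()


class VerdictTracker:
    """Per-SHA disposition history plus the messages delivered under each verdict.

    Hypothetical helper: models the retrospection flow, not an appliance API.
    """

    def __init__(self):
        self.history = {}    # sha256 -> [(timestamp, disposition), ...]
        self.delivered = {}  # sha256 -> [(timestamp, message_id, disposition_at_delivery), ...]

    def current_disposition(self, sha):
        hist = self.history.get(sha)
        return hist[-1][1] if hist else "UNKNOWN"

    def record_verdict(self, sha, ts, disposition):
        self.history.setdefault(sha, []).append((ts, disposition.upper()))

    def record_delivery(self, sha, ts, message_id):
        disp = self.current_disposition(sha)
        self.delivered.setdefault(sha, []).append((ts, message_id, disp))
        return disp

    def retrospective_alerts(self):
        """Messages delivered while a SHA was not MALICIOUS that later became MALICIOUS."""
        alerts = []
        for sha, deliveries in self.delivered.items():
            if self.current_disposition(sha) != "MALICIOUS":
                continue
            for ts, mid, disp in deliveries:
                if disp != "MALICIOUS":
                    alerts.append({"sha256": sha, "message_id": mid,
                                   "delivered": ts, "delivered_as": disp})
        return alerts


def build_thread_timeline():
    """Constructed timeline matching the thread: UNKNOWN on 4/26, MALICIOUS 3 days later."""
    t = VerdictTracker()
    t.record_verdict(THREAD_SHA, datetime(2016, 4, 26), "UNKNOWN")
    t.record_delivery(THREAD_SHA, datetime(2016, 4, 26), "msg-0001")  # hypothetical message id
    t.record_verdict(THREAD_SHA, datetime(2016, 4, 29), "MALICIOUS")  # AMP verdict update
    rec = parse_amp_log_line(SAMPLE_LOG_LINE)                            # later local scan
    t.record_verdict(rec["sha256"], datetime(2016, 5, 6, 4, 44, 32), rec["disposition"])
    return t


if __name__ == "__main__":
    for alert in build_thread_timeline().retrospective_alerts():
        print(alert)
```

The point of `retrospective_alerts` is the one the accepted solution makes: a file that was UNKNOWN at scan time can be delivered and only later flip to MALICIOUS, so the hash may appear in the AMP verdict update report without appearing as malicious in the file analysis report for the original scan. Keying everything on the lowercased SHA-256 avoids missing a match when one source logs the hash in upper case and another in lower case.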

5 Replies

Robert Sherwin
Cisco Employee

Do you have the SHA?

Have you checked via Virustotal?  Usually, most of our tools crawl against the current definitions from VirusTotal as well, and are usually pretty accurate in comparison.

It may not have scored high enough when it first passed through File Reputation to be deemed necessary to send for File Analysis.  Or, if the file was sent for File Analysis, at the time it still may not have had a malicious score.  If you can provide the SHA, I can look into it further.

Or - review the SHA as per the AMP logs as well.

-Robert

I have checked VirusTotal. It has a detection ratio of 15/56.

SHA256: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce

I believe it did get sent for file analysis because the details stated that the AMP verdict was "file unknown" and "enqueued for transfer to centralized quarantine File Analysis". Does file analysis only happen for a certain amount of time and then leave the file for retrospective analysis? The hash above was initially seen on 4/26 and the AMP verdict update returned a malicious update for the hash 3 days later.

Thanks again Robert!


Since I poked this file, generated the report:

File Name: e5cbeeaec2935cc0008353ea304af53ea243da98d359699a634fd1faa62c6fce.doc
File Size: 108 KB
File Magic: Composite Document File V2 Document
Last Analyzed: 2016-05-06 11:52:17 UTC

Overload of the ThreatGRID report attached, if you wish to see/find out more...

-Robert

Thank you for this well detailed response! How do we determine if a message went through file analysis? Will every unknown file go through file analysis?