Malware disposition changes to Unknown randomly

syed.mohsin
Level 1

Hi, we have had ASA deployed for the last few months and everything is working fine, but we have observed that sometimes, when a file is given a Malware disposition by the Cisco Cloud, it randomly changes to 'Unknown' and that malicious file is passed on to the internal network with the action Malware Cloud Lookup. Due to this abnormal behavior we are seeing multiple malicious files passing through the ASA. A snapshot is attached.

FMC Version: 6.2.1 (build 342)

ASA Version 9.5

Why does the Malware disposition change randomly to Unknown? Is this normal behavior?

Thanks.

4 Replies

Libin Varghese
Cisco Employee

I would recommend posting this query to the dedicated support forums for ASA.

For AMP integrated with ESA, it would be normal for a file to be initially classified as unknown and later malicious which results in a retrospective verdict.

From the ESA end user guide:

Threat verdicts can change as new information emerges. A file may initially be evaluated as unknown or clean, and the file may therefore be released to the recipient. If the threat verdict changes as new information becomes available, you will be alerted, and the file and its new verdict appear in the AMP Verdict Updates report. You can investigate the point-of-entry message as a starting point to remediating any impacts of the threat.

However, you may want to confirm if ASA performs differently in that scenario.

Regards,

Libin Varghese

Hi, thanks for the response. I don't know how it is in the email category, but my case is different: as I have shared in the screenshot, the Unknown disposition is occurring after the Malware disposition. I have no concerns if it initially says Unknown, but the problem here is that a malware file, after a long time, changes to Unknown and then changes back to Malware. This is abnormal.
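The two verdict changes discussed in this thread, the expected retrospective escalation (Unknown/Clean to Malware, as the ESA guide describes) and the regression the original poster reports (Malware back to Unknown, with the file allowed through under Malware Cloud Lookup), can be told apart by walking each file's disposition history. The following is an added example, not code from the thread or from Cisco; the events are constructed in the style of an FMC file-event export with placeholder hashes, and the "Malware Block" action name is an assumption (only "Malware Cloud Lookup" appears in the thread).

```python
from collections import defaultdict

# Constructed sample events (placeholder hashes, not real indicators):
# (timestamp, sha256, disposition, action)
EVENTS = [
    ("2017-08-01T09:00:00", "sha256-A-placeholder", "Unknown", "Malware Cloud Lookup"),
    ("2017-08-01T11:30:00", "sha256-A-placeholder", "Malware", "Malware Block"),
    ("2017-08-01T09:05:00", "sha256-B-placeholder", "Malware", "Malware Block"),
    ("2017-08-03T14:00:00", "sha256-B-placeholder", "Unknown", "Malware Cloud Lookup"),
    ("2017-08-03T16:00:00", "sha256-B-placeholder", "Malware", "Malware Block"),
    ("2017-08-02T08:00:00", "sha256-C-placeholder", "Clean", "Malware Cloud Lookup"),
]

MALICIOUS = {"Malware"}

def verdict_history(events):
    """Group events per file hash, ordered by ISO timestamp."""
    by_hash = defaultdict(list)
    for ts, sha, disp, action in sorted(events):
        by_hash[sha].append((ts, disp, action))
    return by_hash

def classify_transitions(events):
    """Label each disposition change per file:
    'retrospective' = non-malicious -> Malware (expected, per the ESA guide),
    'regression'    = Malware -> non-malicious (the behaviour reported above)."""
    out = []
    for sha, hist in verdict_history(events).items():
        for (_, prev, _), (ts, cur, _) in zip(hist, hist[1:]):
            if prev == cur:
                continue
            if cur in MALICIOUS and prev not in MALICIOUS:
                kind = "retrospective"
            elif prev in MALICIOUS and cur not in MALICIOUS:
                kind = "regression"
            else:
                kind = "other"
            out.append((sha, ts, prev, cur, kind))
    return out

def allowed_after_malware_verdict(events):
    """Hashes allowed through (cloud-lookup action, non-malicious disposition)
    after an earlier Malware verdict: the files worth investigating first."""
    flagged = set()
    for sha, hist in verdict_history(events).items():
        seen_malware = False
        for _, disp, action in hist:
            if disp in MALICIOUS:
                seen_malware = True
            elif seen_malware and action == "Malware Cloud Lookup":
                flagged.add(sha)
    return sorted(flagged)
```

Running it on a real export only requires replacing `EVENTS` with the exported rows in the same tuple shape; the regression list is what to take to support, the retrospective list is normal AMP behaviour.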

I see an AMP forum here where you can try posting this query.

https://supportforums.cisco.com/t5/advanced-malware-protection-amp/bd-p/12249516-discussions-amp

To post to a dedicated product forum, you can select one of the forums here:

https://supportforums.cisco.com/t5/security/ct-p/4561-security

- Libin V

Thanks. I have posted it there.