Need some clearfication regarding Cisco Secure Email Gateway

rockbd · ‎09-08-2023

Hi all

I find the following message is a message processing details of a Cisco Secure Email Gateway. My query is whether the file "Documents for your perusal.zip" is sent to Cisco Cloud for analysis or Secure Malware Analytics (formerly Threat Grid) according to the flowing message processing details.

File reputation query initiating. File Name = Documents for your perusal.zip, MID = 9841058, File Size = 728066 bytes,
File Type = application/zip

Response received for file reputation query from Cloud. File Name = Documents for your perusal.zip, MID = 9841058,
Disposition = MALICIOUS, Malware = W32.09024911F3-95.SBX.TG, Analysis Score = 0, sha256 =
b89824f26a42f0bad7ecf170e76350e8a7c5f646d4cfb0fd14afd9d438770715, upload_action = Recommended to send
the file for analysis, Suspected Malware Categories = None

File not uploaded for analysis. MID = 9841058 File
SHA256[09024911f3d62ec33136c9bb207b1d74b8f8b613bd6179f5c2097e328e7f80ab] file mime[text/plain] Reason:
The file type is not configured for analysis

Message 9841058 scanned by Advanced Malware Protection engine. Final verdict: MALICIOUS

Message 9841058 contains attachment 'Documents for your perusal.zip' (SHA256
b89824f26a42f0bad7ecf170e76350e8a7c5f646d4cfb0fd14afd9d438770715).

Message 9841058 attachment 'Documents for your perusal.zip' archive contents unpacked for processing.

Message 9841058 attachment 'Documents for your perusal.bat' contains file 'Documents for your perusal.bat' (SHA256
09024911f3d62ec33136c9bb207b1d74b8f8b613bd6179f5c2097e328e7f80ab). Verdict: malicious.

Message 9841058 attachment 'Documents for your perusal.zip' scanned by Advanced Malware Protection engine. File
Disposition: Malicious, Spyname: W32.09024911F3-95.SBX.TG

Message 9841058 aborted: Dropped by amp.

Ken Stieers · ‎09-08-2023

No, the file was convicted already, without sending it up to TG.
You can check your AMP logs to confirm... you could also check ThreatGrid. If you don't have an account, you should talk to your sales team. There is an "Appliance Admin" account that will allow you to see what's going on from the TG point of view.

rockbd · ‎09-08-2023

Thanks for the reply. But I think the following log shows it is getting a verdict from TG or Cisco Cloud for analysis. What do you think?
File reputation query initiating. File Name = à¦•à§‹à¦°à§à¦Ÿ à¦ªà¦¿à¦Ÿà¦¿à¦¶à¦¨à¦¨à§‹à¦Ÿà¦¿à¦¶ - info.pdf .gz, MID = 9815023, File Size = 618152 bytes, File Type =application/x-rar
28 Aug 2023 10:28:07 (GMT +06:00)
Response received for file reputation query from Cloud. File Name = à¦•à§‹à¦°à§à¦Ÿ à¦ªà¦¿à¦Ÿà¦¿à¦¶à¦¨ à¦¨à§‹à¦Ÿà¦¿à¦¶ - info.pdf .gz, MID = 9815023, Disposition = MALICIOUS,
Key:
Last Event
Malware = W32.582008DD25-95.SBX.TG, Analysis Score = 0, sha256 =051e82ce8f7abe68d41472c1c94b623d9e07de61a4f8b3215d95eeea839d0d88, upload_action =Recommended to send the file for analysis, Suspected Malware Categories = None
Message 9815023 scanned by Advanced Malware Protection engine. Final verdict: MALICIOUS
Message 9815023 contains attachment 'à¦•à§‹à¦°à§à¦Ÿ à¦ªà¦¿à¦Ÿà¦¿à¦¶à¦¨à¦¨􀎵too_long_name~0 .gz' (SHA256051e82ce8f7abe68d41472c1c94b623d9e07de61a4f8b3215d95eeea839d0d88).
Message 9815023 attachment 'à¦•à§‹à¦°à§à¦Ÿ à¦ªà¦¿à¦Ÿà¦¿à¦¶à¦¨ à¦¨􀎵too_long_name~0.gz' archive contents unpacked for processing.
Message 9815023 attachment 'notice - info.pdf.exe' contains file 'notice -info.pdf.exe' (SHA256582008dd259d6c5d7e19ebf31e0501b0b910f16d5e1750877e62babb2c2dc161). Verdict:malicious.
Message 9815023 attachment 'à¦•à§‹à¦°à§à¦Ÿ à¦ªà¦¿à¦Ÿà¦¿à¦¶à¦¨ à¦¨􀎵too_long_name~0.gz' scanned by Advanced Malware Protection engine. File Disposition: Malicious, Spyname:W32.582008DD25-95.SBX.TG

Dustin Anderson · ‎09-11-2023

If the file is known to TG, it will not upload it for analysis as it already has a verdict of malicious. The way it works is any file type you have set to upload for checking, it will check the file hash to see if it is already known. If it is not known, it will upload for scanning.

TG is not 100%, we have had issues with HTML files being marked OK when they were malicious. We have a rule that strips attachment types that have no business use in emails. exe, bat etc.