09-08-2023 08:50 AM
Hi all
I found the following message processing details from a Cisco Secure Email Gateway. My query is whether the file "Documents for your perusal.zip" is sent to the Cisco Cloud for analysis or to Secure Malware Analytics (formerly Threat Grid), according to the following message processing details.
File reputation query initiating. File Name = Documents for your perusal.zip, MID = 9841058, File Size = 728066 bytes, File Type = application/zip
Response received for file reputation query from Cloud. File Name = Documents for your perusal.zip, MID = 9841058, Disposition = MALICIOUS, Malware = W32.09024911F3-95.SBX.TG, Analysis Score = 0, sha256 = b89824f26a42f0bad7ecf170e76350e8a7c5f646d4cfb0fd14afd9d438770715, upload_action = Recommended to send the file for analysis, Suspected Malware Categories = None
File not uploaded for analysis. MID = 9841058 File SHA256[09024911f3d62ec33136c9bb207b1d74b8f8b613bd6179f5c2097e328e7f80ab] file mime[text/plain] Reason: The file type is not configured for analysis
Message 9841058 scanned by Advanced Malware Protection engine. Final verdict: MALICIOUS
Message 9841058 contains attachment 'Documents for your perusal.zip' (SHA256 b89824f26a42f0bad7ecf170e76350e8a7c5f646d4cfb0fd14afd9d438770715).
Message 9841058 attachment 'Documents for your perusal.zip' archive contents unpacked for processing.
Message 9841058 attachment 'Documents for your perusal.bat' contains file 'Documents for your perusal.bat' (SHA256 09024911f3d62ec33136c9bb207b1d74b8f8b613bd6179f5c2097e328e7f80ab). Verdict: malicious.
Message 9841058 attachment 'Documents for your perusal.zip' scanned by Advanced Malware Protection engine. File Disposition: Malicious, Spyname: W32.09024911F3-95.SBX.TG
Message 9841058 aborted: Dropped by amp.
09-08-2023 09:17 AM
09-08-2023 10:00 PM
Thanks for the reply. But I think the following log shows it is getting a verdict from TG or the Cisco Cloud for analysis. What do you think?
File reputation query initiating. File Name = কোর্ট পিটিশননোটিশ - info.pdf .gz, MID = 9815023, File Size = 618152 bytes, File Type = application/x-rar
28 Aug 2023 10:28:07 (GMT +06:00)
Response received for file reputation query from Cloud. File Name = কোর্ট পিটিশন নোটিশ - info.pdf .gz, MID = 9815023, Disposition = MALICIOUS, Malware = W32.582008DD25-95.SBX.TG, Analysis Score = 0, sha256 = 051e82ce8f7abe68d41472c1c94b623d9e07de61a4f8b3215d95eeea839d0d88, upload_action = Recommended to send the file for analysis, Suspected Malware Categories = None
Message 9815023 scanned by Advanced Malware Protection engine. Final verdict: MALICIOUS
Message 9815023 contains attachment 'কোর্ট পিটিশননtoo_long_name~0 .gz' (SHA256 051e82ce8f7abe68d41472c1c94b623d9e07de61a4f8b3215d95eeea839d0d88).
Message 9815023 attachment 'কোর্ট পিটিশন নtoo_long_name~0.gz' archive contents unpacked for processing.
Message 9815023 attachment 'notice - info.pdf.exe' contains file 'notice -info.pdf.exe' (SHA256 582008dd259d6c5d7e19ebf31e0501b0b910f16d5e1750877e62babb2c2dc161). Verdict: malicious.
Message 9815023 attachment 'কোর্ট পিটিশন নtoo_long_name~0.gz' scanned by Advanced Malware Protection engine. File Disposition: Malicious, Spyname: W32.582008DD25-95.SBX.TG
09-11-2023 07:06 AM
If the file is known to TG, it will not upload it for analysis, as it already has a verdict of malicious. The way it works is: for any file type you have set to upload for checking, it will check the file hash to see if it is already known. If it is not known, it will upload it for scanning.
TG is not 100%; we have had issues with HTML files being marked OK when they were malicious. We have a rule that strips attachment types that have no business use in emails: .exe, .bat, etc.
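To check this kind of tracking output mechanically rather than by eye, here is a small parser, added to this thread and not part of the original posts or of any Cisco tool. It reads the AMP message-tracking lines in the shape posted above, records the cloud reputation response, any "File not uploaded for analysis" decision, and the files found inside the unpacked archive, and then reports what the lines show about the verdict's origin: a hash reputation lookup answered "from Cloud", with or without a recorded file-analysis upload. It also checks an observation from both samples in the thread: the spyname W32.<prefix>-<score>.SBX.TG carries the first ten hex characters of the SHA256 of the file inside the archive (09024911F3 and 582008DD25 here), so the verdict is tied to a hash that was already known. Treating that naming as a general rule, and the exact wording of the tracking lines, are assumptions drawn from these two samples; the sample log below is constructed from the lines in the thread, with the second sample's spacing quirks kept so the regexes tolerate them.

```python
"""Parse Secure Email Gateway (AMP) message-tracking lines and report where the
verdict came from: a cloud reputation (hash) lookup, with or without an upload."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the events posted in the thread, one event per line,
# wrapped lines re-joined. The second message keeps the missing spaces
# ("sha256 =051e...", "Verdict:malicious.") seen in the posted output.
SAMPLE_LOG = """\
File reputation query initiating. File Name = Documents for your perusal.zip, MID = 9841058, File Size = 728066 bytes, File Type = application/zip
Response received for file reputation query from Cloud. File Name = Documents for your perusal.zip, MID = 9841058, Disposition = MALICIOUS, Malware = W32.09024911F3-95.SBX.TG, Analysis Score = 0, sha256 = b89824f26a42f0bad7ecf170e76350e8a7c5f646d4cfb0fd14afd9d438770715, upload_action = Recommended to send the file for analysis, Suspected Malware Categories = None
File not uploaded for analysis. MID = 9841058 File SHA256[09024911f3d62ec33136c9bb207b1d74b8f8b613bd6179f5c2097e328e7f80ab] file mime[text/plain] Reason: The file type is not configured for analysis
Message 9841058 scanned by Advanced Malware Protection engine. Final verdict: MALICIOUS
Message 9841058 contains attachment 'Documents for your perusal.zip' (SHA256 b89824f26a42f0bad7ecf170e76350e8a7c5f646d4cfb0fd14afd9d438770715).
Message 9841058 attachment 'Documents for your perusal.zip' archive contents unpacked for processing.
Message 9841058 attachment 'Documents for your perusal.bat' contains file 'Documents for your perusal.bat' (SHA256 09024911f3d62ec33136c9bb207b1d74b8f8b613bd6179f5c2097e328e7f80ab). Verdict: malicious.
Message 9841058 attachment 'Documents for your perusal.zip' scanned by Advanced Malware Protection engine. File Disposition: Malicious, Spyname: W32.09024911F3-95.SBX.TG
Message 9841058 aborted: Dropped by amp.
Response received for file reputation query from Cloud. File Name = notice - info.pdf .gz, MID = 9815023, Disposition = MALICIOUS, Malware = W32.582008DD25-95.SBX.TG, Analysis Score = 0, sha256 =051e82ce8f7abe68d41472c1c94b623d9e07de61a4f8b3215d95eeea839d0d88, upload_action =Recommended to send the file for analysis, Suspected Malware Categories = None
Message 9815023 scanned by Advanced Malware Protection engine. Final verdict: MALICIOUS
Message 9815023 attachment 'notice - info.pdf.exe' contains file 'notice -info.pdf.exe' (SHA256582008dd259d6c5d7e19ebf31e0501b0b910f16d5e1750877e62babb2c2dc161). Verdict:malicious.
"""

HEX64 = r"[0-9a-fA-F]{64}"
# Line shapes are taken from the posted tracking output (assumed stable).
RE_RESPONSE = re.compile(
    r"Response received for file reputation query from Cloud\. File Name = (?P<name>.+?), "
    r"MID = (?P<mid>\d+), Disposition = (?P<disp>\w+), Malware = (?P<malware>[^,]+), "
    r"Analysis Score = (?P<score>\d+), sha256 = ?(?P<sha>" + HEX64 + r"), "
    r"upload_action = ?(?P<action>.+?), Suspected Malware Categories")
RE_NOT_UPLOADED = re.compile(
    r"File not uploaded for analysis\. MID = (?P<mid>\d+) File SHA256\[(?P<sha>" + HEX64 +
    r")\] file mime\[(?P<mime>[^\]]+)\] Reason: (?P<reason>.+)")
RE_CONTAINS = re.compile(
    r"Message (?P<mid>\d+) attachment '.+?' contains file '(?P<name>.+?)' "
    r"\(SHA256 ?(?P<sha>" + HEX64 + r")\)\. Verdict: ?(?P<verdict>\w+)")
RE_FINAL = re.compile(
    r"Message (?P<mid>\d+) scanned by Advanced Malware Protection engine\. Final verdict: (?P<verdict>\w+)")
# Naming convention as observed in the two samples (assumption for other data):
# W32.<first 10 hex chars of a SHA256, upper-cased>-<score>.SBX.TG
RE_SBX = re.compile(r"^W32\.(?P<prefix>[0-9A-F]{10})-(?P<score>\d+)\.SBX\.TG$")


@dataclass
class AmpTrace:
    mid: str
    attachment: str = ""
    attachment_sha256: str = ""
    disposition: str = ""
    spyname: str = ""
    analysis_score: int = 0
    upload_action: str = ""
    final_verdict: str = ""
    contained: Dict[str, str] = field(default_factory=dict)             # file name -> sha256
    not_uploaded: List[Tuple[str, str, str]] = field(default_factory=list)  # (sha256, mime, reason)


def parse_amp_trace(text: str) -> Dict[str, AmpTrace]:
    """Group the tracking events by MID; unknown lines are ignored."""
    traces: Dict[str, AmpTrace] = {}
    get = lambda mid: traces.setdefault(mid, AmpTrace(mid=mid))
    for raw in text.splitlines():
        line = raw.strip()
        if (m := RE_RESPONSE.search(line)):
            t = get(m["mid"])
            t.attachment, t.attachment_sha256 = m["name"], m["sha"].lower()
            t.disposition, t.spyname = m["disp"], m["malware"]
            t.analysis_score, t.upload_action = int(m["score"]), m["action"]
        elif (m := RE_NOT_UPLOADED.search(line)):
            get(m["mid"]).not_uploaded.append((m["sha"].lower(), m["mime"], m["reason"]))
        elif (m := RE_CONTAINS.search(line)):
            get(m["mid"]).contained[m["name"]] = m["sha"].lower()
        elif (m := RE_FINAL.search(line)):
            get(m["mid"]).final_verdict = m["verdict"]
    return traces


def spyname_match(t: AmpTrace) -> Optional[str]:
    """Name of the attachment or contained file whose SHA256 starts with the
    prefix embedded in a .SBX.TG spyname, or None if the name has another form."""
    m = RE_SBX.match(t.spyname)
    if not m:
        return None
    prefix = m["prefix"].lower()
    candidates = {t.attachment: t.attachment_sha256, **t.contained}
    return next((name for name, sha in candidates.items() if sha.startswith(prefix)), None)


def verdict_source(t: AmpTrace) -> str:
    """What these lines show about where the verdict came from."""
    if t.not_uploaded:
        reasons = "; ".join(reason for _, _, reason in t.not_uploaded)
        return "reputation lookup only; upload declined: " + reasons
    if t.upload_action.startswith("Recommended to send"):
        return "reputation lookup; upload recommended but no upload record in these lines"
    return "reputation lookup"


if __name__ == "__main__":
    for mid, t in parse_amp_trace(SAMPLE_LOG).items():
        print(mid, t.disposition, t.spyname, "->", spyname_match(t), "|", verdict_source(t))
```

For the first message the output pairs the spyname W32.09024911F3-95.SBX.TG with 'Documents for your perusal.bat' and reports that the upload was declined because the file type is not configured for analysis; for the second it pairs W32.582008DD25-95.SBX.TG with 'notice -info.pdf.exe' and notes that no upload record appears in the posted lines. If your own traces include a line recording a successful upload, add a pattern for it alongside RE_NOT_UPLOADED; none is assumed here because no such line appears in the thread.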