Quarantine Unknown Files Until AMP Reaches a Verdict

anotthak8
Level 1

Is it possible to quarantine an unknown file until AMP reaches a verdict. I currently have the incoming mail policy for AMP to quarantine messages that are pending file analysis. In the file analysis quarantine, I have the default action to retain for 15 minutes then release. I set it to 15 minutes because AMP reaches a verdict within 7-15 minutes. However, this does not appear to be working. Any help or insight would be greatly appreciated.

Thank you!

Accepted Solution

Robert Sherwin
Cisco Employee

Which version of AsyncOS is running on your ESA?  Is this using cloud for File Analysis, or do you have an on-prem ThreatGRID appliance?

What do the AMP logs show for SHA results?  After the file is uploaded, you should see a verdict returned:

Fri Mar 18 14:38:48 2016 Info: File Analysis is running for SHA:368212b7908de1eec210a197b8ac7639f97aaa24d4b6802b62a98f8075219c8a

Fri Mar 18 14:43:51 2016 Info: File Analysis complete. SHA256: 368212b7908de1eec210a197b8ac7639f97aaa24d4b6802b62a98f8075219c8a, Submit Timestamp: 1458325931, Update Timestamp: 1458326631, Disposition: 1 Score: 0, run_id: 139816787 Details: Analysis is completed for the File SHA256[368212b7908de1eec210a197b8ac7639f97aaa24d4b6802b62a98f8075219c8a] Spyname:[None]

You can increase the quarantine time for File Analysis for as long as you see fit.  Retrospective verdicts will be delivered after a file has been released, for administrator notification.

If you feel there is an issue with the actual service for the File Analysis aspect, it would be in your best interest to open a support case so that we can take a closer look.

-Robert


7 Replies


Our ESA is currently running AsyncOS 9.6.

For the SHA results, I do not see "File Analysis is running for". There are two results in the message detail and what I initially get is:

19 Apr 2016 10:24:16 (GMT -08:00) Message 2524661 contains attachment 'file.doc' (SHA256 c4ada45142b80e8ac6ed605c68de855e8cd88af7205a48bdc137b201668980ee).
19 Apr 2016 10:24:16 (GMT -08:00) Message 2524661 scanned by Outbreak Filters. Verdict: Negative
19 Apr 2016 10:24:16 (GMT -08:00) Message 2524661 enqueued for transfer to centralized quarantine File Analysis. Advanced Malware Protection verdict: file unknown.
19 Apr 2016 10:24:16 (GMT -08:00) Message 2524661 queued for delivery.

The second part (I am assuming this is after it is released from quarantine but I do understand why it is not being released 15 minutes later after I set it to 15 minutes)

19 Apr 2016 10:24:24 (GMT -08:00) Message 2524664 scanned by Advanced Malware Protection engine. Final verdict: clean
19 Apr 2016 10:24:24 (GMT -08:00) Message 2524664 contains attachment 'file.doc' (SHA256 c4ada45142b80e8ac6ed605c68de855e8cd88af7205a48bdc137b201668980ee).
19 Apr 2016 10:24:24 (GMT -08:00) Message 2524664 queued for delivery

Take your SHA and manually query the AMP logs from CLI.

> grep <SHA> amp

I do not believe that these sub-logging lines are placed in message tracking, and would not be available from the GUI Message Tracking.

That mail message is being splintered, since you are seeing two separate MID.

Can you validate that you have AMP set to quarantine messages for analysis, from Mail Policies > Incoming Mail Policies > Policy Name > Advanced Malware Protection column:

When running grep against a MID from mail_logs, you should see something similar for the action when AMP quarantines and releases from quarantine:

Thu Apr 21 12:13:21 2016 Info: MID 524207227 SHA f9a1bae8960820c9c0cd6f42f486e1dcdd534c155ac4665d03729ed2659a7aeb filename SKM_454e16042112110.pdf queued for possible file analysis upload
Thu Apr 21 12:13:21 2016 Info: MID 524207227 attachment 'SKM_454e16042112110.pdf'
Thu Apr 21 12:13:21 2016 Info: MID 524207227 Outbreak Filters: verdict negative
Thu Apr 21 12:13:21 2016 Info: MID 524207227 quarantined to "File Analysis" (File Analysis Pending:file unknown)
Thu Apr 21 12:13:21 2016 Info: Message finished MID 524207227 done
Thu Apr 21 12:26:55 2016 Info: MID 524207227 released from quarantine "File Analysis" (File Analysis completed) t=814
Thu Apr 21 12:26:55 2016 Info: MID 524207227 released from all quarantines

The associated SHA when grep issued against amp logs:

Thu Apr 21 12:13:29 2016 Info: File uploaded for analysis. SHA256: f9a1bae8960820c9c0cd6f42f486e1dcdd534c155ac4665d03729ed2659a7aeb
Thu Apr 21 12:21:56 2016 Info: Sandbox status event received for SHA: f9a1bae8960820c9c0cd6f42f486e1dcdd534c155ac4665d03729ed2659a7aeb
Thu Apr 21 12:21:56 2016 Info: File Analysis is running for SHA:f9a1bae8960820c9c0cd6f42f486e1dcdd534c155ac4665d03729ed2659a7aeb
Thu Apr 21 12:26:55 2016 Info: Sandbox status event received for SHA: f9a1bae8960820c9c0cd6f42f486e1dcdd534c155ac4665d03729ed2659a7aeb
Thu Apr 21 12:26:55 2016 Info: File Analysis complete. SHA256: f9a1bae8960820c9c0cd6f42f486e1dcdd534c155ac4665d03729ed2659a7aeb, Submit Timestamp: 1461255209, Update Timestamp: 1461256015, Disposition: 1 Score: 0, run_id: 147457352 Details: Analysis is completed for the File SHA256[f9a1bae8960820c9c0cd6f42f486e1dcdd534c155ac4665d03729ed2659a7aeb] Spyname:[None]

-Robert
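As an added example (not from the thread or from Cisco), the following Python correlator joins the mail_logs and amp log excerpts Robert quoted above on MID and SHA256, checks that the release reason was a completed analysis and that the verdict arrived no later than the release, and recomputes the hold time, which should equal the t=814 the ESA itself reports. The only assumption is the field layout of the quoted lines; the record keys and the "released_before_verdict" flag are this example's own names.

```python
import re
from datetime import datetime

# mail_logs and amp log lines as quoted in the reply above (not constructed).
SHA = "f9a1bae8960820c9c0cd6f42f486e1dcdd534c155ac4665d03729ed2659a7aeb"
MAIL_LOGS = f"""\
Thu Apr 21 12:13:21 2016 Info: MID 524207227 SHA {SHA} filename SKM_454e16042112110.pdf queued for possible file analysis upload
Thu Apr 21 12:13:21 2016 Info: MID 524207227 quarantined to "File Analysis" (File Analysis Pending:file unknown)
Thu Apr 21 12:26:55 2016 Info: MID 524207227 released from quarantine "File Analysis" (File Analysis completed) t=814
"""
AMP_LOGS = f"""\
Thu Apr 21 12:13:29 2016 Info: File uploaded for analysis. SHA256: {SHA}
Thu Apr 21 12:26:55 2016 Info: File Analysis complete. SHA256: {SHA}, Submit Timestamp: 1461255209, Update Timestamp: 1461256015, Disposition: 1 Score: 0, run_id: 147457352 Details: Analysis is completed for the File SHA256[{SHA}] Spyname:[None]
"""

def log_time(line):
    """AsyncOS log lines open with a fixed 24-character timestamp, e.g. 'Thu Apr 21 12:13:21 2016'."""
    return datetime.strptime(line[:24], "%a %b %d %H:%M:%S %Y")

def correlate(mail_logs, amp_logs):
    """Return one record per MID: its SHA, quarantine/release times, and the matching amp verdict."""
    verdicts = {}
    for line in amp_logs.splitlines():
        m = re.search(r"File Analysis complete\. SHA256: ([0-9a-f]{64}), Submit Timestamp: (\d+), "
                      r"Update Timestamp: (\d+), Disposition: (\d+) Score: (\d+)", line)
        if m:
            verdicts[m[1]] = {"completed": log_time(line), "disposition": int(m[4]),
                              "score": int(m[5]), "analysis_seconds": int(m[3]) - int(m[2])}
    mids = {}
    for line in mail_logs.splitlines():
        m = re.search(r"MID (\d+) ", line)
        if not m:
            continue
        rec = mids.setdefault(m[1], {"sha": None, "quarantined": None, "released": None,
                                     "reason": None, "t_reported": None})
        if s := re.search(r"SHA ([0-9a-f]{64})", line):          # 'MID ... SHA <hex>' line
            rec["sha"] = s[1]
        elif 'quarantined to "File Analysis"' in line:
            rec["quarantined"] = log_time(line)
        elif r := re.search(r'released from quarantine "File Analysis" \(([^)]*)\)(?: t=(\d+))?', line):
            rec["released"], rec["reason"] = log_time(line), r[1]
            rec["t_reported"] = int(r[2]) if r[2] else None
    for rec in mids.values():
        v = rec["verdict"] = verdicts.get(rec["sha"])
        held = rec["released"] and rec["quarantined"]
        rec["hold_seconds"] = int((rec["released"] - rec["quarantined"]).total_seconds()) if held else None
        # The condition to alert on: the message left quarantine before File Analysis returned a verdict.
        rec["released_before_verdict"] = bool(rec["released"]) and (v is None or v["completed"] > rec["released"])
    return mids
```

Run over a day of mail_logs and amp output from the CLI grep above, any record with released_before_verdict set is a message that left the File Analysis quarantine on retention expiry rather than on a verdict.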

I have validated that we currently have messages with file analysis pending be quarantined. We have cloud hosted inbound ESAs, therefore I do not have CLI access.

I would suggest opening a case directly w/ CES/Hosted in order to get a better understanding of what is occurring.

Hosted/RMS Contact information:

ROS internal email: emailsecurity@cisco.com

Hosted/RMS Service Desk: 

US Toll Free: 866-616-5139

UK Toll Free: 080-101-1359

International: 512-340-3775

ChiefSec-SF
Level 1

Did you end up opening a case? If so, what was the resolution? The comment marked as a solution doesn't seem to answer your original question.