Cisco AMP Disposition

tobbyf
Level 1

Hi everyone,

Cisco AMP found different malicious files, I saw 2 different dispositions on Cisco AMP:

Disposition: Malicious

Disposition: Blocklisted

Both files were quarantined, but can someone explain the difference between the Blocklisted and Malicious dispositions?

Thanks

4 Replies

Troja007
Cisco Employee

Hello @tobbyf ,
I assume someone added the SHA256 to an Application Blocklist?

  • Disposition Malicious: comes from a Cisco source. You can review the Device Trajectory for details on which engine finally detected it, or whether it was a cloud detection.
  • Blocklisted: indicates that the file has been added to a blocklist.

Greetings, Thorsten

Yes, thank you very much. Also, I have one more question.

"For malware detected in network traffic, dispositions can change. For example, the AMP cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse—that a malware-identified file is actually clean."

I can only see the current disposition of the file in the SIEM. If a file's disposition is Clean now, should I consider that it has no risk, or is it still risky because it may have been "malware" in the past?

Hello @tobbyf ,
when reviewing detection information using the SecureX Pivot Menu, the Ribbon or Threat Response, you always see the dates when a disposition was set and, if applicable, how long this disposition will be active.
Your question cannot be answered in a single statement.

  • If a file is malicious, it will always be malicious.
  • If an IP is shown as malicious, this IP might not be malicious in the future.
  • The Cisco Security Architecture is generating relations between artifacts, observables and behaviour. This is something we outline when this decision has been made.
  • So, finally, different Cisco Intelligences might have different information about an observable.

Greetings, Thorsten
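The two points made in this thread, that a Blocklisted disposition comes from a locally maintained list rather than a Cisco verdict and that a file whose disposition changed over time should be judged from its history rather than from its latest value alone, can be turned into a small triage helper for SIEM exports. The following is an added example written for this thread, not Cisco's code or API; the event field names (`sha256`, `disposition`, `ts`, `source`) and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: disposition events as a SIEM might export them.
# Field names and hash values are assumptions for this example, not a Cisco schema.
SAMPLE_EVENTS = [
    {"sha256": "a" * 64, "disposition": "Clean",       "ts": "2022-01-10T08:00:00", "source": "AMP Cloud"},
    {"sha256": "a" * 64, "disposition": "Malicious",   "ts": "2022-02-01T09:30:00", "source": "AMP Cloud"},
    {"sha256": "a" * 64, "disposition": "Clean",       "ts": "2022-03-15T12:00:00", "source": "AMP Cloud"},
    {"sha256": "b" * 64, "disposition": "Blocklisted", "ts": "2022-02-20T10:00:00", "source": "Application Blocklist"},
    {"sha256": "c" * 64, "disposition": "Clean",       "ts": "2022-01-05T07:00:00", "source": "AMP Cloud"},
]


@dataclass
class Assessment:
    sha256: str
    current: str          # latest disposition seen for the hash
    ever_malicious: bool  # True if any historical disposition was Malicious
    origin: str           # "Cisco source" or "local policy" (blocklist)
    action: str           # analyst guidance derived from history


def assess(events: List[dict]) -> Dict[str, Assessment]:
    """Group events per SHA256, order them by time and derive a verdict
    that takes the whole disposition history into account."""
    by_hash: Dict[str, List[dict]] = {}
    for e in events:
        by_hash.setdefault(e["sha256"], []).append(e)

    results: Dict[str, Assessment] = {}
    for sha, hist in by_hash.items():
        hist.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        current = hist[-1]["disposition"]
        ever_malicious = any(e["disposition"] == "Malicious" for e in hist)

        if current == "Blocklisted":
            # A blocklist entry is an administrative decision, not a cloud verdict.
            origin = "local policy"
            action = "confirm the blocklist entry is intended; no Cisco verdict implied"
        elif current == "Malicious":
            origin = "Cisco source"
            action = "treat as infected; check Device Trajectory for the detecting engine"
        elif ever_malicious:
            # Clean now, but flagged earlier: the latest value alone hides the risk window.
            origin = "Cisco source"
            action = "review: disposition changed from Malicious to Clean; verify nothing ran while flagged"
        else:
            origin = "Cisco source"
            action = "no action"

        results[sha] = Assessment(sha, current, ever_malicious, origin, action)
    return results


if __name__ == "__main__":
    for a in assess(SAMPLE_EVENTS).values():
        print(f"{a.sha256[:8]}... current={a.current} ever_malicious={a.ever_malicious} "
              f"origin={a.origin} -> {a.action}")
```

The helper does not decide whether a Clean-after-Malicious file is safe; it only surfaces that the history exists so the analyst checks the dates the disposition was set, as Thorsten suggests, instead of trusting the single current value the SIEM shows.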

Thank you so much @Troja007