12-12-2022 04:51 AM
Hi everyone,
Cisco AMP found different malicious files. I saw 2 different dispositions on Cisco AMP:
Disposition: Malicious
Disposition: Blocklisted
Both files were quarantined, but can someone explain what the difference is between the Blocklisted and Malicious dispositions?
Thanks
12-12-2022 05:15 AM
Hello @tobbyf ,
I assume someone added the SHA256 to an Application Blocklist?
Greetings, Thorsten
12-12-2022 05:27 AM
Yes, thank you very much. Also I have one more question.
"For malware detected in network traffic, dispositions can change. For example, the AMP cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse—that a malware-identified file is actually clean."
I can only see the current disposition of the file in the SIEM. If a file's disposition is clean now, should I consider it to have no risk, or is it still risky because it may have been "malware" in the past?
12-12-2022 06:07 AM
Hello @tobbyf ,
When reviewing detection information using the SecureX Pivot Menu, the Ribbon or Threat Response, you always see the dates when a disposition was set and, if applicable, how long this disposition will be active.
Your question cannot be answered in a single statement.
Greetings, Thorsten
12-12-2022 07:38 AM
Thank you so much @Troja007