cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3229
Views
0
Helpful
2
Replies

Doubt with AMP dynamic analysis

Ariel0092
Beginner
Beginner

HI everyone i have a doubt with the action of dynamic analysis on the FMC, i have read and hear some folks who says that the files(for example a .exe) are never send to the cloud, only a hash sha256, and from my undertstanding this is what the spero engine does, but with the dynamic analysis the documentation stays that the file with a disposition of unknown is submitted to threat grid a.k.a. sandboxing for analysis, so my question/doubt is if a user downloads a file .exe with unknown disposition does the firepower send the entire file for sandboxing or sends a sha256?

 

Hope you can understand my question and clarify me this concepts .

Thanks and Best regards!

1 Accepted Solution

Accepted Solutions

yogdhanu
Cisco Employee
Cisco Employee

Hi

 

Dynamic analysis or sandboxing for unknown file does require full file to be submitted which is done on FMC.

But for known files only SHA query is done and Threatgrid would reply back with threat score and AMP cloud would let know the disposition like malicious, clean or unknown.

 

Hope it helps,

Yogesh

View solution in original post

2 Replies 2

yogdhanu
Cisco Employee
Cisco Employee

Hi

 

Dynamic analysis or sandboxing for unknown file does require full file to be submitted which is done on FMC.

But for known files only SHA query is done and Threatgrid would reply back with threat score and AMP cloud would let know the disposition like malicious, clean or unknown.

 

Hope it helps,

Yogesh

Thank you so much yogdhanu for clarify my doubt!!

 

Best regards!!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: