File policy rule question

evan.chadwick1
Level 1

When you choose to 'block malware', what does the product do for files that can't

1/ be acted on for local analysis

2/ be sent to the cloud for dynamic/Spero analysis

i.e. every other file other than the 9 highlighted in the above categories

6 Replies

Jetsy Mathew
Cisco Employee

Hello Evan,

Please refer to the following two links for the best understanding of file dispositions.

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AMP-Config.html

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AMP-Config.html

Feel free to let me know if you have any questions.

Rate if post helps you

Regards

Jetsy 

Hi, thanks for posting the links, it's a good reminder to have a re-read.
Perhaps if you could define what Cisco refers to as 'dynamic' it would be helpful.

When creating a File Rule Cisco prepopulates a 'dynamic' list of 4 files. 

These contain MSEXE, MSOLE2, NEW_OFFICE and PDF. So if these are the only files that can be dynamic it leads me to think I don't understand what Cisco means as dynamic.

When I read this:

Note that you must configure a rule in the file policy with either a Malware Cloud Lookup or Block Malware action and a matching file type to calculate a file’s SHA value.

Is the calculation of a SHA value not dynamic?

Hello Evan,

If you configure a rule in the file policy with either a Malware Cloud Lookup or Block Malware action and a matching file type to calculate a file's SHA value, it will query to check the SHA value.

Rate if the post helps you

Regards

Jetsy

Hello Evan,

I think you are referring to the list of files populated when you select "Dynamic Analysis Capable" as the file type in a File policy rule.

These file types: MSEXE, MSOLE2, NEW_OFFICE and PDF are the file types that can be successfully submitted to the cloud for Dynamic Analysis.

These file types can be submitted to the AMP Threat Grid cloud or an on-premises AMP Threat Grid appliance for dynamic analysis.

The Threat Grid cloud runs the sample through a sandbox environment and evaluates behavioral indicators to determine the Threat Score of a sample. A high enough Threat Score will result in the sample's SHA-256 hash returning a Malicious disposition.

The Threat Score and Analysis Report of the sandbox run is available after successful submission and analysis.

Let me know if I have understood the question and if this is the answer that you were looking for.
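The flow described in the reply above (SHA-256 computed by the rule, cloud lookup for a disposition, the four Dynamic Analysis Capable types submitted to the sandbox, and a high Threat Score turning the hash Malicious on later lookups) can be walked through with a small simulation. This is an added example, not Cisco's code and not the product's real logic: the threshold value, the in-memory "cloud" dictionary, the one-submission-per-hash rule and the assumption that Unknown files are not blocked are all assumptions of the model.

```python
import hashlib
from dataclasses import dataclass, field

# File types listed in the reply above as "Dynamic Analysis Capable".
DYNAMIC_ANALYSIS_CAPABLE = {"MSEXE", "MSOLE2", "NEW_OFFICE", "PDF"}

# The thread only says a "high enough" Threat Score yields a Malicious
# disposition; this threshold is a hypothetical value chosen for the model.
MALICIOUS_THREAT_SCORE = 90


@dataclass
class FilePolicyModel:
    """Toy model of a file rule with a Block Malware action (not Cisco code)."""
    action: str                                   # "Block Malware" or "Malware Cloud Lookup"
    cloud_dispositions: dict                      # stand-in for the AMP cloud SHA-256 lookup
    submitted: set = field(default_factory=set)   # hashes already sent for sandbox analysis
    log: list = field(default_factory=list)       # per-file events, as an analyst would see them

    def evaluate(self, file_type: str, data: bytes) -> dict:
        # Step 1: the rule calculates the file's SHA-256.
        sha = hashlib.sha256(data).hexdigest()
        # Step 2: query the cloud for a disposition; an unseen hash is Unknown.
        disposition = self.cloud_dispositions.get(sha, "Unknown")
        # Step 3: only the four capable types go to the sandbox, and in this
        # model (assumption) each hash is submitted once, not on every sighting.
        submitted = False
        if (disposition == "Unknown"
                and file_type in DYNAMIC_ANALYSIS_CAPABLE
                and sha not in self.submitted):
            self.submitted.add(sha)
            submitted = True
        # Step 4: the block decision depends only on the disposition (assumption:
        # Unknown is allowed through; only Malicious is blocked).
        blocks = self.action == "Block Malware" and disposition == "Malicious"
        event = {"sha256": sha, "type": file_type, "disposition": disposition,
                 "verdict": "block" if blocks else "allow", "submitted": submitted}
        self.log.append(event)
        return event

    def complete_analysis(self, sha: str, threat_score: int) -> str:
        """Sandbox result arrives later; a high Threat Score flips the hash to Malicious."""
        if sha in self.submitted and threat_score >= MALICIOUS_THREAT_SCORE:
            self.cloud_dispositions[sha] = "Malicious"
        return self.cloud_dispositions.get(sha, "Unknown")


def demo() -> list:
    """Walk constructed files through the model and return the event log."""
    policy = FilePolicyModel(action="Block Malware", cloud_dispositions={})
    exe = b"MZ\x90\x00constructed-sample-bytes-not-real-malware"   # constructed MSEXE content
    txt = b"plain text, not a dynamic-analysis-capable type"        # constructed TXT content
    # First sighting of the executable: Unknown, allowed, submitted to the sandbox.
    policy.evaluate("MSEXE", exe)
    # Second sighting before analysis finishes: still Unknown, not resubmitted.
    policy.evaluate("MSEXE", exe)
    # A type outside the four capable types gets a hash lookup but no submission.
    policy.evaluate("TXT", txt)
    # The sandbox reports a high Threat Score; later lookups return Malicious.
    policy.complete_analysis(hashlib.sha256(exe).hexdigest(), threat_score=95)
    policy.evaluate("MSEXE", exe)
    return policy.log


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Running `demo()` shows the executable allowed as Unknown twice (submitted only the first time), the text file allowed and never submitted, and the executable blocked once the sandbox verdict has propagated to its hash.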

Thanks, I was confused as I feel that sending SHAs, which is separate to Threat Grid, is also a dynamic action.

From what I understand about files being sent, there should not be double-ups being sent. Is it normal, when a file is labelled as unknown, for it to be constantly resent hundreds of times?

For example, a Symantec secars.dll file.

Hello Evan,

Static and dynamic malware analysis:
A highly secure sandboxing environment helps you run, analyze, and test malware in order to discover previously unknown zero-day threats. Integration of Threat Grid's sandboxing and static and dynamic malware analysis technology into AMP solutions results in a more comprehensive analysis checked against a larger set of behavioral indicators.
