07-18-2016 09:39 PM - edited 02-20-2020 09:01 PM
When you choose to 'Block Malware', what does the product do for files that can't
1/ be acted on for local analysis
2/ be sent to the cloud for dynamic/Spero analysis
I.e., every other file other than the 9 highlighted in the above categories?
07-18-2016 10:35 PM
Hello Evan,
Please refer to the following two links for the best understanding of file dispositions.
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AMP-Config.html
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/AMP-Config.html
Feel free to let me know if you have any questions.
Rate if post helps you
Regards
Jetsy
07-24-2016 05:10 PM
Hi, thanks for posting the links, it's a good reminder to have a re-read.
Perhaps if you could define what Cisco refers to as 'dynamic' it would be helpful.
When creating a File Rule Cisco prepopulates a 'dynamic' list of 4 files.
These contain MSEXE, MSOLE2, NEW_OFFICE and PDF. So if these are the only files that can be dynamic it leads me to think I don't understand what Cisco means as dynamic.
When I read this:
Note that you must configure a rule in the file policy with either a Malware Cloud Lookup or Block Malware action and a matching file type to calculate a file’s SHA value.
Is the calculation of a SHA value not dynamic?
07-26-2016 07:13 AM
Hello Evan,
If you configure a rule in the file policy with either a Malware Cloud Lookup or Block Malware action and a matching file type to calculate a file’s SHA value, it will query to check the SHA value.
Rate if the post helps you
Regards
Jetsy
07-26-2016 04:35 PM
Hello Evan,
I think you are referring to the list of files populated when you select "Dynamic Analysis Capable" as the file type in a File policy rule.
These file types, MSEXE, MSOLE2, NEW_OFFICE and PDF, are the file types that can be successfully submitted to the cloud for Dynamic Analysis.
These file types can be submitted to the AMP Threat Grid cloud or an on-premises AMP Threat Grid appliance for dynamic analysis.
The Threat Grid cloud runs the sample through a sandbox environment and evaluates behavioral indicators to determine the Threat Score of a sample. A high enough Threat Score will result in the sample's SHA-256 hash returning a Malicious disposition.
The Threat Score and Analysis Report of the sandbox run is available after successful submission and analysis.
Let me know if I have understood the question and if this is the answer that you were looking for.
07-26-2016 07:20 PM
Thanks, I was confused as I feel that sending SHAs, which is separate from Threat Grid, is also a dynamic action.
From what I understand about files being sent, there should not be double-ups being sent. Is it normal, when a file is labelled as unknown, for it to be constantly resent hundreds of times?
For example, a Symantec secars.dll file.
04-06-2017 07:15 AM
Hello Evan,
Static and dynamic malware analysis:
A highly secure sandboxing environment helps you run, analyze, and test malware in order to discover previously unknown zero-day threats. Integration of Threat Grid’s sandboxing and static and dynamic malware analysis technology into AMP solutions results in a more comprehensive analysis checked against a larger set of behavioral indicators.
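As an added illustration (not Cisco's code and not part of any post in this thread), a small Python model of the file-rule flow described in the 07-26-2016 answer and of the resubmission question that follows it: SHA-256 lookup first, sandbox submission only for the four dynamic-analysis-capable types, and a per-hash submission record so an Unknown file is not resent on every transfer. The magic-byte mapping, the in-memory disposition table and the threat-score threshold are assumptions for the example, not product values.

```python
import hashlib

# Constructed mapping of header bytes to the four "Dynamic Analysis Capable"
# file types named in the thread (assumption for this example, not product data)
DYNAMIC_CAPABLE = {
    b"MZ": "MSEXE",                 # Windows PE executable
    b"\xd0\xcf\x11\xe0": "MSOLE2",  # legacy OLE2 Office documents
    b"PK\x03\x04": "NEW_OFFICE",    # OOXML Office documents (any zip matches here)
    b"%PDF": "PDF",
}

def file_type(data: bytes) -> str:
    """Classify by leading bytes; anything else is treated as not sandbox-capable."""
    for magic, name in DYNAMIC_CAPABLE.items():
        if data.startswith(magic):
            return name
    return "OTHER"

class FilePolicy:
    """Model of a 'Block Malware' rule: hash lookup, then at most one
    dynamic-analysis submission per SHA-256 while the disposition is Unknown."""

    def __init__(self, threat_score_threshold=90):
        # sha256 -> disposition; stands in for the cloud lookup (assumption)
        self.dispositions = {}
        self.submitted = set()  # hashes already sent to the sandbox
        self.threshold = threat_score_threshold  # placeholder, not a product value

    def evaluate(self, data: bytes) -> dict:
        sha = hashlib.sha256(data).hexdigest()
        ftype = file_type(data)
        disposition = self.dispositions.get(sha, "Unknown")
        submitted = False
        # Only Unknown files of a capable type are submitted, and only once:
        # the hash is remembered so repeated transfers do not resend the sample.
        if disposition == "Unknown" and ftype != "OTHER" and sha not in self.submitted:
            self.submitted.add(sha)
            submitted = True
        return {"sha256": sha, "type": ftype, "disposition": disposition,
                "action": "block" if disposition == "Malicious" else "allow",
                "submitted": submitted}

    def record_sandbox_verdict(self, sha: str, threat_score: int) -> str:
        """A high enough Threat Score turns the hash's disposition Malicious."""
        verdict = "Malicious" if threat_score >= self.threshold else "Unknown"
        self.dispositions[sha] = verdict
        return verdict
```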