Malware disposition changes to Unknown randomly

syed.mohsin
Level 1

Hi, we have had ASA deployed for the last few months and everything is working fine, but we have observed that sometimes, when a file is declared Malware disposition by the Cisco Cloud, it randomly changes to 'unknown' and that malicious file is passed on to the internal network with action Malware Cloud Lookup. Due to this abnormal behavior, multiple malicious files are passing through the ASA. Snapshot is attached.

FMC Version: 6.2.1 (build 342)

ASA Version 9.5

Why does the Malware disposition change randomly to Unknown? Is this normal behavior?

Thanks.

4 Replies

David Janulik
Cisco Employee

Hi Syed,

To answer your question, we will need the SHA-256 of that file.


David

Cyber security escalation engineer

Hi

Check this hash:

SHA-256: a1b9d6fa618ce38eb3554d76868f7259a61be8cd11d4a8a5c9e91eb29ba23a67

Attached is the snapshot:


This file was submitted to Threatgrid on 12/13/2017 at 2:12:31 pm. The disposition is done by the Synthetic Event Engine, which convicts binaries based upon the actions of several Indicators of Compromise observed in a sandbox. For further reference on this sample with disposition malicious, see

https://www.talosintelligence.com/amp-naming/

SBX.VIOC - detection engine - Synthetic events

or

If you have access to the Threatgrid account, here is the link, which contains the video and report of the IOC actions.

https://panacea.threatgrid.com/mask/#/submission/e5f4ab6d542cb7a2ae9d24349f6296f9

Let me know if you need further info on this.

Cyber security escalation engineer

Hi, thanks for the response, but I didn't get it: why does the disposition change to unknown at 19:27 when it was already declared malware before?
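The behaviour the thread is asking about, a hash that was already convicted as Malware later appearing with disposition Unknown and an allow action, is something a defender can flag automatically in exported file events rather than spotting it by eye. The script below is an added example, not code from the thread or from Cisco: it assumes a simplified, constructed event layout (timestamp, SHA-256, disposition, action), not the real FMC export format, and the hashes and timestamps in the sample are constructed. It groups events by SHA-256 and reports every event where a hash previously seen as Malware shows up as Unknown, together with the action taken at that moment.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed placeholder hashes (not real samples).
HASH_A = "11" * 32  # flips from Malware to Unknown in the sample below
HASH_B = "22" * 32  # stays Clean throughout

# Constructed sample events in an assumed "timestamp,sha256,disposition,action"
# layout. This is NOT the FMC file-event export format.
SAMPLE_EVENTS = f"""\
2017-12-13T17:40:12,{HASH_A},Malware,Block Malware
2017-12-13T18:02:45,{HASH_A},Malware,Malware Cloud Lookup
2017-12-13T19:27:03,{HASH_A},Unknown,Malware Cloud Lookup
2017-12-13T19:31:50,{HASH_B},Clean,Malware Cloud Lookup
2017-12-13T19:45:09,{HASH_B},Clean,Malware Cloud Lookup
2017-12-13T20:10:00,{HASH_A},Malware,Block Malware
"""


@dataclass
class FileEvent:
    ts: datetime
    sha256: str
    disposition: str
    action: str


@dataclass
class DispositionFlip:
    sha256: str
    convicted_at: datetime  # first time the hash was seen as Malware
    flipped_at: datetime    # time it was seen as Unknown afterwards
    action: str             # action taken on the Unknown event


def parse_events(text: str) -> List[FileEvent]:
    """Parse the assumed CSV-like layout into FileEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sha256, disposition, action = line.split(",", 3)
        events.append(FileEvent(datetime.fromisoformat(ts), sha256.lower(),
                                disposition, action))
    return events


def find_disposition_flips(events: List[FileEvent],
                           convicted: str = "Malware",
                           weaker: str = "Unknown") -> List[DispositionFlip]:
    """Report every event where a hash already seen with the `convicted`
    disposition is later seen with the `weaker` one. Events are processed in
    timestamp order per hash, so ordering in the export does not matter."""
    by_hash: Dict[str, List[FileEvent]] = {}
    for ev in events:
        by_hash.setdefault(ev.sha256, []).append(ev)

    flips: List[DispositionFlip] = []
    for sha256, evs in by_hash.items():
        first_conviction = None
        for ev in sorted(evs, key=lambda e: e.ts):
            if ev.disposition == convicted and first_conviction is None:
                first_conviction = ev.ts
            elif ev.disposition == weaker and first_conviction is not None:
                flips.append(DispositionFlip(sha256, first_conviction,
                                             ev.ts, ev.action))
    return flips


def analyse(text: str) -> List[DispositionFlip]:
    """Parse and analyse an export in one call."""
    return find_disposition_flips(parse_events(text))


if __name__ == "__main__":
    for flip in analyse(SAMPLE_EVENTS):
        print(f"{flip.sha256[:12]}... convicted {flip.convicted_at:%H:%M:%S}, "
              f"seen Unknown at {flip.flipped_at:%H:%M:%S} (action: {flip.action})")
```

Run against a real export, the list of flips is what you would attach to a support case alongside the SHA-256, as the Cisco engineer asked for above: it pins down exactly when the verdict weakened and whether the file was allowed through on that event.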