12-14-2018 08:38 AM - edited 03-12-2019 07:10 AM
Hi All,
Can anyone please confirm whether Dynamic Analysis with either Block Malware or Malware Cloud Lookup sends the full file to the AMP cloud or only the SHA value? If it sends the full file, does the AMP cloud delete the file after analysis? Are there generally any concerns with sending the full file to AMP for analysis? I have a customer that has queried this and is concerned about sensitive files being sent out of the network.
Thank you
12-14-2018 09:48 AM - edited 12-14-2018 10:12 AM
The SHA value goes to the SPERO and ETHOS engines.
Spero Analysis for MSEXE
Dynamic Analysis: This option sends files that match the rule to the "sandbox" for further analysis. This produces a file threat score and a file report (usually within 20 minutes).
Reset Connection
Store Files (By Disposition) Malware, Unknown, Clean, or Custom
Malware Cloud Lookup: Allows you to log the malware disposition of files that are traversing your network based on a cloud lookup, while still allowing their transmission.
Block Malware: Allows you to calculate the SHA-256 hash value of specific file types, then use a cloud lookup process to first determine if files that are traversing your network contain malware, and then block files that represent threats.
12-14-2018 10:19 AM
Hi
Thanks for the response. What happens if the file/SHA value is unknown? Is the complete file then sent to the sandbox for further analysis?
12-14-2018 10:34 AM - edited 12-14-2018 10:36 AM
12-16-2018 05:28 AM
For customers with a high degree of sensitivity you can run AMP Private Cloud and ThreatGrid all on-premises. In that scenario no customer file ever leaves the environment.
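To make the data-egress question in this thread concrete, below is an added model (not Cisco code, and not a description of how Firepower is actually implemented) of the flow the replies describe: the SHA-256 of a file is sent for a cloud lookup, Block Malware blocks on a Malware disposition, and only when the disposition is Unknown and Dynamic Analysis is enabled does the full file go to a sandbox, which is on-premises when AMP Private Cloud plus on-prem Threat Grid is in use. The sample file contents and the disposition table are constructed, and the set of file types eligible for Dynamic Analysis (`DYNAMIC_ANALYSIS_TYPES`) is an assumption for illustration, not a list from the product.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List

# Constructed sample file contents (not real files).
SAMPLE_FILES = {
    "quarterly-report.docx": b"CONFIDENTIAL: Q4 revenue figures (constructed sample)",
    "setup-tool.exe": b"MZ\x90\x00 constructed sample of a known-bad PE",
    "unknown-tool.exe": b"MZ\x90\x00 constructed sample never seen by the cloud",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 is the only thing a pure cloud lookup needs to send."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the cloud disposition table, keyed by SHA-256.
# unknown-tool.exe is deliberately absent so its disposition is Unknown.
CLOUD_DISPOSITIONS = {
    sha256_hex(SAMPLE_FILES["quarterly-report.docx"]): "Clean",
    sha256_hex(SAMPLE_FILES["setup-tool.exe"]): "Malware",
}

# Assumption for illustration only: which detected file types are eligible
# for full-file sandbox submission under Dynamic Analysis.
DYNAMIC_ANALYSIS_TYPES = {"MSEXE"}


@dataclass
class FilePolicy:
    action: str                  # "Malware Cloud Lookup" or "Block Malware"
    dynamic_analysis: bool = False
    private_cloud: bool = False  # AMP Private Cloud + on-prem Threat Grid


@dataclass
class Decision:
    sha256: str
    disposition: str
    verdict: str                 # "allow" or "block"
    egress: List[str] = field(default_factory=list)  # what leaves the network


def evaluate(policy: FilePolicy, data: bytes, file_type: str) -> Decision:
    """Model the hash-lookup / full-file-submission flow described in the thread."""
    digest = sha256_hex(data)
    disposition = CLOUD_DISPOSITIONS.get(digest, "Unknown")
    lookup_target = "private cloud" if policy.private_cloud else "AMP cloud"
    egress = [f"sha256 -> {lookup_target}"]

    # Both actions do a hash lookup; only Block Malware acts on the result.
    verdict = "block" if (disposition == "Malware" and policy.action == "Block Malware") else "allow"

    # Full file leaves the network only for Unknown files of an eligible type
    # when Dynamic Analysis is enabled; on-prem Threat Grid keeps it inside.
    if disposition == "Unknown" and policy.dynamic_analysis and file_type in DYNAMIC_ANALYSIS_TYPES:
        sandbox = "on-prem Threat Grid" if policy.private_cloud else "cloud sandbox"
        egress.append(f"full file -> {sandbox}")

    return Decision(digest, disposition, verdict, egress)


def full_file_leaves_network(decision: Decision) -> bool:
    """True when file content (not just a hash) goes to an off-premises sandbox."""
    return any(e.startswith("full file") and "on-prem" not in e for e in decision.egress)


if __name__ == "__main__":
    policy = FilePolicy("Block Malware", dynamic_analysis=True)
    for name, data in SAMPLE_FILES.items():
        ftype = "MSEXE" if name.endswith(".exe") else "MSOLE2"
        d = evaluate(policy, data, ftype)
        print(f"{name}: {d.disposition} -> {d.verdict}; egress={d.egress}")
```

Running the block with the constructed samples shows the point the thread makes: the confidential document and the known-bad executable never leave as file content (only their hashes do), while the never-seen executable is the one case where Dynamic Analysis would submit the full file, and switching `private_cloud=True` keeps even that submission on-premises.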