Sorry: I posted this message in the wrong thread. I tried to move it to Firepower or to delete it but I can't. Sorry ISE people.
When a managed device performs Local Malware Analysis on a file, it caches the verdict for x hours. Example: if file is detected as Malware, disposition is changed from Unknown to Malware and the verdict is cached for 1hr by default. If file is detected as Clean, disposition stays Unknown and the result is cached also for 1hr (according to User Guide v6.5: https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/file_policies_and_advanced_malware_protection.html)
Would the FTD share with the FMC the Local Malware Analysis result? The User Guide doesn't mention if the FMC would hear the verdict of from an analysis performed locally on a FTD, thus caching that information and having it in case other FTDs query about the same hash.
Solved! Go to Solution.