Why does my malware status change from blocked to cloud lookup?

YANSINGLI61114 · ‎12-12-2021

I use FMC Malware Policy but I have found from Network File Trajectory time 2021-12-10 07:26:11 is malware block, but in 2021-12-10 07:26:13 change to cloud lookup.

My FMC Malware Policy is what happened??

截圖 2021-12-12 下午8.08.06.png 截圖 2021-12-12 下午8.08.29.png

I search File Event show message : Retrospective Event, Fri Dec 10 01:12:19 2021(UTC), Old Disp: Neutral, New Disp:Malware, Threat Name:W32.FECA1C7AFE-100.SBX.TG;

I don’t understand the meaning of this message?

截圖 2021-12-12 下午7.55.02.png

This is my Malware policy settings.

I settings two policy, the one is block Malware select all file type and the one policy Malware Cloud Lookup and select all file type.

截圖 2021-12-12 下午8.29.24.png

nspasov · ‎12-13-2021

It is hard to say as more info will be required. It is possible that the cached disposition for the particular file timed out and a new cloud lookup took place. I say this as I see, in your screenshot (on the top left), that the current disposition for this files is "unknown" Did you start seeing blocks after the cloud lookup?

Thank you for rating helpful posts!

Thank you for rating helpful posts!

YANSINGLI61114 · ‎12-19-2021

I saw the cloud lookup after blocking.

Blocking occurs at 11 seconds, and cloud search occurs at 13 seconds.