Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2181
Views
0
Helpful
3
Replies

What happens to the file while dynamic analyis is being performed?

Go to solution
muthumohan
Level 1
Level 1

‎12-07-2021 09:16 AM

In FTD, while the file is being analyzed in the sandbox by ThreatGrid, when happens to file in transit?

Please let me know if this is correct:

If the file policy rule action is "Malware Cloud Lookup", I believe the file is sent to the end user and a malware event will be generated once the threat-score comes from TG and the file is determined to be a malware.

 

My real question is, if the file policy rule action is "Malware Block", what does the end user see, while the file is being analyzed by Threatgrid? Does he get 99% of the file and wait for the last 1% till TG sends back the threat-score?

I believe TG can take more than 15 minutes to complete the analysis. Does this mean the client will have to hold the TCP connection, say FTP, open till the threat-score comes back from TG? What is the deal here?

Thanks and appreciate any help. No where in Cisco documentation explain this part.

Thanks

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎12-09-2021 08:58 AM

Block Malware will only occur if the file disposition of the SHA256 (From local cache or AMP) is malicious. If the file is unknown then it will be send to ThreatGrid for analysis. While the analysis is taking place, the file is allowed through the firewall and is not held "hostage" If analysis determines that the unknown file is malicious, then a retrospective event will be triggered for this file. 

I hope this helps!

Thank you for rating helpful posts!

View solution in original post

0 Helpful

Go to solution
muthumohan
Level 1
Level 1
In response to nspasov

‎12-24-2021 09:22 PM

Thank you for your reply. I was thinking the same, but could not confirm as no Cisco document clearly says this.

Appreciate it.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎12-09-2021 08:58 AM

Block Malware will only occur if the file disposition of the SHA256 (From local cache or AMP) is malicious. If the file is unknown then it will be send to ThreatGrid for analysis. While the analysis is taking place, the file is allowed through the firewall and is not held "hostage" If analysis determines that the unknown file is malicious, then a retrospective event will be triggered for this file. 

I hope this helps!

Thank you for rating helpful posts!

0 Helpful

Go to solution
muthumohan
Level 1
Level 1
In response to nspasov

‎12-24-2021 09:22 PM

Thank you for your reply. I was thinking the same, but could not confirm as no Cisco document clearly says this.

Appreciate it.

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎01-04-2022 11:44 AM

My pleasure! I have submitted an enhancement with the documentation team to update our documentation. Now, if you your question has been answered, please mark the thread as resolved

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card