You upload a file named isitbad.docx to AMP for analysis. While reviewing the AMP logs, you receive the
following output:
Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name = 'isitbad.docx', MID = 856, File Size = 174401 bytes, File Type = application/msword
Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cache. File Name = 'isitbad.docx', MID = 856, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1
Which of the following is true? (Select the best answer.)
A. The file was uploaded to the cloud and determined to be clean.
B. The file was not uploaded to the cloud, and its disposition is unknown.
C. The file was uploaded to the cloud, but its disposition is unknown.
D. The file was uploaded to the cloud and was determined to be malware.
E. The file was not uploaded to the cloud but was determined to be clean.
F. The file was not uploaded to the cloud but was determined to be malware.
Explanation:
The file named isitbad.docx was uploaded to Advanced Malware Protection (AMP), but its disposition is
unknown. AMP is a feature of the Cisco Email Security Appliance (ESA) that checks a given file against a
file reputation service in the cloud. The file reputation service used by AMP looks up the Secure Hash
Algorithm 256 (SHA256) hash of the file being uploaded in the file reputation database. The service also
rates the uploaded file by assigning it a reputation score.
The AMP log output in this scenario indicates that the file named isitbad.docx is 174,401 bytes in size
and is a Microsoft Word file. The file was successfully uploaded to the cloud service, which is indicated
both by the value of the upload_action field, which is 1, and by the value of the Disposition field, which is
file unknown. If the file had not been uploaded, either the upload_action field would contain a different
value, such as 2, or the Disposition field would contain an error phrase indicating that the file could not be
uploaded for a scan, such as unscannable. If the file being analyzed is already known to the file reputation
service, the upload_action field will contain a value of either 0 or 2 and the file will not be uploaded to the
cloud.
References:
Cisco: ESA File Analysis Through AMP Verification Procedures: File Uploaded for Analysis
Cisco: Blocking Malware and Prohibited Files: Understanding Malware Protection and File Control
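As an added illustration (not part of the original question and not Cisco's own tooling), the following Python script parses AMP log lines like the ones above and applies the upload_action and Disposition rules from the explanation; the sample lines are constructed, and the third line is invented to show a file that was not uploaded.

```python
import re

# Constructed sample lines modelled on the AMP log output in the question.
# The third line is invented to show a response for a file that was not uploaded.
SAMPLE_LOG = """\
Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name = 'isitbad.docx', MID = 856, File Size = 174401 bytes, File Type = application/msword
Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cache. File Name = 'isitbad.docx', MID = 856, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1
Wed Feb 17 12:42:30 2015 Info: Response received for file reputation query from Cloud. File Name = 'report.pdf', MID = 857, Disposition = clean, Malware = None, Reputation Score = 0, sha256 = 0000000000000000000000000000000000000000000000000000000000000000, upload_action = 2
"""

# "Key = value" pairs: the value is either single-quoted or runs to the next comma.
FIELD_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_ ]*?) = ('[^']*'|[^,]*)")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_amp_line(line):
    """Return the 'Key = value' fields of one AMP log line as a dict."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key.strip()] = value.strip().strip("'")
    return fields


def upload_status(fields):
    """Classify the query outcome using the field semantics given in the explanation."""
    disposition = fields.get("Disposition", "").lower()
    action = fields.get("upload_action")
    if "unscannable" in disposition:
        return "not uploaded (unscannable)"
    if action == "1":
        return "uploaded to cloud for analysis"
    if action in ("0", "2"):
        return "not uploaded (already known to reputation service)"
    return "no upload decision in this line"


def summarize(log_text):
    """Return (MID, file name, disposition, status, hash_ok) for each response line."""
    rows = []
    for line in log_text.splitlines():
        f = parse_amp_line(line)
        if "upload_action" not in f:
            continue  # the 'query initiating' line carries no verdict yet
        # A well-formed sha256 is 64 lowercase hex characters; flag anything else.
        hash_ok = bool(SHA256_RE.match(f.get("sha256", "")))
        rows.append((f["MID"], f["File Name"], f["Disposition"], upload_status(f), hash_ok))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```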