Overview of Advanced Malware Protection
The Cisco Advanced Malware Protection is composed of three processes:
- File Reputation: The process of computing a 256-bit Secure Hash Algorithm (SHA256) hash of the file and comparing it against the Advanced Malware Protection (AMP) cloud server to retrieve the file's threat intelligence information. The response can be Clean, Unknown, or Malicious. If the response is Unknown, and if File Analysis is configured, the file is automatically submitted for further analysis.
  Note: The maximum file size that will be inspected by AMP is 10 MB.
  Note: File Reputation supports the following file types: ACCDB, ALZ, AMF, AMR, ARJ, ASF, AUTORUN, BINARY_DATA, BINHEX, BMP, BZ, CPIO_CRC, CPIO_NEWC, CPIO_ODC, DICM, DMG, DMP, EGG, EICAR, ELF, EPS, FFMPEG, FLAC, FLIC, FLV, GIF, GZ, HLP, HWP, ICO, IMG_PCT, ISHIELD_MSI, ISO, IVR, JAR, JARPACK, JPEG, LHA, M3U, MACHO, MAIL, MAYA, MDB, MDI, MIDI, MKV, MNY, MOV, MP3, MP4, MPEG, MSCAB, MSCHM, MSOLE2, MSWORD_MAC5, MSZDD, MWL, NEW_OFFICE, NTHIVE, OGG, OLD_TAR, ONE, PCAP, PDF, PGD, PLS, PNG, POSIX_TAR, PSD, PST, RA, RAR, REC, REG, RIFF, RIFX, RIM, RMF, RPM, RTF, S3M, SAMI, SCRENC, SIS, SIT, SMIL, SWF, SYLKc, SYMANTEC, TIFF, TNEF, TORRENT, UUENCODED, VMDK, WAV, WEBM, WMF, WP, WRI, XLW, XPS, ZIP, ZIP_ENC, 7Z, 9XHIVE.
- File Analysis: The process of submitting an Unknown file to the Threat Grid (TG) cloud for detonation in a sandbox environment. During detonation, the sandbox captures artifacts and observes the behaviors of the file, then gives the file an overall score. Based on the observations and score, Threat Grid may change the threat response to Clean or Malicious. Threat Grid's findings are reported back to the AMP cloud, so that all AMP customers are protected against newly discovered malware. File Analysis supports a maximum file size of 10 MB.
  Note: File Analysis requires a separate Threat Grid account. For information about purchasing a Threat Grid account, contact your Cisco representative.
- Retrospective: By maintaining information about files even after they are downloaded, AMP can report on files that are determined to be malicious after they were downloaded. The disposition of a file can change based on new threat intelligence gained by the AMP cloud. This re-classification generates automatic retrospective notifications.
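The three processes above, modelled end to end as an added example (this is not Cisco's code and does not talk to the AMP or Threat Grid cloud): a file is hashed with SHA256 and looked up in a constructed reputation table, the 10 MB inspection limit is enforced, an Unknown file is handed to a constructed stand-in sandbox when File Analysis is configured, and a later disposition change for an already-seen file produces a retrospective notification. The reputation table, the sandbox scoring, and the class and function names are all assumptions made for the example.

```python
import hashlib
from enum import Enum

MAX_INSPECT_BYTES = 10 * 1024 * 1024  # AMP inspects files up to 10 MB


class Disposition(Enum):
    CLEAN = "Clean"
    UNKNOWN = "Unknown"
    MALICIOUS = "Malicious"


def toy_sandbox(data: bytes) -> Disposition:
    """Constructed stand-in for Threat Grid: tally observed behaviors, score the file."""
    markers = (b"BEHAVIOR:persistence", b"BEHAVIOR:injection")  # constructed markers
    score = 50 * sum(1 for m in markers if m in data)           # constructed scoring
    return Disposition.MALICIOUS if score >= 50 else Disposition.CLEAN


class AmpWorkflow:
    """Toy model of File Reputation, File Analysis and Retrospective (hypothetical)."""

    def __init__(self, cloud_reputation, sandbox=None):
        self.cloud = cloud_reputation   # sha256 -> Disposition, stands in for the AMP cloud
        self.sandbox = sandbox          # None means File Analysis is not configured
        self.seen = {}                  # sha256 -> last disposition given for a downloaded file
        self.notifications = []         # (sha256, old, new) retrospective notifications

    def file_reputation(self, data: bytes):
        """Return (sha256, disposition); disposition is None if the file is too large."""
        digest = hashlib.sha256(data).hexdigest()
        if len(data) > MAX_INSPECT_BYTES:
            return digest, None                     # not inspected; policy decides the action
        disposition = self.cloud.get(digest, Disposition.UNKNOWN)
        if disposition is Disposition.UNKNOWN and self.sandbox is not None:
            disposition = self.sandbox(data)        # File Analysis: detonate the Unknown file
            self.cloud[digest] = disposition        # findings are reported back to the cloud
        self.seen[digest] = disposition
        return digest, disposition

    def retrospective_update(self, digest: str, new_disposition: Disposition) -> bool:
        """Apply new threat intelligence; notify if an already-seen file is re-classified."""
        self.cloud[digest] = new_disposition
        old = self.seen.get(digest)
        if old is None or old is new_disposition:
            return False
        self.seen[digest] = new_disposition
        self.notifications.append((digest, old.value, new_disposition.value))
        return True
```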