File Reputation and File Analysis Report Pages

Advanced Malware Protection

Shows file-based threats that were identified by the file reputation service.

For files with changed verdicts, see the AMP Verdict updates report. Those verdicts are not reflected in the Advanced Malware Protection report.

If a file extracted from a compressed or archived file is malicious, only the SHA value of the compressed or archived file is included in the Advanced Malware Protection report.

Note
From AsyncOS 9.6.5 onwards, the Advanced Malware Protection report has been enhanced to display additional fields, graphs, and so on. The report displayed after the upgrade does not include the reporting data prior to the upgrade. To view the Advanced Malware Protection report prior to the AsyncOS 9.6.5 upgrade, click the hyperlink at the bottom of the page.

The Incoming Malware Files by Category section shows the following:

  • The percentage of blocked listed file SHAs received from the AMP reputation server that are categorized as Malware.

  • The percentage of blocked listed file SHAs received from the AMP for Endpoints console that are categorized as Custom Detection.

    The threat name of a blocked listed file SHA obtained from AMP for Endpoints console is displayed as Simple Custom Detection in the Incoming Malware Threat Files section of the report.

  • The percentage of blocked listed file SHAs received from the AMP for Endpoints console that are categorized as Custom Threshold.

You can click the link in the More Details section of the report to view the file trajectory details of a blocked listed file SHA in the AMP for Endpoints console.

You can view the Low Risk verdict details in the Incoming Files Handled by AMP section of the report.

Advanced Malware Protection File Analysis

Displays the time and verdict (or interim verdict) for each file sent for analysis. The appliance checks for analysis results every 30 minutes.

To view more than 1000 File Analysis results, export the data as a .csv file.

For deployments with an on-premises Cisco AMP Threat Grid Appliance: Files that are included in the allowed lists on the AMP Threat Grid appliance show as "clean." For information about allowed lists, see the AMP Threat Grid documentation or online help.

Drill down to view detailed analysis results, including the threat characteristics for each file.

You can also search for additional information about a SHA, or click the link at the bottom of the file analysis details page to view additional details on the server that analyzed the file.

To view details on the server that analyzed a file, see Requirements for File Analysis Report Details.

If a file extracted from a compressed or archived file is sent for analysis, only the SHA value of the extracted file is included in the File Analysis report.
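The two reports record different hashes for the same attachment: the Advanced Malware Protection report lists the SHA of the archive, while the File Analysis report lists the SHA of the extracted file. The following is an added example, not part of this documentation or the AsyncOS software, showing how an analyst can compute both values locally so that a row in one report can be matched to the other; the size cap and sample archive are assumptions made for the example.

```python
import hashlib
import io
import zipfile
from typing import Dict, Optional

# Hypothetical cap on member size so the analyst's script does not inflate a
# decompression bomb into memory while hashing members.
MAX_MEMBER_BYTES = 50 * 1024 * 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_and_member_hashes(archive_bytes: bytes) -> Dict[str, object]:
    """Hash the container (the value the AMP report lists) and every member
    (the value the File Analysis report lists for an extracted file)."""
    result = {"archive": sha256_hex(archive_bytes), "members": {}}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                result["members"][info.filename] = None  # skipped: too large
                continue
            result["members"][info.filename] = sha256_hex(zf.read(info))
    return result


def member_for_analysis_sha(archive_bytes: bytes, analysis_sha: str) -> Optional[str]:
    """Return the member filename whose SHA-256 matches a File Analysis row,
    or None if that row does not belong to this archive."""
    hashes = archive_and_member_hashes(archive_bytes)
    for name, digest in hashes["members"].items():
        if digest == analysis_sha.lower():
            return name
    return None


def build_sample_archive() -> bytes:
    """Constructed sample: a zip with two harmless text members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", b"sample member one")
        zf.writestr("notes/readme.txt", b"sample member two")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    report = archive_and_member_hashes(sample)
    print("AMP report SHA-256 (archive):", report["archive"])
    for name, digest in report["members"].items():
        print("File Analysis SHA-256 (member):", name, digest)
```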

Note
From AsyncOS 9.6.5 onwards, the File Analysis report has been enhanced to display additional fields, graphs, and so on. The report displayed after the upgrade does not include the reporting data prior to the upgrade. To view the File Analysis report prior to the AsyncOS 9.6.5 upgrade, click the hyperlink at the bottom of the page.

Advanced Malware Protection Verdict Updates

Because Advanced Malware Protection is focused on targeted and zero-day threats, threat verdicts can change as aggregated data provides more information.

The AMP Verdict Updates report lists the files processed by this appliance for which the verdict has changed since the message was received. For more information about this situation, see the documentation for your Email Security appliance.

To view more than 1000 verdict updates, export the data as a .csv file.

In the case of multiple verdict changes for a single SHA-256, this report shows only the latest verdict, not the verdict history.

To view all affected messages for a particular SHA-256 within the maximum available time range (regardless of the time range selected for the report), click a SHA-256 link.