Introduction
This document describes how to collect a False Positive file analysis in Advanced Malware Protection (AMP) for Endpoints.
Contributed by Jesus Javier Martinez, Cisco TAC Engineer.
Prerequisites
Requirements
Cisco recommends you have knowledge of these topics:
- AMP Console dashboard
- An account with administrator privileges
Components Used
The information in this document is based on Cisco AMP for Endpoints version 6.X.X and up.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
AMP for Endpoints can generate excessive alerts on a certain file/process/Secure Hash Algorithm (SHA) 256. If you suspect any False Positive detections in your network, you can contact the Cisco Technical Assistance Center (TAC), and the Diagnostic Team performs a deeper file analysis. When you contact Cisco TAC, you need to provide this information:
- File SHA 256 hash
- File sample copy
- Alert Event capture from AMP Console
- Event Details capture from AMP Console
- Information about the file (where it came from and why it needs to be in the environment)
- An explanation of why you believe the file/process is a false positive
Troubleshoot False Positive File Analysis in AMP for Endpoints
This section provides information you can use to get all details needed to open a False Positive ticket with Cisco TAC.
File SHA 256 Hash
Step 1. In order to get the SHA 256 hash, navigate to AMP Console > Dashboard > Events.
Step 2. Select the Alert Event, click on the SHA256 and select Copy as shown in the image.

File Sample Copy
Step 1. You can get the file sample from the AMP Console: navigate to AMP Console > Dashboard > Events.
Step 2. Select the Alert Event, click on the SHA256 and navigate to File Fetch > File Fetch as shown in the image.

Step 3. Select the device where the file was detected (the device must be turned ON) and click on Fetch as shown in the image.

Step 4. You receive the message as shown in the image.

After some minutes, you receive an email notification when the file is available to download as shown in the image.

Step 5. Navigate to AMP Console > Analysis > File Repository, select the file, and click Download as shown in the image.

Step 6. A notification box appears; click on Download, as shown in the image, and the file is downloaded as a ZIP file.

Alert Event Capture from AMP Console
Step 1. Navigate to AMP Console > Dashboard > Events.
Step 2. Select the Alert Event and take the capture as shown in the image.

Event Details Capture from AMP Console
Step 1. Navigate to AMP Console > Dashboard > Events.
Step 2. Select the Alert Event and click on the Device Trajectory option as shown in the image.

It redirects to Device Trajectory details as shown in the image.

Step 3. Take a capture of the Event Details box as shown in the image.

Step 4. If necessary, scroll down and take additional captures to get all of the Event Details information as shown in the image.

Information About the File
- Information about where the file came from.
- If the file comes from a website, share the web URL.
- Share a short description of the file and explain its function.
Explanation
- Explain why you believe the file/process is a false positive.
- Share the reasons you trust the file.
Provide Information
- Once you collect all details, upload all the information requested to https://cway.cisco.com/csc/.
- Ensure that you reference the Service Request number.
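Before you upload the package, it is worth confirming that the sample you fetched from the File Repository is really the file the alert refers to, and that none of the items listed above is missing. The following helper is an added example, not part of this document or of Cisco's tooling: it hashes every member of the downloaded ZIP, looks for the one whose SHA-256 matches the value copied from the alert event, and assembles a checklist of the required items. The ZIP contents, the hash and the `pwd` parameter are assumptions for the demonstration (pass `pwd` only if your download is password-protected).

```python
import hashlib
import io
import zipfile
from typing import Dict, List, Optional, Tuple

# Constructed sample: stands in for the file fetched from the AMP Console and
# the SHA-256 copied from the alert event. Not a real detection.
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-not-a-real-binary"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()


def make_constructed_zip() -> bytes:
    """Build an in-memory ZIP resembling a File Repository download (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed archive for demonstration\n")
        zf.writestr("sample.bin", SAMPLE_BYTES)
    return buf.getvalue()


def find_sample_in_zip(zip_bytes: bytes, expected_sha256: str,
                       pwd: Optional[bytes] = None) -> Optional[Tuple[str, str]]:
    """Hash every member of the ZIP and return (member name, sha256) for the one
    that matches the hash copied from the console; None if nothing matches.
    pwd is an assumption: only needed if the download is password-protected."""
    expected = expected_sha256.strip().lower()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=pwd) as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            if digest == expected:
                return info.filename, digest
    return None


def build_case_manifest(sr_number: str, sha256: str, sample_member: Optional[str],
                        captures: Dict[str, List[str]], origin: str,
                        justification: str) -> Tuple[Dict[str, object], List[str]]:
    """Collect the items the TAC case needs into one dict and list any that are empty."""
    manifest: Dict[str, object] = {
        "service_request": sr_number,
        "file_sha256": sha256,
        "file_sample": sample_member,
        "alert_event_captures": captures.get("alert_event", []),
        "event_details_captures": captures.get("event_details", []),
        "file_origin": origin,
        "false_positive_justification": justification,
    }
    missing = [key for key, value in manifest.items() if not value]
    return manifest, missing
```

A non-empty `missing` list means the case would be opened without one of the items the Diagnostic Team asks for; fix that before uploading.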
Conclusion
Cisco always strives to improve and expand the threat intelligence for AMP for Endpoints technology; however, if your AMP for Endpoints solution triggers an alert erroneously, you can take some actions in order to prevent any further impact to your environment. This document provides a guideline to get all required details to open a case with Cisco TAC with regards to a False Positive issue. Based on the Diagnostic Team's file analysis, the file disposition can change to stop the Alert Events triggered on the AMP Console, or Cisco TAC can provide the proper fix to let the file/process run without issues in your environment.