The system determines file dispositions based on the disposition returned by the AMP cloud. To improve performance, if the system already knows the disposition for a file based on its SHA-256 value, the Firepower Management Center uses the cached disposition rather than querying the AMP cloud. Based on its disposition, the system can block the file. If any nested file inside an archive file is blocked, the system blocks the entire archive file.
A file can have one of the following dispositions, as a result of an AMP cloud query, a threat score, or addition to a file list:
- Malware indicates that the AMP cloud categorized the file as malware, local malware analysis identified malware, or the file's threat score exceeded the malware threshold defined in the file policy.
- Clean indicates that the AMP cloud categorized the file as clean, or that a user added the file to the clean list.
- Unknown indicates that the system queried the AMP cloud, but the file has not been assigned a disposition; in other words, the AMP cloud has not categorized the file.
- Custom Detection indicates that a user added the file to the custom detection list.
- Unavailable indicates that the system could not query the AMP cloud. You may see a small percentage of events with this disposition; this is expected behavior.
Archive files have dispositions based on the dispositions assigned to the files inside the archive. All archives that contain identified malware files receive a disposition of Malware. Archives without identified malware files receive a disposition of Unknown if they contain any unknown files, and a disposition of Clean if they contain only clean files.
Table 1 Archive File Disposition by Contents

| Archive File Disposition | Number of Unknown Files | Number of Clean Files | Number of Malware Files |
|---|---|---|---|
| Unknown | 1 or more | Any | 0 |
| Clean | 0 | 1 or more | 0 |
| Malware | Any | Any | 1 or more |
Archive files, like other files, may have dispositions of Custom Detection or Unavailable if the conditions for those dispositions apply.
Tip: If you see several Unavailable malware events in quick succession, make sure the Firepower Management Center can contact the AMP cloud.
Note that file dispositions can change. For example, the AMP cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse—that a malware-identified file is actually clean. When the disposition changes for a file you queried in the last week, the AMP cloud notifies the system so it can automatically take action the next time it detects that file being transmitted. A changed disposition is called a retrospective disposition.
Dispositions returned from an AMP cloud query, associated threat scores, and dispositions assigned by local malware analysis have a time-to-live (TTL) value. After a disposition has been held for the duration specified in the TTL value without update, the system purges the cached information. Dispositions and associated threat scores have the following TTL values:
- Clean — 4 hours
- Unknown — 1 hour
- Malware — 1 hour
If a query against the cache identifies a cached disposition that timed out, the system re-queries the AMP cloud for a new disposition.
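The following is an added example, not Cisco code, that models the two behaviours described on this page: the SHA-256 keyed disposition cache with the Clean/Unknown/Malware TTLs listed above (including re-query when a cached entry has timed out, and a retrospective disposition replacing a cached entry), and the archive-disposition rule from Table 1. The `DispositionCache`, `archive_disposition` and `FakeClock` names, the `cloud_lookup` callable standing in for the AMP cloud query, and the decision not to cache the Unavailable disposition (the page lists no TTL for it) are assumptions of this example.

```python
"""Model of the file-disposition behaviour described on this page: a SHA-256
keyed cache with the per-disposition TTLs from the page, re-query on expiry,
retrospective updates, and the archive rule from Table 1.
Constructed example; not Cisco's implementation."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Iterable
import time


class Disposition(str, Enum):
    MALWARE = "Malware"
    CLEAN = "Clean"
    UNKNOWN = "Unknown"
    CUSTOM_DETECTION = "Custom Detection"
    UNAVAILABLE = "Unavailable"


# TTLs from the page, in seconds. The page lists no TTL for Unavailable, so this
# model does not cache it (an assumption), and the next lookup re-queries.
TTL_SECONDS: Dict[Disposition, int] = {
    Disposition.CLEAN: 4 * 3600,
    Disposition.UNKNOWN: 1 * 3600,
    Disposition.MALWARE: 1 * 3600,
}


@dataclass
class CacheEntry:
    disposition: Disposition
    cached_at: float  # epoch seconds when the disposition was stored


class DispositionCache:
    """Caches cloud dispositions by SHA-256 and purges them after their TTL."""

    def __init__(self, cloud_lookup: Callable[[str], Disposition],
                 clock: Callable[[], float] = time.time) -> None:
        self._cloud_lookup = cloud_lookup  # hypothetical stand-in for the AMP cloud query
        self._clock = clock
        self._entries: Dict[str, CacheEntry] = {}
        self.cloud_queries = 0  # round trips actually made to the "cloud"

    def _is_fresh(self, entry: CacheEntry, now: float) -> bool:
        ttl = TTL_SECONDS.get(entry.disposition)
        return ttl is not None and (now - entry.cached_at) < ttl

    def lookup(self, sha256: str) -> Disposition:
        now = self._clock()
        entry = self._entries.get(sha256)
        if entry is not None and self._is_fresh(entry, now):
            return entry.disposition  # cache hit: no cloud query needed
        # Missing or timed out: purge the stale entry and re-query the cloud.
        self._entries.pop(sha256, None)
        self.cloud_queries += 1
        disposition = self._cloud_lookup(sha256)
        if disposition in TTL_SECONDS:
            self._entries[sha256] = CacheEntry(disposition, now)
        return disposition

    def retrospective_update(self, sha256: str, disposition: Disposition) -> bool:
        """Apply a retrospective disposition pushed for a file that is still
        cached; returns True if a cached entry was replaced."""
        if sha256 not in self._entries:
            return False
        self._entries[sha256] = CacheEntry(disposition, self._clock())
        return True


def archive_disposition(members: Iterable[Disposition]) -> Disposition:
    """Table 1: any malware member -> Malware; otherwise any unknown member ->
    Unknown; otherwise only clean members -> Clean."""
    counts = {d: 0 for d in Disposition}
    for d in members:
        counts[d] += 1
    if counts[Disposition.MALWARE] >= 1:
        return Disposition.MALWARE
    if counts[Disposition.UNKNOWN] >= 1:
        return Disposition.UNKNOWN
    if counts[Disposition.CLEAN] >= 1 and sum(counts.values()) == counts[Disposition.CLEAN]:
        return Disposition.CLEAN
    # Table 1 does not define the result for Custom Detection or Unavailable
    # members, or for an empty archive, so this model refuses to guess.
    raise ValueError("archive contents not covered by Table 1")


class FakeClock:
    """Settable clock so TTL expiry can be driven without sleeping."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    # Constructed stand-in: prefix of the (fake) hash decides the verdict.
    cache = DispositionCache(lambda h: Disposition.CLEAN if h.startswith("aa") else Disposition.MALWARE, clock)
    sample = "aa" * 32  # constructed SHA-256-shaped value
    print(cache.lookup(sample), cache.lookup(sample), "queries:", cache.cloud_queries)
    clock.advance(4 * 3600 + 1)  # Clean TTL has elapsed
    print(cache.lookup(sample), "queries:", cache.cloud_queries)
    print(archive_disposition([Disposition.CLEAN, Disposition.UNKNOWN]))
```

Driving the cache with a settable clock makes the TTL boundary observable: a Clean entry is still served at 4 hours minus one second and re-queried at 4 hours plus one, which is the behaviour a practitioner would check when tuning expectations about AMP cloud query volume.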