You upload a file named isitbad.zip to AMP for analysis. While reviewing the AMP logs, you receive the following output:
Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name = ‘isitbad.zip’, MID = 852, File Size = 174401 bytes, File Type = application/zip
Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cloud. File Name = ‘isitbad.zip’, MID = 852, Disposition = unscannable, Malware = None, Reputation Score = 0, sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1
Which of the following is true? (Select the best answer.)
- The file was uploaded to the cloud and determined to be clean.
- The file was not uploaded to the cloud, and its disposition is unknown.
- The file was uploaded to the cloud, but its disposition is unknown.
- The file was uploaded to the cloud and was determined to be malware.
- The file was not uploaded to the cloud but was determined to be clean.
- The file was not uploaded to the cloud but was determined to be malware.
The file named isitbad.zip was not uploaded to Advanced Malware Protection (AMP) for analysis, and its disposition is unknown. AMP is a feature of the Cisco Email Security Appliance (ESA) that can be used to test a given file against a file reputation service in the cloud. The file reputation service that AMP uses attempts to match a Secure Hash Algorithm 256 (SHA256) hash of the submitted file against the file reputation database. The service also rates the data fidelity of the file by assigning it a reputation score.
The AMP log output in this scenario shows that the file named isitbad.zip is 174,401 bytes in size and is a ZIP application file. The Disposition field has the value unscannable, which indicates that the file was not uploaded to the cloud service. If the file had been uploaded, the upload_action field would contain the same value, which is 1, and the Disposition field would contain a phrase indicating that the file was either unknown or malicious. If the file that is being analyzed is already known to the file reputation service, the upload_action field will contain a value of either 0 or 2, and the file will not be uploaded to the cloud.
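The field-reading rules from the explanation above can be applied to log text mechanically. The following Python sketch is an added example, not part of the original page or of Cisco's tooling; the function names, the one-entry-per-line layout, and the entries for MID 853 and 854 are constructed assumptions.

```python
import re

# Constructed sample: the two entries from the question (unwrapped, one per
# line) plus two invented responses that exercise the other cases.
SAMPLE_LOG = """\
Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name = 'isitbad.zip', MID = 852, File Size = 174401 bytes, File Type = application/zip
Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cloud. File Name = 'isitbad.zip', MID = 852, Disposition = unscannable, Malware = None, Reputation Score = 0, sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1
Wed Feb 17 12:42:00 2015 Info: Response received for file reputation query from Cloud. File Name = 'sample-a.zip', MID = 853, Disposition = malicious, Malware = constructed-name, Reputation Score = 0, sha256 = <constructed>, upload_action = 1
Wed Feb 17 12:43:00 2015 Info: Response received for file reputation query from Cloud. File Name = 'sample-b.zip', MID = 854, Disposition = unknown, Malware = None, Reputation Score = 0, sha256 = <constructed>, upload_action = 2
"""

# "Key = value" pairs separated by commas; keys may contain spaces.
FIELD_RE = re.compile(r"([A-Za-z_][\w ]*?) = ([^,\n]+)")


def parse_fields(line):
    # Later duplicates win, so text inside a file name cannot override the
    # Disposition and upload_action fields that end the line.
    return {k.strip(): v.strip(" '\u2018\u2019") for k, v in FIELD_RE.findall(line)}


def interpret(fields):
    """Apply the rules stated in the explanation above to one response entry."""
    disposition = fields.get("Disposition", "").lower()
    action = fields.get("upload_action")
    if disposition == "unscannable":
        # Not uploaded; no verdict was reached.
        return {"uploaded": False, "verdict": "unknown"}
    if action in ("0", "2"):
        # Already known to the reputation service; nothing is uploaded.
        return {"uploaded": False, "verdict": disposition}
    if action == "1" and disposition in ("unknown", "malicious"):
        return {"uploaded": True, "verdict": disposition}
    return {"uploaded": None, "verdict": disposition or "unknown"}


def summarize(log_text):
    """Return {MID: {"file", "uploaded", "verdict"}} for each response entry."""
    results = {}
    for line in log_text.splitlines():
        if "file reputation query" not in line.lower():
            continue
        fields = parse_fields(line)
        if "Disposition" in fields and "MID" in fields:
            results[fields["MID"]] = {"file": fields.get("File Name"), **interpret(fields)}
    return results
```

Calling `summarize(SAMPLE_LOG)` reports MID 852 as not uploaded with an unknown verdict, which matches the answer given above.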