You upload a file named isitbad.docx to AMP for analysis. While reviewing the AMP logs, you receive the following output:
Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name =
‘isitbad.docx’, MID = 856, File Size = 174401 bytes, File Type = application/msword
Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cache.
File Name = ‘isitbad.docx’, MID = 856, Disposition = file unknown, Malware = None, Reputation Score = 0, sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1
Which of the following is true? (Select the best answer.)
- The file was uploaded to the cloud and determined to be clean.
- The file was not uploaded to the cloud, and its disposition is unknown.
- The file was uploaded to the cloud, but its disposition is unknown.
- The file was uploaded to the cloud and was determined to be malware.
- The file was not uploaded to the cloud but was determined to be clean.
- The file was not uploaded to the cloud but was determined to be malware.
The file named isitbad.docx was uploaded to the cloud by Advanced Malware Protection (AMP), but its disposition is unknown. AMP is a feature of the Cisco Email Security Appliance (ESA) that checks attachments against a cloud-based file reputation service. The ESA computes a Secure Hash Algorithm 256 (SHA256) hash of the attachment and looks that hash up in the file reputation database; the response carries a disposition for the file (for example clean, malicious, or unknown) together with a numeric reputation score. When the hash is not known to the reputation service, the file itself can be uploaded to the cloud for file analysis.
The AMP log output in this scenario indicates that the file named isitbad.docx is 174,401 bytes and was fingerprinted as a Microsoft Word file (application/msword). The reputation response was answered from the ESA's local cache rather than by a fresh cloud query (Response received for file reputation query from Cache), which does not change the upload decision. The file was uploaded to the cloud service, which is indicated by both the value of the upload_action field, which is 1, and the value of the Disposition field, which is file unknown. If the file had not been uploaded, either the upload_action field would contain a different value, such as 2, or the Disposition field would contain an error phrase that indicates that the file could not be uploaded for a scan, such as unscannable. If the file that is being analyzed is already known to the file reputation service, the upload_action field will contain a value of either 0 or 2 and the file will not be uploaded to the cloud.
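The interpretation above can be automated when reviewing ESA AMP logs in bulk. The following Python parser is an added example, not code from Cisco or from the original page: it extracts the fields of the "Response received for file reputation query" line and classifies each record using the upload_action meanings stated on this page (1 = uploaded for analysis, 0 and 2 = not uploaded). The first two sample lines are the page's own output (each wrapped log line joined back into one logical line); the remaining lines are constructed here to exercise the not-uploaded cases, and the 0/1/2 mapping being exhaustive is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# upload_action meanings as described on this page (assumption: these are the only values).
UPLOAD_ACTION_MEANING = {
    0: "not uploaded (need not send)",
    1: "uploaded for analysis (send)",
    2: "not uploaded (don't send)",
}

# Matches the reputation-response line. The file name may be wrapped in straight
# or curly quotes, because the page's output shows curly ones.
RESPONSE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): "
    r"Response received for file reputation query from (?P<source>\w+)\. "
    r"File Name = [‘'](?P<name>[^’']+)[’'], MID = (?P<mid>\d+), "
    r"Disposition = (?P<disposition>[^,]+), Malware = (?P<malware>[^,]+), "
    r"Reputation Score = (?P<score>-?\d+), sha256 = (?P<sha256>[0-9a-fA-F]{64}), "
    r"upload_action = (?P<upload_action>\d+)\s*$"
)


@dataclass
class ReputationResponse:
    timestamp: str
    source: str        # "Cache" or "Cloud"
    file_name: str
    mid: int
    disposition: str   # e.g. "file unknown", "clean", "malicious"
    malware: str
    score: int
    sha256: str
    upload_action: int

    @property
    def uploaded(self) -> bool:
        # Per the page, only upload_action = 1 means the file went to the cloud.
        return self.upload_action == 1

    def verdict(self) -> str:
        where = "uploaded to the cloud for analysis" if self.uploaded else "not uploaded to the cloud"
        return f"{where}, disposition: {self.disposition}"


def parse_response(line: str) -> Optional[ReputationResponse]:
    """Parse one AMP log line; returns None for lines that are not reputation responses."""
    m = RESPONSE_RE.match(line.strip())
    if not m:
        return None
    return ReputationResponse(
        timestamp=m["ts"],
        source=m["source"],
        file_name=m["name"],
        mid=int(m["mid"]),
        disposition=m["disposition"].strip(),
        malware=m["malware"].strip(),
        score=int(m["score"]),
        sha256=m["sha256"].lower(),
        upload_action=int(m["upload_action"]),
    )


def parse_amp_log(text: str) -> List[ReputationResponse]:
    """Return every reputation response in a block of AMP log text, in order."""
    records = []
    for line in text.splitlines():
        rec = parse_response(line)
        if rec is not None:
            records.append(rec)
    return records


# Sample input. Lines 1-2 are the page's log output; lines 3-4 are constructed here.
SAMPLE_LOG = "\n".join([
    "Wed Feb 17 12:41:05 2015 Info: File reputation query initiating. File Name = "
    "‘isitbad.docx’, MID = 856, File Size = 174401 bytes, File Type = application/msword",
    "Wed Feb 17 12:41:10 2015 Info: Response received for file reputation query from Cache. "
    "File Name = ‘isitbad.docx’, MID = 856, Disposition = file unknown, Malware = None, "
    "Reputation Score = 0, sha256 = 78d80f8fb0e6eaa2988d11607ec6a00840147f8188f6db8b7d00d907440d7aaa, upload_action = 1",
    # Constructed: a hash already known to the service, so no upload is needed.
    "Wed Feb 17 12:42:00 2015 Info: Response received for file reputation query from Cloud. "
    "File Name = 'known.pdf', MID = 857, Disposition = clean, Malware = None, "
    "Reputation Score = 0, sha256 = " + "a" * 64 + ", upload_action = 0",
    # Constructed: unknown hash that the ESA decided not to send.
    "Wed Feb 17 12:43:00 2015 Info: Response received for file reputation query from Cloud. "
    "File Name = 'skipped.zip', MID = 858, Disposition = file unknown, Malware = None, "
    "Reputation Score = 0, sha256 = " + "b" * 64 + ", upload_action = 2",
])

if __name__ == "__main__":
    for rec in parse_amp_log(SAMPLE_LOG):
        print(f"MID {rec.mid} {rec.file_name}: {rec.verdict()} "
              f"[upload_action={rec.upload_action}: {UPLOAD_ACTION_MEANING.get(rec.upload_action, 'unknown')}]")
```

Running the block prints one verdict per response; the "initiating" line is skipped because it carries no disposition. Because the parser keys the upload decision on upload_action alone, a record with Disposition = file unknown and upload_action = 2 is correctly reported as not uploaded, which is the distinction the exam question turns on.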