Malware Protection & AMP
Question 1
Question 2
Explanation
Spero analysis examines structural characteristics such as metadata and header information in executable files. After generating a Spero signature based on this information, if the file is an eligible executable file, the device submits it to the Spero heuristic engine in the AMP cloud. Based on the Spero signature, the Spero engine determines whether the file is malware.
-> Spero analysis uploads only the signature of the (executable) file to the AMP cloud; it does not upload the whole file. Dynamic analysis sends the whole file to AMP Threat Grid.
Dynamic Analysis submits (the whole) files to Cisco Threat Grid (formerly AMP Threat Grid). Cisco Threat Grid runs the file in a sandbox environment, analyzes the file’s behavior to determine whether the file is malicious, and returns a threat score that indicates the likelihood that a file contains malware. From the threat score, you can view a dynamic analysis summary report with the reasons for the assigned threat score. You can also look in Cisco Threat Grid to view detailed reports for files that your organization submitted, as well as scrubbed reports with limited data for files that your organization did not submit.
Local malware analysis allows a managed device to locally inspect executables, PDFs, office documents, and other types of files for the most common types of malware, using a detection rule set provided by the Cisco Talos Security Intelligence and Research Group (Talos). Because local analysis does not query the AMP cloud and does not run the file, local malware analysis saves time and system resources. -> Local malware analysis does not upload files anywhere; it only inspects them on the device.
There is no separate "sandbox analysis" feature; sandboxing is simply the method dynamic analysis uses, running suspicious files in a virtual machine.
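As an added illustration of the three analysis paths described above (this is not Cisco code and not the real Spero algorithm, which is proprietary), here is a hypothetical Python model: the structural path fingerprints only the PE header metadata and would upload just that digest, the dynamic path would have to ship the whole file, and the local path checks a constructed rule set on the device with no upload at all. The minimal PE-like sample, the rule set and every function name are constructed for this example.

```python
"""Simplified model of AMP's three file-analysis paths (illustrative only, not
Cisco's implementation):
  - structural: hash of executable header metadata only (Spero-style)
  - dynamic:    the whole file has to leave the device for sandboxing
  - local:      rule matching on the device, nothing uploaded
"""
import hashlib
import struct


def build_sample_pe(timestamp: int, body: bytes) -> bytes:
    """Constructed minimal PE-like image: DOS stub with e_lfanew, the 'PE\\0\\0'
    signature and a 20-byte COFF header, followed by an arbitrary body."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,     # Machine: x86-64
        3,          # NumberOfSections
        timestamp,  # TimeDateStamp (link time)
        0, 0,       # PointerToSymbolTable, NumberOfSymbols
        240,        # SizeOfOptionalHeader
        0x0022,     # Characteristics: executable image, large-address aware
    )
    return dos_header + b"PE\x00\x00" + coff + body


def is_eligible_executable(data: bytes) -> bool:
    """Only PE images qualify for the structural path ("eligible executable")."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 60)[0]
    return (data[pe_offset:pe_offset + 4] == b"PE\x00\x00"
            and len(data) >= pe_offset + 24)


def structural_fingerprint(data: bytes) -> str:
    """SHA-256 over header metadata only: machine type, section count, link
    timestamp and characteristics. No byte of the file body is included, so the
    device can submit this digest without submitting the file."""
    pe_offset = struct.unpack_from("<I", data, 60)[0]
    machine, nsections, timestamp, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_offset + 4)
    fields = struct.pack("<HHIH", machine, nsections, timestamp, chars)
    return hashlib.sha256(fields).hexdigest()


def whole_file_hash(data: bytes) -> str:
    """Content hash; changes whenever any byte of the file changes."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a Talos-style local rule set: byte patterns checked
# entirely on the device. The marker string is made up for this example.
LOCAL_RULES = {"constructed-bad-marker": b"SAMPLE-MALICIOUS-MARKER"}


def local_analysis(data: bytes) -> list:
    """Return the names of local rules that match; no cloud query involved."""
    return [name for name, pattern in LOCAL_RULES.items() if pattern in data]


def route_file(data: bytes) -> dict:
    """Summarise what each path would send off the device for this file."""
    result = {
        "local_hits": local_analysis(data),
        "upload_bytes_structural": 0,      # nothing unless eligible
        "upload_bytes_dynamic": len(data),  # sandboxing needs the full file
    }
    if is_eligible_executable(data):
        fp = structural_fingerprint(data)
        result["structural_fingerprint"] = fp
        result["upload_bytes_structural"] = len(fp)  # 64 hex chars, not the file
    return result


if __name__ == "__main__":
    a = build_sample_pe(0x5F000000, b"payload-A" * 100)
    b = build_sample_pe(0x5F000000, b"payload-B" * 100)
    print("same structural fingerprint:", structural_fingerprint(a) == structural_fingerprint(b))
    print("same whole-file hash:", whole_file_hash(a) == whole_file_hash(b))
    print(route_file(a))
```

Two samples that share a header but differ in body produce the same structural fingerprint yet different whole-file hashes, which is why a signature-only submission reveals far less than a full-file upload, and also why it cannot observe runtime behaviour the way dynamic analysis can.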
Question 3
Question 4
Question 5
Question 6
Question 7
Explanation
Advanced Malware Protection (AMP) for Endpoints (now Cisco Secure Endpoint) offers a variety of lists, referred to as Outbreak Control, that allow you to customize it to your needs. The main lists are: Simple Custom Detections, Blocked Applications, Allowed Applications, Advanced Custom Detections, and IP Blocked and Allowed Lists.
A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect and quarantine.
Allowed Applications lists are for files you never want to convict. Some examples are a custom application that is detected by a generic engine, or a standard image that you use throughout the company.
Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf
Question 8
Why is Q5 answer not B?
On further reading, Q5 answer C looks right
Q8
I think the answer is B
Q1 should read
What is a valid Cisco AMP file disposition?
I think Answer for Q8 = B
In Cisco Advanced Malware Protection (AMP), a file’s disposition refers to its categorization from the AMP cloud, which determines the actions taken when the file is downloaded. There are three possible dispositions:
Clean: This means the file is known to be safe and poses no threat.
Malicious: The file is known to be harmful and should be blocked.
Unknown: When there is insufficient data to classify the file as either clean or malicious.
What are you trying to say in #1?
A file’s disposition is a categorization from the AMP cloud that determines what actions are taken on the file download.
There are three file dispositions:
Clean – The file is known to be good.
Malicious – The file is known to be harmful.
Unknown – There is insufficient data to classify the file as clean or malicious.