Home > Malware Protection & AMP

Malware Protection & AMP

September 4th, 2020 Go to comments

Question 1

Question 2

Explanation

Spero analysis examines structural characteristics such as metadata and header information in executable files. After generating a Spero signature based on this information, if the file is an eligible executable file, the device submits it to the Spero heuristic engine in the AMP cloud. Based on the Spero signature, the Spero engine determines whether the file is malware.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Reference_a_wrapper_Chapter_topic_here.html

-> Spero analysis only uploads the signature of the (executable) files to the AMP cloud. It does not upload the whole file. Dynamic analysis sends files to AMP ThreatGrid.

Dynamic Analysis submits (the whole) files to Cisco Threat Grid (formerly AMP Threat Grid). Cisco Threat Grid runs the file in a sandbox environment, analyzes the file’s behavior to determine whether the file is malicious, and returns a threat score that indicates the likelihood that a file contains malware. From the threat score, you can view a dynamic analysis summary report with the reasons for the assigned threat score. You can also look in Cisco Threat Grid to view detailed reports for files that your organization submitted, as well as scrubbed reports with limited data for files that your organization did not submit.

Local malware analysis allows a managed device to locally inspect executables, PDFs, office documents, and other types of files for the most common types of malware, using a detection rule set provided by the Cisco Talos Security Intelligence and Research Group (Talos). Because local analysis does not query the AMP cloud, and does not run the file, local malware analysis saves time and system resources. -> Malware analysis does not upload files to anywhere, it only checks the files locally.

There is no sandbox analysis feature, it is just a method of dynamic analysis that runs suspicious files in a virtual machine.

Question 3

Question 4

Question 5

Question 6

Question 7

Explanation

Advanced Malware Protection (AMP) for Endpoints (now is Secure Endpoint) offers a variety of lists, referred to as Outbreak Control, that allow you to customize it to your needs. The main lists are: Simple Custom Detections, Blocked Applications, Allowed Applications, Advanced Custom Detections, and IP Blocked and Allowed Lists.

A Simple Custom Detection list is similar to a blocked list. These are files that you want to detect and quarantine.

Allowed applications lists are for files you never want to convict. Some examples are a custom application that is detected by a generic engine or a standard image that you use throughout the company

Reference: https://docs.amp.cisco.com/AMP%20for%20Endpoints%20User%20Guide.pdf

Question 8

Comments (5) Comments
  1. Chinkoro
    October 8th, 2020

    Why is Q5 answer not B?

  2. Chinkoro
    October 8th, 2020

    On further reading, Q5 answer C looks right

  3. Omar
    May 4th, 2023

    Q8
    I think the answer is B

  4. keymson
    June 15th, 2023

    Q1 should read
    What is a valid Cisco AMP file disposition?

  5. Ant
    August 3rd, 2023

    I think Answer for Q8 = B

Add a Comment