350-701 Exam - Question 206


A Cisco ESA network administrator has been tasked to use a newly installed service to help create policy based on the reputation verdict. During testing, it is discovered that the Cisco ESA is not dropping files that have an undetermined verdict. What is causing this issue?

Correct Answer: C

The issue is that the Cisco ESA is not dropping files that have an undetermined verdict. This implies that the action for files with undetermined reputations depends on their reputation score. If the file has a reputation score that is above the threshold, it means it is considered safe or not dangerous enough to be dropped. Therefore, the correct answer is that the file has a reputation score that is above the threshold.

Discussion

17 comments
Dinges (Option: B)
Jul 3, 2021

I found B a possibility. Quarantine is only for unrecognised files. When a file is undetermined, the reputation score is checked. Reputation 1-59: Deliver file / Reputation 60-100: Block file. So B looks correct. Look at Figure 1, Advanced Malware Protection Workflow for Public-Cloud File Analysis Deployments: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010000.html

itisfakemaillol (Option: D)
Jun 27, 2021

I am sure it is D. The policy was created to disable file analysis. When the reputation is not clear = undetermined, the file should be sent for file analysis. It is not happening, so the file is not dropped.

ChrisMT (Option: C)
Jul 21, 2022

Answer B guys, please refer to Figure 1, Advanced Malware Protection Workflow for Public-Cloud File Analysis Deployments. The undetermined verdict with score 1-59 will deliver the file to the user. The undetermined verdict with score 60-100 will block the file. So answer C, the reputation score is above the threshold, is correct! https://www.cisco.com/c/dam/en/us/td/i/400001-500000/410001-420000/415001-416000/415734.tif/_jcr_content/renditions/415734.jpg

ChrisMT
Jul 21, 2022

Sorry for the typo, answer is C

ChrisMT
Jul 21, 2022

Sorry, typo again, the final answer is B. Confirmed! The old version of the doc is shown below: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010001.html

Stevens0103
Jan 10, 2024

Should be this one: https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_14-0/b_ESA_Admin_Guide_ces_14-0/b_ESA_Admin_Guide_12_1_chapter_010001.html

Faruzzi1979 (Option: B)
Mar 16, 2022

Pay attention to "undetermined verdict" (not "unrecognized file"). Policy cannot disable the File Analysis service (so D cannot be the correct answer), but it can send messages with unknown attachments to quarantine while file analysis is performed. After an undetermined verdict for a known file, the reputation score is calculated, and if below the threshold (60), the message is sent to the recipient (B - correct answer). If the file analysis service is enabled (you cannot disable file analysis in the policy) and the file is defined as unrecognized (unknown), and at the same time the policy is set to send unrecognized files to quarantine during file analysis, then potentially this file could be defined as malicious (after sandboxing) and for that reason not delivered to the recipient.

Orestesmc (Option: C)
Jun 13, 2022

It is the reputation of the file that is being inspected; for an indeterminate verdict a score is set from 0 to 100 - C, it's correct. https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide/b_ESA_Admin_Guide_ces_11_0/b_ESA_Admin_Guide_chapter_010000.pdf

rishard (Option: B)
Jul 25, 2023

The correct answer is B (it took me long to understand that). There is a difference between "Undetermined" (from the question) and "Unrecognized". Undetermined - It checks the file score (which is in the question - right answer - B). Unrecognized - Push file for analysis (Answer D - which is wrong in this case). https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010000.html

Ozzig (Option: B)
May 5, 2024

Check the flow diagram, it's B: https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-2-3/User_Guide/b_ESA_Admin_Guide_14-2-3/b_ESA_Admin_Guide_12_1_chapter_010001.html#con_1809437

Kyle1776 (Option: D)
Mar 8, 2022

Alright, have to do some process of elimination on this one.
A (wrong) - quarantining the files is not the answer because that would be temporarily "dropping" them while Talos looks them up, and that is not the case. They are getting through. https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1/b_ESA_Admin_Guide_12_1_chapter_01100.html
B (wrong) - the email has an "undetermined verdict", which means it wouldn't be assigned a threshold to be below.
C (wrong) - the email has an "undetermined verdict", which means it wouldn't be assigned a threshold to be above.
D (correct) - only option left.

mecacig953 (Option: B)
Mar 25, 2022

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_010000.html
Undetermined verdict, below threshold on reputation score, so delivered.

semi1750 (Option: B)
Apr 2, 2022

B looks correct. "Undetermined verdict" is located right before scoring within the "Recognized File" process under the reputation service. Once a file has an undetermined verdict, there are only 2 options below, deliver or drop based on the reputation score. For D, I am not sure if you can make a policy to disable the file analysis service... you can enable or disable the service optionally...

Iarn (Option: B)
Apr 30, 2022

How are SenderBase Reputation Scores (SBRS) determined, and what do they mean? SenderBase scores are assigned to IP addresses based on a combination of factors, including email volume and reputation. Reputation scores in SenderBase may range from -10 to +10, reflecting the likelihood that a sending IP address is trying to send spam. Highly negative scores indicate senders who are very likely to be sending spam; highly positive scores indicate senders who are unlikely to be sending spam.

Jamesy (Option: C)
Sep 25, 2022

C is the correct answer. Cheers

ureis (Option: D)
Nov 10, 2022

Maybe the "newly installed service" in this Q refers to Advanced Malware Protection (AMP), which can be used along with ESA. AMP allows superior protection across the attack continuum.

nicklapa (Option: A)
Jan 13, 2023

If the file is known to the reputation service but there is insufficient information for a definitive verdict, the reputation service returns a reputation score based on characteristics of the file such as threat fingerprint and behavioral analysis. If this score meets or exceeds the configured reputation threshold, the appliance applies the action that you have configured in the mail policy for files that contain malware.

achille5 (Option: A)
Feb 19, 2023

In the scenario described in the question, the issue is that the Cisco ESA is not dropping files that have an undetermined verdict. The undetermined verdict means that the reputation service did not have enough information to determine the file's reputation score. When the Cisco ESA encounters a file with an undetermined verdict, it checks the message filter to determine the action to take. If the message filter is configured to quarantine the message, then the file will be sent to the quarantine area, even if the reputation score is undetermined.

DWizard (Option: B)
Jun 26, 2023

Option B is correct. Above figure 1 on the already shared link is the explanation.

rishard (Option: D)
Jun 29, 2023

I would go with D. When a file's reputation verdict is undetermined, it means that the Cisco ESA's file analysis feature could not determine the reputation of the file. In a typical configuration, the Cisco ESA would have the ability to drop or quarantine files based on their reputation verdicts. However, if the policy is set to disable file analysis, it means that the Cisco ESA is not analyzing the files and therefore cannot drop them based on their reputation. Therefore, option D is the most likely cause of the issue described in the scenario.