From the course: Cisco CCNP SCOR Security (350-701) Cert Prep: 3 Endpoint Protection and Secure Access

Dynamic file analysis

- [Instructor] We've already mentioned the fact that the dynamic nature of Cisco AMP offers more advanced protection as opposed to static point-in-time analysis offered by traditional antivirus solutions. When a file becomes present on any endpoint under the control of AMP, AMP will continuously watch the file and record the behavior and activity associated with the file, regardless of whether the file is deemed as good or bad. Anytime that behavior changes over time, AMP can quickly alert and remediate the threat. We can see information about this by going under the "Analysis" tab here at the top, and we can choose "File Analysis." From here, we're going to see a couple of categories listed. We see "Your Files" and "Global Files." From under the "Your Files" area, we can see a history of the analyzed files. In addition to the automatic analysis features within AMP, we can also submit our own specific files that we're concerned with here for analysis. Notice that on the third entry down, there's a red skull listed here. Certainly nefarious. Let's expand this entry and see what we have under here. If we open that up and take a look at the information we see, we notice that this did have an overall threat score, listed on the right, of 95. We see that listed in red, and it is an antivirus-flagged file. We can click the "Report" button on the right as well. And if we do that, that's going to open a new window with a more detailed view of the analysis report. So we can scroll down, and we can see information such as the operating system listed here. We can see that this was run in a sandbox available to Cisco AMP for testing. We can see the file name, when the scan was started... And below that we see all of our behavioral indicators as well, ranked by severity and confidence.
So for example, if we expand the "Remote Manipulator System registry detected" area, and we look under there, we see that this particular file has been observed as having the ability to use remote access. Certainly a concern. Below that, we see "Process modified a file in the system directory." If we expand that, we have more information about exactly what that means. File modification is an action often used by malware to delete tracks by hiding logs or to hide an executable file somewhere on the system. If we continue to scroll down past our behavioral indicators, we're going to see information about DNS, about HTTPS traffic, TCP/IP-related information. We see related processes listed here. We see artifacts listed if we continue to scroll, and much, much more. Lots of great information here. Let's close this report window out, and let's go to our main file analysis window once again. And let's look at that "Global Files" tab. If we click on that, this is going to include public files submitted by others, and it will also include private files submitted inside our own organization. Now, of course, any private files we submit, those are only going to be seen by us, only visible inside of our organization, but we can see any public information that was uploaded here as well. We can search at the top. We can search by a hash. We can search by file name, IP address, or keyword. And we can also submit our own file publicly here as well. Similarly, we can click on any of these analysis reports that we have in place, and we're going to see the same information, very detailed information, about a particular file. Let's close this report. Let's go back to our "Your Files" section. And let's choose one of these dropdown arrows. And one other thing I want to show you... You'll notice in the menu that pops up when we click that, we have an option to choose "File Trajectory." So this is going to open up a window and show us an expanded view of the file across our environment.
Now, this particular file has no history, being a lab environment, but if you have an offending file in production, this could show you the first endpoint that saw this file or saw this threat, as well as every other endpoint that came in contact. So this can help you determine the scope of your problem and also pinpoint the origin endpoint. So that's a look at the dynamic file analysis features of Cisco AMP, including a look at how we can perform manual file analysis and use file trajectory to trace an event.
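The scope-and-origin question that the File Trajectory view answers can be worked through on raw endpoint telemetry. The following Python is an added example, not code from the course or from Cisco AMP: it builds a constructed set of file events (hypothetical hostnames, paths and placeholder hashes, not real indicators), orders them by time for one hash, reports the origin endpoint, lists every endpoint that came into contact with the file, and flags the endpoints where the last recorded action was not a quarantine, i.e. where the file may still be present and remediation is outstanding.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileEvent:
    """One observation of a file on one endpoint (constructed telemetry format)."""
    timestamp: datetime
    endpoint: str
    sha256: str
    action: str  # e.g. "created", "executed", "quarantined"
    path: str


# Constructed sample telemetry. Hashes are placeholders, hostnames are hypothetical.
SAMPLE_HASH = "a" * 64
OTHER_HASH = "b" * 64
SAMPLE_EVENTS = [
    FileEvent(datetime(2024, 5, 1, 9, 15), "laptop-07", SAMPLE_HASH, "created", r"C:\Users\jdoe\Downloads\invoice.exe"),
    FileEvent(datetime(2024, 5, 1, 9, 16), "laptop-07", SAMPLE_HASH, "executed", r"C:\Users\jdoe\Downloads\invoice.exe"),
    FileEvent(datetime(2024, 5, 1, 9, 40), "fileserver-01", SAMPLE_HASH, "created", r"D:\shares\public\invoice.exe"),
    FileEvent(datetime(2024, 5, 1, 10, 5), "laptop-12", SAMPLE_HASH, "created", r"C:\Temp\invoice.exe"),
    FileEvent(datetime(2024, 5, 1, 10, 6), "laptop-12", SAMPLE_HASH, "quarantined", r"C:\Temp\invoice.exe"),
    # Unrelated file on another host; must not appear in the trajectory above.
    FileEvent(datetime(2024, 5, 1, 8, 0), "laptop-03", OTHER_HASH, "created", r"C:\Temp\notes.txt"),
]

# Actions after which the file is no longer considered present on the endpoint.
REMEDIATED_ACTIONS = {"quarantined", "deleted"}


def trajectory(events, sha256):
    """All events for one hash, oldest first (the timeline the trajectory view draws)."""
    return sorted((e for e in events if e.sha256 == sha256), key=lambda e: e.timestamp)


def origin_endpoint(events, sha256):
    """The first endpoint that saw the file, or None if the hash was never observed."""
    traj = trajectory(events, sha256)
    return traj[0].endpoint if traj else None


def affected_endpoints(events, sha256):
    """Every endpoint that came into contact with the file, in order of first contact."""
    first_contact = {}
    for e in trajectory(events, sha256):
        first_contact.setdefault(e.endpoint, e.timestamp)
    return sorted(first_contact, key=first_contact.get)


def still_present(events, sha256):
    """Endpoints whose most recent action for the hash was not a remediation."""
    last_action = {}
    for e in trajectory(events, sha256):  # sorted, so the last write wins
        last_action[e.endpoint] = e.action
    return sorted(h for h, a in last_action.items() if a not in REMEDIATED_ACTIONS)


def scope_summary(events, sha256):
    """Scope of an incident for one hash: origin, breadth, and outstanding remediation."""
    traj = trajectory(events, sha256)
    return {
        "origin": origin_endpoint(events, sha256),
        "first_seen": traj[0].timestamp.isoformat() if traj else None,
        "endpoint_count": len(affected_endpoints(events, sha256)),
        "still_present": still_present(events, sha256),
    }


if __name__ == "__main__":
    for ev in trajectory(SAMPLE_EVENTS, SAMPLE_HASH):
        print(f"{ev.timestamp:%Y-%m-%d %H:%M}  {ev.endpoint:<14} {ev.action:<12} {ev.path}")
    print(scope_summary(SAMPLE_EVENTS, SAMPLE_HASH))
```

The ordering by first contact is what separates the origin endpoint from the rest of the scope; in a real investigation the origin is where you look for the delivery path (the download, the share, the removable media), while the "still present" list is the remediation work queue.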