Ironport - File reputation question

Oscar Soto · ‎09-12-2016

Hi, Enabling the File reputation but not the File analysis would make the ironport to upload all the files to the cloud?

On the documentation it says enabling the file analysis makes the devide upload the file for further inspection but I'd like to know if disabling the file analysis would not upload any file to the amp cloud. On the logs (tail amp) I can see the lines ending with 'upload_action = 1'

Any help please? Thanks

Libin Varghese · ‎09-12-2016

Hi,

File reputation alone would not upload files to the cloud for analysis.

There is a reputation keep alive file amp_watchdog.txt which would still appear in the amp logs with upload-action = 1. However I do not suspect other attachments for emails to be uploaded for analsyis with file analysis turned off.

Thanks
Libin

dmccabej · ‎09-12-2016

To add on to what Libin has already stated, it is correct that you'll not be uploading files for File Analysis (ThreatGrid) while that feature is disabled. At that point, the only way you'll be receiving information about Malicious files is if the file is already known to the File Reputation servers when scanned, or if you receive a Retrospective Verdict back about a file that was originally identified as Clean/Unknown and we now know it to be Malicious.

We do have on-premise ThreatGrid appliances available if your concern is regarding uploading files to the cloud.

Thanks!

-Dennis M.

Oscar Soto · ‎09-13-2016

Thank you both for the help.

Thanks