Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1049
Views
0
Helpful
2
Replies

ways to reduce AMP uploads and/or mark mails that were not uploaded

Go to solution
daro
Level 1
Level 1

‎03-12-2017 11:49 AM

Hello,

we are currently using the default upload amount of 100 files per 24hours without any additional ThreatGrid subscription and recently noticed that we are running into the upload limit quite fast.

Besides limiting the file types in the AMP setting what else could I do to limit those uploads?

example which is currently subpar:

we are using a custom macro filter for microsoft documents with a combination of a message filter and then a content filter. We did it that way to have two actions for different recipients.(edit subject and attachment stripping) 

This content filter matches rarely due to the other engines (mostly AMP) intervening.

I am aware of the skip-ampcheck command on the message filter level, but with that malicious messages still can get to the "edit subject" group because I cant define recipients in message filters (except with a 'rcpt-to-dictionary-match', but that is just uncool to manage)

In addition to that would you know a way to filter messages that were scanned by the file reputation and marked for the file upload, but actually were not uploaded? can we somehow make a content filter with the X-Headers of AMP?

thanks
cheers
Daniel

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee

‎03-13-2017 07:50 AM

Hi Daniel,

Besides limiting the file types in the AMP setting you could think of disabling AMP for trusted senders by creating a separate incoming mail policy for them.

I found a defect with the X-AMP-File-Uploaded header, hence that cannot be used at the moment for tracking files uploaded.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd18674/?reffering_site=dumpcr

You would need to manually review the amp logs to narrow down attachments that were not uploaded.

grep "upload_action = 2" amp

Sample output
Thu Feb 16 13:36:05 2017 Info: Response received for file reputation query from Cache. File Name = 'AMPDemoTest.doc', MID = 650, Disposition = FILE UNKNOWN, Malware = None, Reputation Score = 0, sha256 = 9ec36c510fcc745d37fc10f00f67bed83d4d9c23670b4bedb3a2ff8e4dffa7c8, upload_action = 2

You could also push a copy of the amp logs to a syslog server to use third party tools to parse the logs for the required information.

Thank You!
Libin Varghese

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee

‎03-13-2017 07:50 AM

Hi Daniel,

Besides limiting the file types in the AMP setting you could think of disabling AMP for trusted senders by creating a separate incoming mail policy for them.

I found a defect with the X-AMP-File-Uploaded header, hence that cannot be used at the moment for tracking files uploaded.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd18674/?reffering_site=dumpcr

You would need to manually review the amp logs to narrow down attachments that were not uploaded.

grep "upload_action = 2" amp

Sample output
Thu Feb 16 13:36:05 2017 Info: Response received for file reputation query from Cache. File Name = 'AMPDemoTest.doc', MID = 650, Disposition = FILE UNKNOWN, Malware = None, Reputation Score = 0, sha256 = 9ec36c510fcc745d37fc10f00f67bed83d4d9c23670b4bedb3a2ff8e4dffa7c8, upload_action = 2

You could also push a copy of the amp logs to a syslog server to use third party tools to parse the logs for the required information.

Thank You!
Libin Varghese

0 Helpful

Go to solution
daro
Level 1
Level 1
In response to Libin Varghese

‎03-15-2017 02:30 PM

thanks for the information.
it really seems that as of now the only possible way to determine the use of AMP is to forward the logs to a syslog server and search there.

I really hope that there will be some kind of reporting feature in the coming releases.
kind regards
Daniel

0 Helpful
Customers Also Viewed These Support Documents