I wrote the following article - which may be of assistance:
Testing Advanced Malware Protection (AMP) on ESA
With the release of AsyncOS 8.5 for the ESA, AMP performs file reputation scanning and file analysis, in order to detect malware in attachments.
In order to implement AMP, you will need to have a valid and active feature key for both File Reputation and File Analysis on your ESA. Please visit System Administration > Feature Keys on the GUI, or use featurekeys on the CLI, to verify the feature keys.
To enable the service from the GUI, go to Security Services > File Reputation and Analysis. From the CLI, you can run ampconfig. Submit and commit your changes to the configuration.
Incoming Mail Policies
Once you have enabled the service, you will need to have this service tied to an incoming mail policy. Go to Mail Policies > Incoming Mail Policies and select your Default Policy, or a pre-configured policy as needed. You will see the Advanced Malware Protection column on the Incoming Mail Policies page. Select the Disabled link for the column, and Enable File Reputation and Enable File Analysis on the options page. You can make any further configuration enhancements to message scanning, actions for un-scannable attachments, and actions for positively identified messages, as needed. Submit and commit your changes to the configuration.
Warning: Cisco cannot be held responsible when these files or your AV scanner in combination with these files cause any damage to your computer or network environment. YOU DOWNLOAD THESE FILES AT YOUR OWN RISK. Download these files only if you are sufficiently secure in the usage of your AV scanner, computer settings, and network environment. This information is provided as a courtesy for testing and reproduction purposes.
Using a valid, pre-configured email account, send the attachment through your ESA and normal processing. You can use the CLI of the ESA, and tail mail_logs to monitor the mail as it processes through. You should see output similar to the following:
Also from the GUI, when using Message Tracking and the Advanced drop-down, you can choose to search for Advanced Malware Protection Positive messages directly:
Advanced Malware Protection Reporting
From the ESA GUI, you will also see report tracking for positively identified messages through AMP. Click Monitor > Advanced Malware Protection and modify the time range as needed. You will now see something similar, using the above examples for input:
If you are not seeing a known, true malware file being positively scanned by AMP, review the mail logs to ensure that another service did not take action on the message and/or attachment before AMP scanned the message.
From the earlier example used, when Sophos Anti-virus is enabled, it actually catches and takes action on the attachment:
The Sophos Anti-virus configuration settings on the incoming mail policy are set to 'drop' for virus infected messages. In this instance, AMP is never reached to scan or take action on the attachment.
This is not always the case. A review of the mail logs and MIDs may be needed in order to ensure that another service OR a content/message filter did not take action against the MID before AMP processing and action would have been reached.
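
The per-MID log review described above, as an added example that is not part of the original post or Cisco tooling: it groups mail_logs lines by MID and reports whether an AMP verdict was logged or another engine dropped the message first. The sample lines are constructed, and their layout is an assumption about ESA mail_logs output; adjust the patterns to match your appliance.

```python
import re
from collections import defaultdict

# Constructed sample lines; the layout is an assumption modeled on ESA
# mail_logs, not output captured from a real appliance.
SAMPLE_LOG = """\
Wed Sep 17 11:31:40 2014 Info: Start MID 19 ICID 21
Wed Sep 17 11:31:43 2014 Info: MID 19 AMP file reputation verdict : MALWARE
Wed Sep 17 11:31:43 2014 Info: Message aborted MID 19 Dropped by amp
Wed Sep 17 11:35:02 2014 Info: Start MID 21 ICID 23
Wed Sep 17 11:35:04 2014 Info: MID 21 antivirus positive 'EICAR-AV-Test'
Wed Sep 17 11:35:04 2014 Info: Message aborted MID 21 Dropped by antivirus
Wed Sep 17 11:40:10 2014 Info: Start MID 22 ICID 24
Wed Sep 17 11:40:12 2014 Info: MID 22 AMP file reputation verdict : CLEAN
Wed Sep 17 11:40:12 2014 Info: Message finished MID 22 done
"""

MID_RE = re.compile(r"\bMID\s*=?\s*(\d+)")
DROP_RE = re.compile(r"Dropped by (\S+)", re.IGNORECASE)
AMP_RE = re.compile(r"\bAMP\b.*verdict\s*:\s*(\w+)", re.IGNORECASE)

def triage(log_text):
    """Return {mid: {"amp_verdict": str|None, "dropped_by": str|None}}."""
    mids = defaultdict(lambda: {"amp_verdict": None, "dropped_by": None})
    for line in log_text.splitlines():
        m = MID_RE.search(line)
        if not m:
            continue  # line is not tied to a message ID
        entry = mids[int(m.group(1))]
        amp = AMP_RE.search(line)
        if amp:
            entry["amp_verdict"] = amp.group(1).upper()
        drop = DROP_RE.search(line)
        if drop:
            entry["dropped_by"] = drop.group(1).lower()
    return dict(mids)

def explain(entry):
    """Summarize whether AMP scanned the message or was pre-empted."""
    if entry["amp_verdict"] is None and entry["dropped_by"]:
        return f"AMP never reached: dropped by {entry['dropped_by']}"
    if entry["amp_verdict"] is None:
        return "no AMP verdict logged"
    return f"AMP verdict {entry['amp_verdict']}"

if __name__ == "__main__":
    for mid, entry in sorted(triage(SAMPLE_LOG).items()):
        print(mid, explain(entry))
```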