
Cisco Bug: CSCvu21403 - ESA Preclassification engine misclassifies dynamic content documents as LOWRISK

Last Modified

Jul 29, 2020

Products (1)

  • Cisco Email Security Appliance

Known Affected Releases

12.5.1-031 12.5.1-037

Description (partial)

ESA's preclassification engine marks document files that contain dynamic content as LOWRISK, with the stated reason that no active or dynamic content was seen.

This can be verified in the amp_logs:
Tue May 12 07:38:57 2020 Info:   File reputation query initiating. File Name = 'filename.xls', MID = 423317, File Size = 278528 bytes, File Type = application/
Tue May 12 07:38:58 2020 Info:   Response received for file reputation query from Cloud. File Name = 'filename.xls', MID = 423317, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = {removed the SHA values}, upload_action = Recommended to send the file for analysis
Tue May 12 07:38:58 2020 Info:   File not uploaded for analysis.  MID = 423317, File SHA256[{removed the SHA values}], File mime[application/], Reason: No active/dynamic contents exists

AMP with File Analysis is enabled for document files.
The file in question must have active/dynamic content (macros) embedded in it.
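An added triage script (not Cisco's code and not part of this bug record) that scans amp_logs text for the pattern shown above: a document file the cloud recommended for analysis that the preclassification engine then skipped with the reason "No active/dynamic contents exists". Such MIDs are candidates for manual inspection while running an affected release. It assumes the log line formats exactly as quoted above; the document extension list and the sample log lines are constructed.

```python
import re

# Constructed list of extensions for the "document files" the bug conditions describe.
DOC_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                  ".ppt", ".pptx", ".pptm", ".rtf")

# Patterns matching the two amp_logs line types quoted in the bug description.
RESPONSE_RE = re.compile(
    r"Response received for file reputation query from Cloud\. "
    r"File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+), Disposition = (?P<disp>\w+)"
    r".*upload_action = (?P<action>.+)$")
NOT_UPLOADED_RE = re.compile(
    r"File not uploaded for analysis\.\s+MID = (?P<mid>\d+),.*Reason: (?P<reason>.+)$")

# Constructed sample log excerpt modelled on the lines in the bug report (SHA values removed).
SAMPLE_AMP_LOG = """\
Tue May 12 07:38:57 2020 Info:   File reputation query initiating. File Name = 'filename.xls', MID = 423317, File Size = 278528 bytes, File Type = application/
Tue May 12 07:38:58 2020 Info:   Response received for file reputation query from Cloud. File Name = 'filename.xls', MID = 423317, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = {removed}, upload_action = Recommended to send the file for analysis
Tue May 12 07:38:58 2020 Info:   File not uploaded for analysis.  MID = 423317, File SHA256[{removed}], File mime[application/], Reason: No active/dynamic contents exists
Tue May 12 07:39:10 2020 Info:   Response received for file reputation query from Cloud. File Name = 'notes.txt', MID = 423318, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = {removed}, upload_action = Recommended to send the file for analysis
Tue May 12 07:39:10 2020 Info:   File not uploaded for analysis.  MID = 423318, File SHA256[{removed}], File mime[text/plain], Reason: No active/dynamic contents exists
Tue May 12 07:40:01 2020 Info:   Response received for file reputation query from Cloud. File Name = 'budget.docm', MID = 423319, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = {removed}, upload_action = Recommended to send the file for analysis
"""


def find_suspect_skips(log_text):
    """Return {mid: filename} for document files that the cloud recommended sending for
    analysis but that the preclassification engine skipped as lacking dynamic content."""
    recommended = {}  # MID -> file name, for responses recommending analysis
    suspects = {}
    for line in log_text.splitlines():
        m = RESPONSE_RE.search(line)
        if m:
            if "Recommended to send the file for analysis" in m.group("action"):
                recommended[m.group("mid")] = m.group("name")
            continue
        m = NOT_UPLOADED_RE.search(line)
        if m and m.group("reason").strip() == "No active/dynamic contents exists":
            name = recommended.get(m.group("mid"))
            # Only document types are in scope; a skipped .txt is expected behaviour.
            if name and name.lower().endswith(DOC_EXTENSIONS):
                suspects[m.group("mid")] = name
    return suspects


if __name__ == "__main__":
    for mid, name in find_suspect_skips(SAMPLE_AMP_LOG).items():
        print(f"MID {mid}: {name} skipped for analysis; verify manually for macros")
```

Run it against a copy of amp_logs from the appliance; the MIDs it reports are the messages whose attachments should be inspected by hand for embedded macros.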