Cisco Bug: CSCvu21403 - ESA Preclassification engine misclassifies dynamic content documents as LOWRISK

Last Modified

Jul 29, 2020

Products (1)

  • Cisco Email Security Appliance

Known Affected Releases

12.5.1-031, 12.5.1-037

Description (partial)

Symptom:
The ESA's preclassification engine marks document files that contain dynamic content as LOWRISK, giving as the reason that no active or dynamic content was seen.

This can be verified in the amp_logs:
Tue May 12 07:38:57 2020 Info:   File reputation query initiating. File Name = 'filename.xls', MID = 423317, File Size = 278528 bytes, File Type = application/vnd.ms-excel
Tue May 12 07:38:58 2020 Info:   Response received for file reputation query from Cloud. File Name = 'filename.xls', MID = 423317, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = {removed the SHA values}, upload_action = Recommended to send the file for analysis
Tue May 12 07:38:58 2020 Info:   File not uploaded for analysis.  MID = 423317, File SHA256[{removed the SHA values}], File mime[application/vnd.ms-excel], Reason: No active/dynamic contents exists

Conditions:
AMP with File Analysis is enabled for Document Files.
The file in question must have active or dynamic content (such as macros) embedded in it.
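
To find messages that match this symptom in exported amp_logs, the sketch below pairs each "Response received" line with its "File not uploaded" line and reports document attachments that were LOWRISK, recommended for analysis, and then skipped with the reason quoted above. It is an added example, not Cisco code: the function name, the document MIME prefix list, the sample lines (modeled on the quoted log format) and the SHA placeholders are assumptions.

```python
import re

# Constructed sample in the amp_logs format quoted above. SHA_A/SHA_B/SHA_C are
# placeholders standing in for real SHA-256 values; file names are made up.
SAMPLE = """\
Tue May 12 07:38:58 2020 Info:   Response received for file reputation query from Cloud. File Name = 'filename.xls', MID = 423317, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = SHA_A, upload_action = Recommended to send the file for analysis
Tue May 12 07:38:58 2020 Info:   File not uploaded for analysis.  MID = 423317, File SHA256[SHA_A], File mime[application/vnd.ms-excel], Reason: No active/dynamic contents exists
Tue May 12 07:38:59 2020 Info:   Response received for file reputation query from Cloud. File Name = 'notes.doc', MID = 423317, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = SHA_B, upload_action = Recommended to send the file for analysis
Tue May 12 07:38:59 2020 Info:   File not uploaded for analysis.  MID = 423317, File SHA256[SHA_B], File mime[application/msword], Reason: No active/dynamic contents exists
Tue May 12 07:40:02 2020 Info:   Response received for file reputation query from Cloud. File Name = 'logo.png', MID = 423320, Disposition = LOWRISK, Malware = None, Analysis Score = 0, sha256 = SHA_C, upload_action = Recommended to send the file for analysis
Tue May 12 07:40:02 2020 Info:   File not uploaded for analysis.  MID = 423320, File SHA256[SHA_C], File mime[image/png], Reason: No active/dynamic contents exists
"""

SYMPTOM_REASON = "No active/dynamic contents exists"
# Assumption: MIME prefixes treated as "Document Files"; adjust to your policy.
DOC_MIME_PREFIXES = ("application/vnd.ms-excel", "application/msword",
                     "application/vnd.ms-powerpoint", "application/vnd.openxmlformats-officedocument")

RESPONSE = re.compile(
    r"Response received for file reputation query from Cloud\. "
    r"File Name = '(?P<name>[^']*)', MID = (?P<mid>\d+), Disposition = (?P<disp>[^,]+), "
    r".*sha256 = (?P<sha>[^,]+), upload_action = (?P<action>.+)$")
SKIPPED = re.compile(
    r"File not uploaded for analysis\.\s+MID = (?P<mid>\d+), File SHA256\[(?P<sha>[^\]]*)\], "
    r"File mime\[(?P<mime>[^\]]+)\], Reason: (?P<reason>.+)$")

def find_suspect_skips(log_text):
    """Return one dict per attachment whose log lines match the symptom pattern."""
    responses, hits = {}, []
    for line in log_text.splitlines():
        m = RESPONSE.search(line)
        if m:
            # Key by (MID, SHA) so several attachments in one message stay distinct.
            responses[(m["mid"], m["sha"])] = m
            continue
        m = SKIPPED.search(line)
        resp = m and responses.get((m["mid"], m["sha"]))
        if not resp:
            continue
        if (resp["disp"] == "LOWRISK"
                and resp["action"].startswith("Recommended to send")
                and m["reason"].strip() == SYMPTOM_REASON
                and m["mime"].startswith(DOC_MIME_PREFIXES)):
            hits.append({"mid": int(m["mid"]), "file": resp["name"], "mime": m["mime"]})
    return hits

if __name__ == "__main__":
    for hit in find_suspect_skips(SAMPLE):
        print(hit)
```

Each hit is a document that the cloud recommended for analysis but the appliance did not upload, so those files are candidates for manual review or resubmission.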