Question
A company recently discovered an attack propagating throughout their Windows network via a file named abc123456789xyz.exe. The malicious file was uploaded to a Simple Custom Detection list in the AMP for Endpoints Portal and the currently applied policy for the Windows clients was updated to reference the detection list. Verification testing scans on known infected systems shows that AMP for Endpoints is not detecting the presence of this file as an indicator of compromise. What must be performed to ensure detection of the malicious file?
A. Check the box in the policy configuration to send the file to Cisco Threat Grid for dynamic analysis.
B. Upload the malicious file to the Blocked Application Control List.
C. Upload the SHA-256 hash for the file to the Simple Custom Detection List.
D. Use an Advanced Custom Detection List instead of a Simple Custom Detection List.
Answer
C. Upload the SHA-256 hash for the file to the Simple Custom Detection List.
Explanation
The correct answer is C. Upload the SHA-256 hash for the file to the Simple Custom Detection List.
A Simple Custom Detection list identifies files by their SHA-256 hash, not by file name: the connector hashes each file it evaluates and compares the digest against the entries on the list. A list that does not contain the SHA-256 of abc123456789xyz.exe therefore matches nothing, however the file is named on disk, which is why the verification scans on the infected systems come back clean. Computing the hash on one of the infected hosts and adding it to the list makes the connector detect and quarantine every copy of that exact file on any endpoint running the policy that references the list.
The other options are incorrect. Option A, sending the file to Cisco Threat Grid for dynamic analysis, produces a sandbox report for the sample but does not by itself create a detection for the file. Option B, adding the file to the Application Control Blocked Applications list, only prevents the file from being executed; it does not report or quarantine the file as an indicator of compromise. Option D, using an Advanced Custom Detection list, is not necessary here: advanced lists support signature-style rules that can match on file content beyond a single hash, but a single known file is exactly what a simple SHA-256 entry is for.
To add the SHA-256 hash of the malicious file to a Simple Custom Detection list in the AMP for Endpoints portal:
- Compute the SHA-256 of abc123456789xyz.exe on one of the infected hosts (for example with Get-FileHash -Algorithm SHA256 in PowerShell).
- Log in to the AMP for Endpoints portal.
- Click Outbreak Control.
- Click Simple under Custom Detections.
- Click Edit next to the Simple Custom Detection list that the Windows policy references.
- Paste the SHA-256 hash of the malicious file into the Add SHA-256 field.
- Click Save.
Once the hash is on the list and the connectors have picked up the updated policy, AMP for Endpoints detects any file with that exact SHA-256 and quarantines it, regardless of the file name. Note that the match is exact: a repacked or recompiled variant of the malware has a different SHA-256 and needs its own entry, and the file name in the question is irrelevant to the comparison.
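The following is an added example, not code from the page, from Cisco, or from the AMP for Endpoints connector. It computes the SHA-256 that would be pasted into the Add SHA-256 field, validates that the digest has the shape the list expects (64 hex characters), and emulates the connector's exact-hash comparison over a few constructed files. The file contents, file names and the `scan`/`demo` helpers are constructed for illustration; the point it shows is that a renamed copy still matches while a variant differing by a single byte does not.

```python
"""Hash-based matching as used by a Simple Custom Detection list.

Added example (not Cisco's code). It computes the SHA-256 a practitioner would
paste into the list, checks the digest has the shape the portal expects, and
emulates the connector's exact-hash comparison over constructed sample files.
"""
import hashlib
import re

# A SHA-256 hex digest is exactly 64 hex characters.
SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file on disk in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_digest(digest: str) -> str:
    """Trim and lowercase a digest and reject anything that is not SHA-256 hex.

    An MD5, a SHA-1, or a digest with a stray character would otherwise be
    added to the list and silently match nothing.
    """
    digest = digest.strip().lower()
    if not SHA256_HEX.match(digest):
        raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
    return digest


def build_simple_detection_list(digests) -> frozenset:
    """The list itself is just a set of normalised SHA-256 strings."""
    return frozenset(normalize_digest(d) for d in digests)


def scan(detection_list: frozenset, files: dict) -> list:
    """Emulate the connector (hypothetical helper): hash each file's content and
    return the names whose digest is on the list. Names play no part in the match."""
    return sorted(name for name, data in files.items()
                  if sha256_of_bytes(data) in detection_list)


# Constructed sample content standing in for the real binaries (not real malware).
MALICIOUS = b"MZ\x90\x00" + b"constructed sample body for abc123456789xyz.exe" * 8
BENIGN = b"MZ\x90\x00" + b"constructed sample body for a legitimate program" * 8

# Constructed view of an infected host: the original, a renamed copy, a variant
# differing by one appended byte, and an unrelated program.
SAMPLE_FILES = {
    "abc123456789xyz.exe": MALICIOUS,
    "renamed_copy.exe": MALICIOUS,
    "repacked_variant.exe": MALICIOUS + b"\x00",
    "legit_tool.exe": BENIGN,
}

# What the analyst pastes into the Add SHA-256 field; whitespace and uppercase
# from a copy-paste are tolerated by normalize_digest.
DETECTION_LIST = build_simple_detection_list(
    ["  " + sha256_of_bytes(MALICIOUS).upper() + "\n"]
)


def demo() -> list:
    """Names flagged by the list over SAMPLE_FILES."""
    return scan(DETECTION_LIST, SAMPLE_FILES)


if __name__ == "__main__":
    print("SHA-256 to add:", sha256_of_bytes(MALICIOUS))
    print("flagged:", demo())
    print("missed:", sorted(set(SAMPLE_FILES) - set(demo())))
```

On a real Windows client the digest comes from `Get-FileHash -Algorithm SHA256 C:\path\to\abc123456789xyz.exe` (or from `sha256_of_file` above on a copied sample); the `repacked_variant.exe` entry in the output is the case the list will not catch until its own hash is added.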
Reference
- Secure Endpoint User Guide.pdf (cisco.com)
- Configure a Simple Custom Detection List on the AMP for Endpoints Portal – Cisco
- Create an Advanced Custom Detection List in Cisco Secure Endpoint – Cisco
- Best Practice Guide for Advanced Malware Protection (AMP) on Cisco Email Security – Cisco
- Configure and Manage Exclusions in Cisco Secure Endpoint Connector – Cisco
Implementing and Operating Cisco Security Core Technologies 350-701 certification exam practice question and answer (Q&A) dump with detailed explanation and references, available free and helpful for passing the Implementing and Operating Cisco Security Core Technologies 350-701 exam and earning the Implementing and Operating Cisco Security Core Technologies 350-701 certification.