Exam 350-701 topic 1 question 210 discussion

Actual exam question from Cisco's 350-701
Question #: 210
Topic #: 1

A Cisco ESA network administrator has been tasked to use a newly installed service to help create policy based on the reputation verdict. During testing, it is discovered that the Cisco ESA is not dropping files that have an undetermined verdict. What is causing this issue?

  • A. The policy was created to send a message to quarantine instead of drop.
  • B. The file has a reputation score that is below the threshold.
  • C. The file has a reputation score that is above the threshold.
  • D. The policy was created to disable file analysis.
Suggested Answer: B

Comments

Dinges
Highly Voted 3 years, 3 months ago
I found B a possibility. Quarantine is only for unrecognised files. When a file is undetermined, the reputation score is checked. Reputation 1-59: Deliver file / Reputation 60-100: Block file. So B looks correct. Look at Figure 1. Advanced Malware Protection Workflow for Public-Cloud File Analysis Deployments: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010000.html
upvoted 20 times
...
itisfakemaillol
Highly Voted 3 years, 4 months ago
I am sure it is D. The policy was created to disable file analysis. When the reputation is not clear = undetermined, the file should be sent for file analysis. It is not happening, so the file is not dropped.
upvoted 6 times
...
Pierre_Bouvier
Most Recent 2 months, 4 weeks ago
Selected Answer: D
Based on the Cisco documentation, files with an undetermined verdict (i.e., "Unscannable" or files without sufficient reputation data) can be configured to either be sent for further analysis or quarantined. If no policy action is set to quarantine or analyze such files, they may be released to the recipient. Given this, the most likely reason for the issue you're describing is: D. The policy was created to disable file analysis. Disabling file analysis would prevent undetermined verdicts from being processed correctly, leading to files not being dropped or quarantined as expected. https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-2-3/User_Guide/b_ESA_Admin_Guide_14-2-3/b_ESA_Admin_Guide_12_1_chapter_010001.html#con_1809437
upvoted 1 times
...
Ozzig
5 months, 3 weeks ago
Selected Answer: B
Check the flow diagram, it's B: https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-2-3/User_Guide/b_ESA_Admin_Guide_14-2-3/b_ESA_Admin_Guide_12_1_chapter_010001.html#con_1809437
upvoted 3 times
...
rishard
1 year, 3 months ago
The correct answer is B (it took me long to understand that). There is a difference between "Undetermined" (from the question) and "Unrecognized". Undetermined - It checks the file score (which is in the question - right answer - B). Unrecognized - Push file for analysis (Answer D - which is wrong in this case). https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010000.html
upvoted 3 times
...
rishard
1 year, 4 months ago
I would go with D. When a file's reputation verdict is undetermined, it means that the Cisco ESA's file analysis feature could not determine the reputation of the file. In a typical configuration, the Cisco ESA would have the ability to drop or quarantine files based on their reputation verdicts. However, if the policy is set to disable file analysis, it means that the Cisco ESA is not analyzing the files and therefore cannot drop them based on their reputation. Therefore, option D is the most likely cause of the issue described in the scenario.
upvoted 1 times
...
DWizard
1 year, 4 months ago
Selected Answer: B
Option B is correct. Above figure 1 on the already shared link is the explanation.
upvoted 1 times
...
achille5
1 year, 8 months ago
Selected Answer: A
In the scenario described in the question, the issue is that the Cisco ESA is not dropping files that have an undetermined verdict. The undetermined verdict means that the reputation service did not have enough information to determine the file's reputation score. When the Cisco ESA encounters a file with an undetermined verdict, it checks the message filter to determine the action to take. If the message filter is configured to quarantine the message, then the file will be sent to the quarantine area, even if the reputation score is undetermined.
upvoted 1 times
...
nicklapa
1 year, 9 months ago
If the file is known to the reputation service but there is insufficient information for a definitive verdict, the reputation service returns a reputation score based on characteristics of the file such as threat fingerprint and behavioral analysis. If this score meets or exceeds the configured reputation threshold, the appliance applies the action that you have configured in the mail policy for files that contain malware.
upvoted 1 times
...
ureis
1 year, 11 months ago
Selected Answer: D
Maybe the “newly installed service” in this Q mentions Advanced Malware Protection (AMP), which can be used along with ESA. AMP allows superior protection across the attack continuum.
upvoted 1 times
...
Jamesy
2 years, 1 month ago
C is the correct answer. Cheers
upvoted 1 times
...
ChrisMT
2 years, 3 months ago
Answer B guys, please refer to Figure 1. Advanced Malware Protection Workflow for Public-Cloud File Analysis Deployments. The undetermined verdict with score 1-59 will deliver the file to the user. The undetermined verdict with score 60-100 will block the file. So answer C, the reputation score is above the threshold, is correct! https://www.cisco.com/c/dam/en/us/td/i/400001-500000/410001-420000/415001-416000/415734.tif/_jcr_content/renditions/415734.jpg
upvoted 4 times
ChrisMT
2 years, 3 months ago
Sorry for the typo, answer is C
upvoted 2 times
ChrisMT
2 years, 3 months ago
Sorry, typo again, the final answer is B. Confirmed! The old version of the doc is shown below: https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010001.html
upvoted 1 times
Stevens0103
9 months, 3 weeks ago
Should be this one: https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide_14-0/b_ESA_Admin_Guide_ces_14-0/b_ESA_Admin_Guide_12_1_chapter_010001.html
upvoted 1 times
...
...
...
...
Orestesmc
2 years, 4 months ago
It is the reputation of the file that is being inspected; for an indeterminate verdict a score is set from 0 to 100 - C, it's correct. https://www.cisco.com/c/en/us/td/docs/security/ces/user_guide/esa_user_guide/b_ESA_Admin_Guide_ces_11_0/b_ESA_Admin_Guide_chapter_010000.pdf
upvoted 2 times
...
Iarn
2 years, 5 months ago
Selected Answer: B
How are SenderBase Reputation Scores (SBRS) determined, and what do they mean? SenderBase scores are assigned to IP addresses based on a combination of factors, including email volume and reputation. Reputation scores in SenderBase may range from -10 to +10, reflecting the likelihood that a sending IP address is trying to send spam. Highly negative scores indicate senders who are very likely to be sending spam; highly positive scores indicate senders who are unlikely to be sending spam.
upvoted 1 times
...
semi1750
2 years, 6 months ago
Selected Answer: B
B looks correct. "Undetermined verdict" is located right before scoring within the "Recognized File" process under the reputation service. Once a file has an undetermined verdict, there are only 2 options below: deliver or drop based on the reputation score. For D, I am not sure if you can make a policy to disable the file analysis service... you can enable or disable the service optionally...
upvoted 1 times
...
mecacig953
2 years, 7 months ago
Selected Answer: B
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_010000.html
Undetermined verdict, below threshold on reputation score, so delivered.
upvoted 1 times
...
Faruzzi1979
2 years, 7 months ago
Selected Answer: B
Pay attention to "undetermined verdict" (not "unrecognized file"). Policy cannot disable the File Analysis service (so D cannot be the correct answer), but it can send messages with unknown attachments to quarantine while file analysis is performed. After an undetermined verdict for a known file, the reputation score is calculated, and if below the threshold (60), the message is sent to the recipient (B - correct answer). If the file analysis service is enabled (you cannot disable file analysis in the policy) and the file is defined as unrecognized (unknown), and at the same time the policy is set to send unrecognized files to quarantine during file analysis, then potentially this file could be defined as malicious (after sandboxing) and for that reason not delivered to the recipient.
upvoted 2 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other