
Exam 350-701 topic 1 question 57 discussion

Actual exam question from Cisco's 350-701
Question #: 57
Topic #: 1

A company discovered an attack propagating through their network via a file. A custom file detection policy was created in order to track this in the future and ensure no other endpoints execute the infected file. In addition, it was discovered during testing that the scans are not detecting the file as an indicator of compromise. What must be done in order to ensure that the policy created is functioning as it should?

  • A. Create an IP block list for the website from which the file was downloaded.
  • B. Block the application that the file was using to open.
  • C. Upload the hash for the file into the policy.
  • D. Send the file to Cisco Threat Grid for dynamic analysis.
Suggested Answer: C

Comments

zeroC00L
Highly Voted 3 years, 3 months ago
I would go with C here because it looks like they are referring to the "custom detection list" from FMC (Firepower) which is part of the File Policy. With this you can do the following: Override File Disposition Using Custom Lists If a file has a disposition in the AMP cloud that you know to be incorrect, you can add the file’s SHA-256 value to a file list that overrides the disposition from the cloud: To treat a file as if the AMP cloud assigned a clean disposition, add the file to the clean list. To treat a file as if the AMP cloud assigned a malware disposition, add the file to the custom detection list. On subsequent detection, the device either allows or blocks the file without reevaluating the file's disposition. You can use the clean list or custom detection list per file policy. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/file_policies_and_advanced_malware_protection.html
upvoted 7 times
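As an added illustration (not code from the page or from Cisco), the following Python models the override order the quoted FMC guide describes: a clean list and a custom detection list keyed on SHA-256, consulted before a hypothetical cloud_disposition() stand-in for the AMP cloud. It shows why the policy detects nothing until the file's hash is uploaded, and that the hash match survives renaming the file but not changing its bytes.

```python
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory

# Constructed sample contents (not real malware): one "infected" file, one benign file.
INFECTED_BYTES = b"MZ\x90\x00 constructed sample payload for the demo"
BENIGN_BYTES = b"Quarterly report, nothing to see here."


def sha256_of_file(path: Path) -> str:
    """SHA-256 hex digest of the file's bytes: the key a simple custom detection is built on."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def cloud_disposition(sha256: str) -> str:
    """Hypothetical stand-in for the AMP cloud verdict; it returns 'unknown' for everything."""
    return "unknown"


def disposition(path: Path, clean_list: set, custom_detection_list: set) -> str:
    """Apply the override order quoted above: clean list, then custom detection list, then cloud."""
    digest = sha256_of_file(path)
    if digest in clean_list:
        return "clean"
    if digest in custom_detection_list:
        return "malware"
    return cloud_disposition(digest)


def demo() -> dict:
    """Write constructed files to a temp dir and evaluate them against an empty and a populated list."""
    with TemporaryDirectory() as tmp:
        d = Path(tmp)
        infected = d / "invoice.pdf.exe"
        infected.write_bytes(INFECTED_BYTES)
        renamed = d / "readme.txt"            # identical bytes, different name
        renamed.write_bytes(INFECTED_BYTES)
        modified = d / "invoice2.exe"         # one byte appended, so a different hash
        modified.write_bytes(INFECTED_BYTES + b"\x00")
        benign = d / "report.docx"
        benign.write_bytes(BENIGN_BYTES)

        empty_list: set = set()                          # policy created, no hash uploaded yet
        fixed_list = {sha256_of_file(infected)}          # after uploading the SHA-256 (answer C)
        return {
            "before_fix": disposition(infected, set(), empty_list),
            "infected": disposition(infected, set(), fixed_list),
            "renamed": disposition(renamed, set(), fixed_list),
            "modified": disposition(modified, set(), fixed_list),
            "benign": disposition(benign, set(), fixed_list),
        }
```

The "modified" case is the reason a hash-only detection needs follow-up: a single changed byte yields a new SHA-256 and falls back to whatever the cloud knows.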
sull3y
Highly Voted 1 year, 10 months ago
C. Upload the hash for the file into the policy. When a custom file detection policy is created in order to track a specific file, it is necessary to ensure that the file is being properly detected by the security scans. One way to do this is by uploading the hash of the file into the policy. The hash, also known as a digital fingerprint, is a unique identification code that is specific to a file. By including the hash of the infected file in the policy, the scans will be able to detect the file based on its unique characteristics, even if the file has been modified or renamed. This ensures that the policy is functioning as it should and that the infected file will be detected in the future. Although options like blocking the application that the file was using to open, sending the file to Cisco Threat Grid for dynamic analysis or creating an IP block list for the website from which the file was downloaded are good options to prevent the attack, they are not related to the custom file detection policy functionality.
upvoted 5 times
Marshpillowz
Most Recent 8 months, 2 weeks ago
Selected Answer: C
C is correct
upvoted 1 times
Naderelmansi
1 year, 8 months ago
Selected Answer: C
The correct answer is C. Upload the hash for the file into the policy. Option A is not an appropriate response to ensure the policy is functioning, as it involves blocking an IP address rather than detecting the file. Option B is also not an appropriate response, as blocking the application used to open the file may not prevent the file from being downloaded or executed on the endpoint. Option D is a good practice for threat analysis, but it does not address the issue of the custom file detection policy not detecting the file as an indicator of compromise. Uploading the hash of the file into the policy is a more direct approach to ensuring the policy is functioning as it should.
upvoted 2 times
Emlia1
2 years ago
It should be D
upvoted 1 times
sis_net_sec
2 years, 2 months ago
The correct answer is D
upvoted 2 times
otzu1
2 years, 7 months ago
C, configuring the policy doesn't imply it was configured correctly, add the file hash using SHA-256 / OCG: Simple custom detection allows you to add file signatures, while the advanced custom detections are more like traditional antivirus signatures. Creating a simple custom detection is similar to adding new entries to a blacklist. You define one or more files that you are trying to quarantine by building a list of SHA-256 hashes. If you already have the SHA-256 hash of a file, you can paste that hash directly into the UI, or you can upload files directly and allow the cloud to create the SHA-256 hash for you. To create a simple custom detection, navigate to Outbreak Control > Custom Detections > Simple and the list of all existing simple custom detections appears, as shown in Figure 11-3. To add a new one, you must type it in the Name box and click Save, as shown in Figure 11-3.
upvoted 2 times
Wang87
2 years, 10 months ago
Selected Answer: C
Answer is C because question is regarding making custom policy work. By adding hash of file the policy will start working as it should. What must be done in order to ensure that the policy created is functioning as it should?
upvoted 4 times
dr4gn00t
2 years, 10 months ago
Exactly. I was first going with D, but after rereading the question C is the best answer. You need to add the hash for the custom policy to work. By uploading the file to ThreatGrid, it would be detected dynamically but it wouldn't fix the custom detection policy, and this is what is being asked.
upvoted 1 times
Cock
2 years, 11 months ago
Selected Answer: C
I prefer C
upvoted 4 times
Jetnor
3 years ago
I would vote for D because these products are designed to work in an automatic way, so we have to send the file to 'threat grid', and threat grid will automatically update the hash value to the AMP database where our device gets updates about threats.
upvoted 1 times
zheka
3 years ago
For both AMP for Endpoints and AMP under Firepower there's no way to upload the hash for the file into the policy. This gives us an option of D - dynamic analysis with Threat Grid.
upvoted 1 times
flejd
2 years, 11 months ago
You are wrong. Within the Objects tab you can find FILE LIST and in there a CUSTOM DETECTION LIST in which you can add/calculate a SHA256 checksum.
upvoted 2 times
flejd
2 years, 11 months ago
But in the question they mention that the custom detection list is already prepared, so it's not C.
upvoted 1 times
GatPat
1 year, 11 months ago
But then it also says - "What must be done in order to ensure that the policy created is functioning as it should?" So it would be C to make the policy work
upvoted 2 times
NullNull88
3 years ago
Definitely no to A and B. Also not D because we are not sending every single file to threat-grid for analysis as this is not necessary. See documentation on Custom Detection Lists. Answer is C
upvoted 2 times
brownb
3 years ago
I'm thinking D. If the file is still considered unknown then the hash failed to get a positive ID through AMP, so it needs dynamic analysis by sending it to Threat Grid for sandboxing.
upvoted 1 times
eazy99
3 years, 3 months ago
I believe the answer is C, they already created a custom file, and the scans can’t discover it, so they need to upload the hash for the scans to detect it because the scans needs some help to identify the malicious file, and nothing better than the hash in this scenario.
upvoted 4 times
ic0deem
3 years, 3 months ago
I vote for D, since this is a Cisco exam and traditional IoCs do not seem effective.
upvoted 1 times
Sarbi
3 years, 3 months ago
I think it is A
upvoted 1 times