Advanced Threat Protection Cynic™ Sandbox and Insight/Reputation File Disposition Differences

Article ID: 163469

Products

Endpoint Detection and Response, Advanced Threat Protection Platform

Issue/Introduction

Insight/Reputation may return a different Disposition verdict for a specific file than Cynic™ does.
In some cases, Reputation returns a Suspicious Disposition for a file, but Cynic™ returns Clean when the same file is submitted to it.

Advanced Threat Protection (ATP)

Resolution

This is working as designed.

Insight convicts a file based on its reputation only (prevalence, source, file hash, etc.); the conviction is not based on file analysis.
(For more information, see Reputation Based Security.)

Cynic™ analyzes the file when submitted:
Cynic™ detonates files by virtual execution in a cloud-based sandbox environment, then analyzes and reports each step of the observed behavior. Cynic™ uses machine-learning technology to compare the results to known bad attributes. It then correlates your data with real-world data provided by the Symantec Global Intelligence Network to determine if the files are malicious.

While Cynic™ is very effective, its results could potentially affect the Insight technology for everyone, and it is therefore not appropriate for Cynic™ to update the Global Intelligence Network or Insight.

To avoid seeing these specific files flagged as suspicious, whitelist them in ATP.