When submitting files to Cynic from the ATP or SEDR appliance, you receive different results

Article ID: 169983

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

When testing the Cynic feature of the Advanced Threat Protection or Symantec Endpoint Detection and Response appliance, you may make small changes to a file to verify efficacy and to check that Cynic reports the same behavior each time. You may also notice that when a file is submitted to Cynic, a verdict appears with no Modifications listed.

Cause

Due to the unpredictability of live malware, there is no guarantee of consistent behavior. In fact, many viruses, trojans and worms attempt different actions depending on a number of criteria. The main focus should be whether the malicious verdict for the file is accurate.

When a Submit to Sandbox action is triggered, the appliance first submits the SHA2 hash of the file to Cynic to check whether a verdict already exists. If a verdict for that SHA2 hash was cached within the past 30 days, Cynic returns the cached verdict but not the Modifications recorded during the initial analysis of the file. Because any change to the file produces a different SHA2 hash, a modified copy does not match the cached entry and is analyzed again.
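The following is an added illustration of the lookup flow described above; it is not Symantec code and does not reflect Cynic's actual implementation. It models a hash-keyed verdict cache with a 30-day lifetime: a cache hit returns only the verdict, a miss runs a stand-in "detonation" that also records behavior. The classes `VerdictCache` and `SandboxResult`, the functions `detonate` and `submit_to_sandbox`, and the sample file contents are all hypothetical and constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

# Cache lifetime from the article: verdicts are reused for 30 days.
CACHE_TTL = timedelta(days=30)


@dataclass
class CachedVerdict:
    verdict: str
    analyzed_at: datetime


@dataclass
class SandboxResult:
    sha256: str
    verdict: str
    modifications: list  # only populated on a fresh analysis
    from_cache: bool


class VerdictCache:
    """Hypothetical verdict cache keyed by SHA-256 hex digest."""

    def __init__(self):
        self._entries = {}

    def lookup(self, sha256, now):
        entry = self._entries.get(sha256)
        if entry is None or now - entry.analyzed_at > CACHE_TTL:
            return None  # unknown or expired: treat as a miss
        return entry

    def store(self, sha256, verdict, now):
        self._entries[sha256] = CachedVerdict(verdict, now)


def sha2_hex(data: bytes) -> str:
    """The SHA2 (SHA-256) hash the appliance submits before the file itself."""
    return hashlib.sha256(data).hexdigest()


def detonate(data: bytes):
    """Stand-in for the sandbox analysis (hypothetical, not Cynic's logic).

    Uses a constructed marker string to decide the verdict and returns
    constructed sample 'Modifications' for the malicious case.
    """
    if b"SAMPLE-MALICIOUS-MARKER" in data:
        return "malicious", ["dropped file in temp directory",
                             "created persistence registry value"]
    return "clean", []


def submit_to_sandbox(data: bytes, cache: VerdictCache, now: datetime) -> SandboxResult:
    """Hash-first submission: reuse a recent verdict, otherwise analyze."""
    digest = sha2_hex(data)
    hit = cache.lookup(digest, now)
    if hit is not None:
        # Cached verdict: the behavior log is not re-sent.
        return SandboxResult(digest, hit.verdict, [], True)
    verdict, mods = detonate(data)
    cache.store(digest, verdict, now)
    return SandboxResult(digest, verdict, mods, False)


if __name__ == "__main__":
    cache = VerdictCache()
    t0 = datetime(2024, 1, 1)
    sample = b"header SAMPLE-MALICIOUS-MARKER payload"  # constructed test input

    first = submit_to_sandbox(sample, cache, t0)
    again = submit_to_sandbox(sample, cache, t0 + timedelta(days=1))
    tweaked = submit_to_sandbox(sample + b"!", cache, t0 + timedelta(days=1))
    print(first.from_cache, first.modifications)    # False, two entries
    print(again.from_cache, again.modifications)    # True, []
    print(tweaked.from_cache, tweaked.sha256 != first.sha256)  # False, True
```

The third submission shows why small test edits do not hit the cache: a one-byte change yields a different SHA-256, so the file is analyzed afresh and its Modifications are returned. Re-submitting an unchanged file within the 30-day window returns the verdict alone.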

Environment

Cynic is a Symantec technology that executes files in a cloud-based sandbox environment, analyzes them, and reports each step of their behavior. Cynic uses machine-learning technology to compare the results against known malicious attributes. It then correlates your data with real-world data from the Symantec Global Intelligence Network to determine whether the files are malicious.

Resolution

Cynic verdicts do not affect the AV functions of the local SEP client. The SEP client continues to use local virus definitions, SONAR and Insight submissions, and IPS rules to detect malware and malicious activity.

If you suspect a False Positive or a Missed Detection, review the following KB document on submitting the file to Symantec Security Response for analysis: https://support.symantec.com/en_US/article.TECH102419.html.