Jon79

Cisco Talos File Reputation


Hi there, how are you?

I've just joined this forum because I'm back to Immunet after a while and so far I really like the new version for its lightness :)

I have a question related to Cisco Talos File Reputation: https://www.talosintelligence.com/talos_file_reputation
Does Immunet rely on this reputation center?

For example, if I search for this SHA, f1d0df0e6b4e050703056fa3cad9b690c45ee7d239d5a45faf3e0cdf6b0ebd20, the result is "malicious". Does this mean that Immunet will identify the file as malicious too?

My understanding is that Immunet uses 4 engines:

  1. Cisco AMP (cloud), which can't be disabled
  2. SPERO (machine learning), which can be disabled
  3. ETHOS (heuristic), which can be disabled
  4. ClamAV (signature-based), which can be disabled

My question is whether engine No. 1 is somehow related to Cisco Talos File Reputation.

Thanks and best regards,

Jon79

Edited by Jon79


If it's a known SHA and it's reporting as malicious, ClamAV and Immunet should both detect it based on the SHA.
Immunet doesn't rely on Talos Intelligence file reputation, but the same hashes searched for there should be convicted on Immunet, if that makes sense.

It should still flag.

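The reply above describes a hash-based conviction: the scanner hashes the file and looks the SHA-256 up in a list, and a hit is a detection regardless of what the bytes look like. The following is an added example, not Immunet, Talos or ClamAV code. It parses and emits ClamAV's `.hsb` hash-signature lines (format `Sha256Hash:FileSize:MalwareName`, with `*` allowed as the size), looks a file up by its hash, and shows what happens when a single byte changes. The signature list and `SAMPLE_FILE` bytes are constructed for the example; the only value taken from the thread is the hash the Talos lookup reported as malicious, and the detection names are made up.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Added example, not Immunet, Talos or ClamAV code. Hash-based conviction:
# hash the file, look the hash up in a list. HSB_TEXT is constructed; only its
# first hash comes from the thread (the value Talos reported as malicious).
# SAMPLE_FILE is invented bytes so that everything runs offline.

# ClamAV .hsb hash-signature format, one signature per line:
#   Sha256Hash:FileSize:MalwareName     (FileSize may be "*" for any size)
# The detection name is made up.
HSB_TEXT = """\
f1d0df0e6b4e050703056fa3cad9b690c45ee7d239d5a45faf3e0cdf6b0ebd20:*:Constructed.Thread.Sample
"""

# Constructed file contents standing in for a sample we want to convict locally.
SAMPLE_FILE = b"constructed sample bytes, not real malware\n"

HEX_DIGITS = frozenset("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, the key used by hash-reputation lookups."""
    return hashlib.sha256(data).hexdigest()


def hsb_line(sha256: str, name: str, size: Optional[int] = None) -> str:
    """Format one .hsb signature line; size=None emits "*" (any size)."""
    h = sha256.lower()
    if len(h) != 64 or not set(h) <= HEX_DIGITS:
        raise ValueError("not a SHA-256 hex digest: %r" % sha256)
    return "%s:%s:%s" % (h, "*" if size is None else size, name)


def parse_hsb(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse .hsb text into {sha256: (size, name)}.

    This parser skips blank lines and lines starting with '#'; it does not
    assume ClamAV itself tolerates them in a signature file.
    """
    sigs: Dict[str, Tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            h, size, name = line.split(":", 2)
        except ValueError:
            raise ValueError("line %d: expected hash:size:name" % lineno)
        h = h.lower()
        if len(h) != 64 or not set(h) <= HEX_DIGITS:
            raise ValueError("line %d: bad SHA-256" % lineno)
        if size != "*" and not size.isdigit():
            raise ValueError("line %d: size must be a number or '*'" % lineno)
        sigs[h] = (size, name)
    return sigs


def scan(data: bytes, sigs: Dict[str, Tuple[str, str]]) -> Tuple[str, str]:
    """Return ("malicious", name) on a hash hit, else ("unknown", "")."""
    entry = sigs.get(sha256_hex(data))
    if entry is None:
        return "unknown", ""
    size, name = entry
    # A sized signature only fires for a file of exactly that size; the size
    # is what lets a scanner skip hashing files that cannot possibly match.
    if size != "*" and int(size) != len(data):
        return "unknown", ""
    return "malicious", name


def with_local_signature(data: bytes, name: str,
                         existing: str = HSB_TEXT) -> Dict[str, Tuple[str, str]]:
    """Append a sized .hsb signature for `data` to `existing` and return the parsed set."""
    return parse_hsb(existing + hsb_line(sha256_hex(data), name, len(data)) + "\n")


if __name__ == "__main__":
    print(sha256_hex(SAMPLE_FILE), scan(SAMPLE_FILE, parse_hsb(HSB_TEXT)))
    sigs = with_local_signature(SAMPLE_FILE, "Constructed.Local.Test")
    print(scan(SAMPLE_FILE, sigs))
    # One appended byte gives a different hash, so the signature no longer matches.
    print(scan(SAMPLE_FILE + b"x", sigs))
```

The last call is the caveat a hash lookup carries: it is an exact match on the whole file, so a "malicious" verdict for one SHA-256 says nothing about a repacked or trivially modified variant, which is why the other engines the first post lists (SPERO, ETHOS) exist alongside hash conviction. The thread's hash is used here only as a lookup key; the file behind it is not available to this example.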

I edited my previous response, hopefully to make more sense and to correct what I previously said.

As for ClamAV, you should report the file in question at clamav.net (select Contact, for FP submissions) so we can correct that.


Well, so far I've used Immunet with ClamAV disabled since I'm always online when I use my PC.

It makes sense to me that Cisco Talos File Reputation and ClamAV are not related; what I'd like to know is whether Cisco Talos File Reputation is in any way related to the engine integrated in Immunet (the one with no option to disable it), which I suppose is Cisco AMP, maybe in a different version compared to the one for business customers.


Immunet does update the server based on feeds from various sources (including Talos Intelligence).
AMP has a lot more features than Immunet, but it does use part of Immunet, as well as other products, for detection and other things.

