Jon79, posted February 11, 2019 (edited)

Hi there, how are you? I've just joined this forum because I'm back to Immunet after a while, and so far I really like the new version for its lightness.

I have a question related to the Cisco Talos File Reputation: https://www.talosintelligence.com/talos_file_reputation

Does Immunet rely on this reputation center? For example, if I search this SHA f1d0df0e6b4e050703056fa3cad9b690c45ee7d239d5a45faf3e0cdf6b0ebd20, the result is "malicious". Does this mean that Immunet will identify the file as malicious too?

My understanding is that Immunet uses 4 engines:
1. Cisco AMP (cloud), which can't be disabled
2. SPERO (machine learning), which can be disabled
3. ETHOS (heuristic), which can be disabled
4. ClamAV (signature-based), which can be disabled

My question is whether engine No. 1 is somehow related to Cisco Talos File Reputation.

Thanks and best regards,
Jon79
Guest Wookiee, posted February 11, 2019

If it's a known SHA and is reporting malicious, ClamAV and Immunet both should detect it based on the SHA. Immunet doesn't rely on Talos Intelligence file rep, but the same hashes searched for should be convicted on Immunet, if that makes sense. It should still flag.
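The reply above rests on hash-based detection: a ClamAV `.hsb` signature is an exact SHA-256 match (optionally tied to a file size), so a known hash is either in the database or it is not. The following is an added illustration, not code from this thread, from Immunet or from the ClamAV project; it implements a small parser for the `.hsb` line format (`SHA256:FileSize:MalwareName`, with `*` as a size wildcard) and matches constructed sample bytes against it. The detection names and the sample files are constructed for this example; the second signature line uses the hash the original poster looked up only to show what such an entry looks like.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class HashSignature:
    sha256: str            # lowercase hex digest
    size: Optional[int]    # None when the signature uses the "*" size wildcard
    name: str              # detection name reported on a hit


def parse_hsb_line(line: str) -> Optional[HashSignature]:
    """Parse one .hsb line: SHA256:FileSize:MalwareName[:FuncLevelMinimum].

    Returns None for blank lines and comments. Digests are normalised to
    lowercase hex so that matching is not case sensitive.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed .hsb line: {line!r}")
    digest, size, name = parts[0].lower(), parts[1], parts[2]
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a SHA-256 hex digest: {parts[0]!r}")
    return HashSignature(digest, None if size == "*" else int(size), name)


def load_hsb(text: str) -> List[HashSignature]:
    """Parse a whole .hsb file, skipping comments and blank lines."""
    sigs = [parse_hsb_line(line) for line in text.splitlines()]
    return [s for s in sigs if s is not None]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hsb(data: bytes, sigs: List[HashSignature]) -> Optional[str]:
    """Return the detection name if the file's SHA-256 (and size) match a signature."""
    digest = sha256_hex(data)
    for sig in sigs:
        if sig.sha256 == digest and (sig.size is None or sig.size == len(data)):
            return sig.name
    return None


# Constructed sample "files" (not real malware; just bytes to hash).
SAMPLE_BAD = b"constructed sample: pretend this is the flagged binary\n"
SAMPLE_GOOD = b"constructed sample: an unrelated, harmless file\n"

# Constructed signature database. The first entry is derived from SAMPLE_BAD
# (written in uppercase hex to exercise normalisation); the second uses the
# SHA-256 the original poster looked up, with the "*" size wildcard. Both
# detection names are placeholders.
HSB_DB = "\n".join([
    "# constructed .hsb database for this example",
    f"{sha256_hex(SAMPLE_BAD).upper()}:{len(SAMPLE_BAD)}:Win.Test.ConstructedSample-1",
    "f1d0df0e6b4e050703056fa3cad9b690c45ee7d239d5a45faf3e0cdf6b0ebd20:*:Placeholder.Talos.Hit-1",
])
SIGNATURES = load_hsb(HSB_DB)


def demo() -> dict:
    """Show when an exact-hash signature hits and when it misses."""
    return {
        "bad": match_hsb(SAMPLE_BAD, SIGNATURES),
        "good": match_hsb(SAMPLE_GOOD, SIGNATURES),
        # one appended byte: same content otherwise, different hash, no hit
        "bad_variant": match_hsb(SAMPLE_BAD + b"\x00", SIGNATURES),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The `bad_variant` case is the point worth keeping in mind when two sources disagree on the same hash: a hash signature only matches the exact bytes, so one engine can carry a hash that another has not yet added, and a trivially modified copy matches neither until its own hash is published.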
Jon79, posted February 11, 2019 (author)

Thanks for your answer. If you look at VirusTotal with the SHA I wrote before, ClamAV reports it as "clean", but Cisco Talos File Reputation reports it as "malicious"; that's why I asked that question: https://www.virustotal.com/#/file/f1d0df0e6b4e050703056fa3cad9b690c45ee7d239d5a45faf3e0cdf6b0ebd20/detection
Guest Wookiee, posted February 11, 2019

I edited my previous response, hopefully to make more sense and to correct what I previously said. As for ClamAV, you should report the file in question to clamav.net and select Contact, for FP submissions, so we can correct that.
Jon79, posted February 11, 2019 (author)

Well, so far I've used Immunet with ClamAV disabled, since I'm always online when I use my PC. It makes sense to me that Cisco Talos File Reputation and ClamAV are not related; what I'd like to know is whether Cisco Talos File Reputation is in any way related to the engine integrated in Immunet without an option to disable it (which I suppose is Cisco AMP, maybe in a different version compared with the one for business customers).
Guest Wookiee, posted February 11, 2019

Immunet does update the server based on the feeds of various sources (including Talos Intelligence). AMP has a lot more features than Immunet, but does use part of Immunet as well as other products for detection and other things.