Cisco Talos File Reputation


Jon79
Hi there, how are you?

I've just joined this forum because I'm back to Immunet after a while and so far I really like the new version for its lightness :)

I have a question related to the Cisco Talos File Reputation center: https://www.talosintelligence.com/talos_file_reputation
Does Immunet rely on this reputation center?

For example, if I search this SHA f1d0df0e6b4e050703056fa3cad9b690c45ee7d239d5a45faf3e0cdf6b0ebd20, the result is "malicious". Does this mean that Immunet will identify the file as malicious too?

My understanding is that Immunet uses 4 engines:

  1. Cisco AMP (cloud), which can't be disabled
  2. SPERO (machine learning), which can be disabled
  3. ETHOS (heuristic), which can be disabled
  4. ClamAV (signature-based), which can be disabled

My question is whether engine No. 1 is somehow related to Cisco Talos File Reputation.

Thanks and best regards,

Jon79


Guest Wookiee

If it's a known SHA and it is reporting as malicious, ClamAV and Immunet both should detect it based on the SHA.
Immunet doesn't rely on Talos Intelligence file reputation, but the same hashes searched for should be convicted on Immunet, if that makes sense.

It should still flag.

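The reply above says a known-bad SHA should be convicted by ClamAV "based on the SHA". ClamAV's hash-based detection works through its `.hsb` signature files, where each line is `<sha256>:<file size>:<signature name>` (the size may be `*` to match any size, which requires a fourth minimum-FLEVEL field of at least 73). The following is an added example, not code from Immunet, ClamAV or anyone in this thread: it computes the SHA-256 and size of constructed sample bytes, emits an `.hsb`-style line for them, parses a small signature set, and looks samples up the way a hash signature match does. The sample bytes and signature names are made up for the example; to check a real file against real ClamAV you would use `sigtool --sha256 <file>` and `clamscan -d my.hsb <file>`.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample "files" (just bytes in memory, not real malware).
SAMPLES = {
    "suspect.bin": b"MZ" + b"\x90" * 16 + b"constructed sample for the hash example",
    "benign.txt": b"hello world\n",
}

# Signature name is made up for the example.
SUSPECT_SIG_NAME = "Example.Constructed.Sample-1"


def sha256_and_size(data: bytes) -> Tuple[str, int]:
    """Return (lowercase hex SHA-256, length in bytes) of a file's contents."""
    return hashlib.sha256(data).hexdigest(), len(data)


def make_hsb_line(data: bytes, name: str) -> str:
    """Build a ClamAV .hsb entry for `data`: <sha256>:<size>:<name>."""
    digest, size = sha256_and_size(data)
    return f"{digest}:{size}:{name}"


def parse_hsb(text: str) -> Dict[str, Tuple[Optional[int], str]]:
    """Parse .hsb lines into {sha256: (expected_size or None, name)}.

    A size of '*' means "any size"; ClamAV only accepts that form when the
    optional fourth field (minimum FLEVEL) is present and >= 73.
    """
    db: Dict[str, Tuple[Optional[int], str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 3:
            raise ValueError(f"malformed .hsb line: {line!r}")
        digest, size_field, name = parts[0].lower(), parts[1], parts[2]
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 hex digest: {parts[0]!r}")
        if size_field == "*":
            if len(parts) < 4 or int(parts[3]) < 73:
                raise ValueError(f"wildcard size needs min FLEVEL >= 73: {line!r}")
            expected_size: Optional[int] = None
        else:
            expected_size = int(size_field)
        db[digest] = (expected_size, name)
    return db


def lookup(db: Dict[str, Tuple[Optional[int], str]], data: bytes) -> Optional[str]:
    """Return the signature name if `data` matches a hash entry, else None.

    Both the digest and (unless wildcarded) the exact size must match,
    mirroring how a ClamAV hash signature is evaluated.
    """
    digest, size = sha256_and_size(data)
    entry = db.get(digest)
    if entry is None:
        return None
    expected_size, name = entry
    if expected_size is not None and expected_size != size:
        return None
    return name


def build_example_db() -> Dict[str, Tuple[Optional[int], str]]:
    """Construct a two-entry .hsb text from the samples and parse it back."""
    hsb_text = "\n".join([
        "# constructed signature set for the example",
        make_hsb_line(SAMPLES["suspect.bin"], SUSPECT_SIG_NAME),
        # Same hash, wildcard size, with the required min FLEVEL field:
        f"{sha256_and_size(b'another constructed sample')[0]}:*:Example.Wildcard-1:73",
    ])
    return parse_hsb(hsb_text)


if __name__ == "__main__":
    db = build_example_db()
    for fname, data in SAMPLES.items():
        print(f"{fname}: {lookup(db, data) or 'clean'}")
```

Note that a hash signature is exact-match only: a single changed byte in the file produces a different SHA-256 and a different size, so the hash you look up on Talos must be the hash of the exact bytes on your disk.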

Guest Wookiee

I edited my previous response, hopefully to make more sense and to correct what I previously said.

As for ClamAV, you should report the file in question at clamav.net: select Contact, then the false positive (FP) submission option, so we can correct that.


Well, so far I've used Immunet with ClamAV disabled since I'm always online when I use my PC.

It makes sense to me that Cisco Talos File Reputation and ClamAV are not related. What I'd like to know is whether Cisco Talos File Reputation is in any way related to the engine that is integrated in Immunet without an option to disable it (which I suppose is Cisco AMP, maybe in a different version compared with the one for business customers).


Guest Wookiee

Immunet does update the server based on the feeds of various sources (including Talos Intelligence).
AMP has a lot more features than Immunet, but it does use part of Immunet as well as other products for detection and other things.
