We are using Sky ATP with our SRX 340 and I was curious about why a machine ended up on the Infected Hosts list. It was a false positive but when i look at the security logs generated by the SRX, I see two entries for events AAMW_ACTION_LOG and the they are in reference to the file that was downloaded. When I look at those messages it has a verdict-number field that = -1. Its my understanding that the verdict should be somewhere between 1-10. What does the -1 mean? In Sky ATP the file shows up as a score of 6. So im a bit confused why the security log message says -1 as the verdict for the file and Sky Atp says its a 6. Are the AAMW_ACTION_LOG messages i see each stage of the analysis in Sky ATP? Thanks for the help. Here is the syslog message i am talking about:
<14>1 2019-03-11T15:30:00.363Z SRX340Host RT_AAMW - AAMW_ACTION_LOG [email@example.com hostname="host.com" file-category="pdf" verdict-number="-1" action="PERMIT" list-hit="N/A" file-hash-lookup="FALSE" source-address="x.x.x.x" source-port="64014" destination-address="x.x.x.x" destination-port="443" protocol-id="6" application="HTTPS" nested-application="N/A" policy-name="Threat-Policy" username="N/A" roles="N/A" session-id-32="81554" source-zone-name="zone1" destination-zone-name="zone2" url="/url/to/something"]
When Sky ATP receives a file that it has not seen before, it will provide a verdict of -1, initially, as it scans the file through multiple AV and other engines. Once the file has been fully diagnosed, an updated verdict will be provided and sent to your SRX. In your logs, you should notice an updated verdict for this specific file.
from Sky ATP Admin Guide,https://www.juniper.net/documentation/en_US/release-independent/sky-atp/information-products/pathway-pages/admin/sky-atp-admin-guide.pdfCache Lookup (page 9)When a file is analyzed, a file hash is generated, and the results of the analysis are stored in a database. When a file is uploaded to the Sky ATP cloud, the first step is to check whether this file has been looked at before.If it has, the stored verdict is returned to the SRX Series device and there is no need to re-analyze the file. In addition to files scanned by Sky ATP, information about common malware files is also stored to provide faster response.Cache lookup is performed in realtime.All other techniques are done offline. This means that if the cache lookup does not return a verdict, the file is sent to the client system while the Sky ATP cloud continues to examine the file using the remaining pipeline techniques.If a later analysis returns a malware verdict, then the file and host are flagged.Sky ATP assigns a number between 0-10 to indicate the threat level of files scanned for malware and the threat level for infected hosts. See Table 4 on page 11.
Thank you Nellikka. Answered my question perfectly.