350-701 · Question #327
An engineer adds a custom detection policy to a Cisco AMP deployment and encounters issues with the configuration. The simple detection mechanism is configured, but the dashboard indicates that the ha
The correct answer is C. The engineer is attempting to upload a hash created using MD5 instead of SHA-256. The error indicating a hash is not 64 characters suggests that the engineer is trying to upload an MD5 hash (32 characters) instead of the expected SHA-256 hash (64 characters) for Cisco AMP custom detection policies.
Question
An engineer adds a custom detection policy to a Cisco AMP deployment and encounters issues with the configuration. The simple detection mechanism is configured, but the dashboard indicates that the hash is not 64 characters and is non-zero. What is the issue?
Options
- AThe hash being uploaded is part of a set in an incorrect format
- BThe file being uploaded is incompatible with simple detections and must use advanced detections
- CThe engineer is attempting to upload a hash created using MD5 instead of SHA-256
- DThe engineer is attempting to upload a file instead of a hash
How the community answered
(41 responses)- A5% (2)
- B17% (7)
- C71% (29)
- D7% (3)
Why each option
The error indicating a hash is not 64 characters suggests that the engineer is trying to upload an MD5 hash (32 characters) instead of the expected SHA-256 hash (64 characters) for Cisco AMP custom detection policies.
While incorrect formatting is a possibility, the specific 'not 64 characters' length points directly to the hash algorithm used, rather than a generic format issue for a set.
The question explicitly states a 'hash' is being uploaded and that 'simple detection' is configured, not a file, so this is not the issue.
Cisco AMP (Secure Endpoint) primarily utilizes SHA-256 hashes, which are 64 hexadecimal characters long, for custom simple detections; an MD5 hash is only 32 characters, leading to the specified error.
The error message specifically refers to a 'hash' not being 64 characters, indicating that a hash was provided, albeit an incorrect one, not a file.
Concept tested: Cisco AMP custom detection hash requirements
Source: https://www.cisco.com/c/en/us/td/docs/security/amp/amp-for-endpoints/amp-mac-deployment/amp_mac_deployment_guide/amp_mac_deployment_guide_chapter_0100.html
Topics
Community Discussion
No community discussion yet for this question.