With so many advanced detection engines, why does Cisco AMP$4$E still leverage SHA$256$ hashes to identify malware?

File hashes allow multiple components in the AMP architecture to quickly share information about a file, enabling the $$see it once, block it everywhere$$ capability.

File hashing is the easiest form of malware recognition.

Files presenting a SHA$256$ hash have likely been polymorphically encrypted in transit, and should immediately be presented to Threat Grid for dynamic analysis.

AMP$4$E$$s Spero engine can inspect SHA$256-$encrypted files for malware detection.