Insight/Reputation may return a different Disposition verdict on a specific file than Cynic™.
In some cases, a file may get a Suspicious Disposition returned by Reputation, but a Clean when submitted to Cynic™
Advanced Threat Protection (ATP)
This is working as designed.
Insight convicts a file based on its reputation only (prevalence, source, file hash, etc.) and is not based on file analysis.
(For more information see Reputation Based Security)
Cynic™ analyzes the file when submitted:
Cynic™ analysis and virtual execution detonates files in a cloud-based sandbox environment, analyzes, and reports each step of the observed behavior. Cynic uses machine-learning technology to compare the results to known bad attributes. It then correlates your data with real-world data provided by the Symantec Global Intelligence Network to determine if the files are malicious.
While Cynic™ is very effective, its results could potentially affect the Insight technology for everyone, and it is therefore not appropriate for it to update the Global Intelligence Network or Insight.
To avoid seeing these specific files as suspicious in ATP, they can be whitelisted in ATP.