FireSIGHT System User Guide
Chapter 34  Analyzing Malware and File Activity
Working with Dynamic Analysis
Downloading Stored Files to Another Location
License: Malware
Supported Devices: Any except Series 2
Supported Defense Centers: Any except DC500
Once a device stores a file, you can download that file as long as the Defense Center can communicate with the device and the device has not deleted the file. You can analyze the file manually, or download it to a local host for long-term storage and analysis. You can download a file from any associated file event, malware event, captured file view, or the file's trajectory. For more information, see
Because malware is harmful, by default you must confirm every file download. However, you can disable the confirmation in the file download prompt. To re-enable the confirmation, see
Caution
Cisco strongly recommends you do not download malware, as it can cause adverse consequences. Exercise caution when downloading any file, as it may contain malware. Ensure you have taken any necessary precautions to secure the download destination before downloading files.
Because files with a disposition of Unknown may contain malware, when you download a file the system first archives it in a .zip package. The .zip file name contains the file disposition, the file type (if available), and the SHA-256 value. You can password-protect the .zip file to prevent accidental unpacking. To edit or remove the default .zip file password, see .
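The guide says the downloaded archive's name carries the disposition, the file type and the SHA-256 of the captured file, which gives an analyst a way to confirm that what landed on the analysis host is the file the Defense Center recorded. The following is an added example written for this page, not Cisco code and not part of the guide: it assumes an archive naming layout of the form "<disposition>_<type>_<sha256>.zip" (the page does not state the exact layout, so that pattern is a constructed assumption), verifies that the single member's SHA-256 matches the hash in the name, and refuses oversized members before they are fully read. The sample archive it builds is constructed inline and unencrypted, because Python's zipfile module cannot write password-protected archives; reading a ZipCrypto-protected member with pwd= is supported.

```python
"""Check a downloaded captured-file archive before analysis (added example).

Assumed archive naming convention (not stated on the page):
    <disposition>_<filetype>_<sha256>.zip      e.g. Unknown_PDF_<64 hex>.zip
    <disposition>_<sha256>.zip                 when the file type is unavailable
"""
import hashlib
import io
import re
import zipfile

# Hypothetical name pattern: disposition, optional file type, 64-hex SHA-256.
ARCHIVE_NAME_RE = re.compile(
    r"^(?P<disposition>[A-Za-z]+)_"
    r"(?:(?P<ftype>[A-Za-z0-9]+)_)?"
    r"(?P<sha256>[0-9a-fA-F]{64})\.zip$"
)

# Refuse to inflate members larger than this; the real limits live in the
# access control policy, this value is a constructed default for the demo.
MAX_MEMBER_BYTES = 64 * 1024 * 1024


def parse_archive_name(name):
    """Return the fields encoded in the archive name, or None if it does not fit."""
    m = ARCHIVE_NAME_RE.match(name)
    if m is None:
        return None
    return {
        "disposition": m.group("disposition"),
        "ftype": m.group("ftype"),            # None when the type was unavailable
        "sha256": m.group("sha256").lower(),
    }


def verify_archive(archive_bytes, archive_name, password=None, max_bytes=MAX_MEMBER_BYTES):
    """Return (ok, reason).

    ok is True only when the name parses, the archive holds exactly one
    member, that member is within max_bytes, and its SHA-256 equals the
    hash embedded in the archive name.
    """
    meta = parse_archive_name(archive_name)
    if meta is None:
        return False, "archive name does not follow the expected pattern"
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            infos = zf.infolist()
            if len(infos) != 1:
                return False, f"expected one member, found {len(infos)}"
            info = infos[0]
            # Declared size is checked before reading so a bloated member is
            # rejected without inflating it.
            if info.file_size > max_bytes:
                return False, f"member {info.filename} exceeds {max_bytes} bytes"
            data = zf.read(info, pwd=password)
    except (zipfile.BadZipFile, RuntimeError) as exc:
        # RuntimeError covers a wrong or missing password on an encrypted member.
        return False, f"archive could not be read: {exc}"
    digest = hashlib.sha256(data).hexdigest()
    if digest != meta["sha256"]:
        return False, f"SHA-256 mismatch: name says {meta['sha256']}, content is {digest}"
    return True, f"{meta['disposition']} file verified ({len(data)} bytes)"


def build_sample_archive(payload, disposition, ftype=None):
    """Construct an unencrypted archive named per the assumed convention (demo only)."""
    digest = hashlib.sha256(payload).hexdigest()
    name = f"{disposition}_{ftype}_{digest}.zip" if ftype else f"{disposition}_{digest}.zip"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("captured.bin", payload)
    return name, buf.getvalue()


if __name__ == "__main__":
    # Constructed sample bytes standing in for a captured file.
    name, data = build_sample_archive(b"constructed sample content", "Unknown", "PDF")
    print(name, verify_archive(data, name))
    # Same archive under a name with a different hash: rejected.
    bad_name = "Unknown_PDF_" + "0" * 64 + ".zip"
    print(bad_name, verify_archive(data, bad_name))
```

Run the check on the host that receives the download, before the archive is unpacked anywhere an analyst might open the member by accident; a mismatch means either the archive was altered in transit or the wrong archive was picked up, and the file should be fetched again from the Defense Center rather than analyzed.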
Working with Dynamic Analysis
License: Malware
Supported Devices: Any except Series 2
Supported Defense Centers: Any except DC500
To increase the accuracy of the cloud, and to provide additional malware analysis and threat identification, you can submit eligible captured files to the Cisco cloud for dynamic analysis. The cloud runs the file in a test environment and, based on the results, returns a threat score and a dynamic analysis summary report to the Defense Center. You can also submit eligible files to the cloud for Spero analysis, which examines the file's structure to supplement the malware identification.
Submitting a file to the cloud for dynamic analysis depends on the type of file captured, as well as the allowable minimum and maximum file sizes configured in the access control policy. You can submit:
  • a file automatically for dynamic analysis if a file rule performs a malware cloud lookup on an executable file and the file disposition is Unknown
  • up to twenty-five files at once manually for dynamic analysis if they are stored and of a supported file type, such as PDFs, Microsoft Office documents, and others
Once submitted, the files are queued for analysis in the cloud. You can view captured files and a file's trajectory to determine whether a file has been submitted for dynamic analysis. Note that each time a file is submitted for dynamic analysis, the cloud analyzes the file again, even if the first analysis generated results. For more information, see  and