Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 5      Managing Reusable Objects 
Working with File Lists
License: Malware
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
Supported Defense Centers: Any except DC500
If you use network-based advanced malware protection (AMP), and the Collective Security Intelligence 
Cloud incorrectly identifies a file’s disposition, you can add the file to a file list using a SHA-256 hash 
value to better detect the file in the future. Depending on the type of file list, you can do the following:
  • To treat a file as if the cloud assigned a clean disposition, add the file to the clean list.
  • To treat a file as if the cloud assigned a malware disposition, add the file to the custom detection list.
Because you manually specify the blocking behavior for these files, the system does not perform 
malware cloud lookups, even if the files are otherwise identified as malware by the cloud. Note that you 
must configure a rule in the file policy with either a Malware Cloud Lookup or Block Malware action and a 
matching file type to calculate a file’s SHA value. For more information, see 
The system’s clean list and custom detection list are included by default in every file policy. You can opt 
not to use either or both lists on a per-policy basis. 
Caution
Do not include files on the clean list that are actually malware. The system does not block them, even if the 
cloud assigned the file a Malware disposition, or if you added the file to the custom detection list. 
Each file list can contain up to 10000 unique SHA-256 values. To add files to the file list, you can:
  • use the event viewer context menu to add a SHA-256 value.
  • upload a file so the system calculates and adds the file’s SHA-256 value.
  • enter a file’s SHA-256 value directly.
  • create and upload a comma-separated value (CSV) source file containing multiple SHA-256 values. 
    All non-duplicate SHA-256 values are added to the file list.
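The following is an added example, not part of the Cisco guide: a pre-upload check that hashes local files and sorts candidate SHA-256 values into new, duplicate, malformed, and over-limit entries before they go into a file list. The function names and the case-insensitive comparison are assumptions of this example; the guide does not describe the CSV column layout, so the code returns lists rather than writing a source file.

```python
import hashlib
import re

MAX_ENTRIES = 10000  # per-list limit stated in this guide
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large samples do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def prepare_hash_list(candidates, existing=(), limit=MAX_ENTRIES):
    """Sort candidates into values to add, duplicates, malformed, and overflow.

    `existing` holds values already on the file list. Values are compared
    in lower case (an assumption of this example, since hex digests are
    often pasted in either case).
    """
    seen = {value.strip().lower() for value in existing}
    result = {"add": [], "duplicate": [], "invalid": [], "over_limit": []}
    for raw in candidates:
        value = raw.strip().lower()
        if not SHA256_RE.fullmatch(value):
            result["invalid"].append(raw)      # wrong length or non-hex
        elif value in seen:
            result["duplicate"].append(value)  # already listed or repeated
        elif len(seen) >= limit:
            result["over_limit"].append(value) # list would exceed the cap
        else:
            seen.add(value)
            result["add"].append(value)
    return result


if __name__ == "__main__":
    # Constructed sample input: digests of two byte strings, a repeat in
    # upper case, and an MD5-length value that must be rejected.
    a = hashlib.sha256(b"sample-a").hexdigest()
    b = hashlib.sha256(b"sample-b").hexdigest()
    report = prepare_hash_list([a, b, a.upper(), "d41d8cd98f00b204e9800998ecf8427e"])
    for key, values in report.items():
        print(key, len(values))
```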
When you add a file to a file list, edit a SHA-256 value in the file list, or delete SHA-256 values from 
the file list, you must reapply any access control policies with file policies that use the list for the changes 
to take effect. 
Because adding a file to a file list affects access control, you must have one of the following to manage 
all aspects of a file list:
  • Administrator access
  • a combination of Network Admin or Access Admin access (to edit the file list), Security Approver 
    access (to reapply access control policies), and Security Analyst or Security Analyst (RO) access (to 
    add a file using the SHA-256 value from the event view)
  • a custom role with Modify Access Control Policy and Object Manager (to edit the file list), Apply 
    Access Control Policy (to reapply access control policies), and Modify File Events (to add a file 
    using the SHA-256 value from the event view) permissions; see 
 