FireSIGHT System User Guide
Chapter 33      Blocking Malware and Prohibited Files
Understanding Malware Protection and File Control
Understanding File Dispositions
The system determines file dispositions based on the disposition returned by the Cisco cloud. A file can have one of the following file dispositions returned by the Cisco cloud, as a result of addition to a file list, or due to threat score:
  • Malware indicates that the cloud categorized the file as malware, or that the file's threat score exceeded the malware threshold defined in the file policy.
  • Clean indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
  • Unknown indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The cloud has not categorized the file.
  • Custom Detection indicates that a user added the file to the custom detection list.
  • Unavailable indicates that the Defense Center could not perform a malware cloud lookup.
Tip: If several recent malware events have the disposition Unavailable, check the cloud connection and port configuration. For more information, see .
Based on the file disposition, the Defense Center instructs the managed device either to block the file or 
to allow its upload or download. To improve performance, if the system already knows the disposition 
for a file based on its SHA-256 value, the Defense Center uses the cached disposition rather than 
querying the Cisco cloud.
Note that file dispositions can change. For example, the cloud can determine that a file that was 
previously thought to be clean is now identified as malware, or the reverse—that a malware-identified 
file is actually clean. When the disposition changes for a file for which you performed a malware lookup 
in the last week, the cloud notifies the Defense Center so the system can take appropriate action the next 
time it detects that file being transmitted. A changed file disposition is called a retrospective disposition.
File dispositions returned from a malware cloud lookup, and any associated threat scores, have a 
time-to-live (TTL) value. After a file disposition has been held for the duration specified in the TTL 
value without update, the system purges the cached information. Dispositions and associated threat 
scores have the following TTL values:
  • Clean — 4 hours
  • Unknown — 1 hour
  • Malware — 1 hour
If a malware cloud lookup against the cache identifies a cached disposition that timed out, the system 
performs a fresh lookup to determine a file disposition.
Understanding File Control
If your organization wants to block not only the transmission of malware files, but all files of a specific 
type (regardless of whether the files contain malware), the file control feature allows you to cast a wider 
net. As with malware protection, managed devices monitor network traffic for transmissions of specific 
file types, then either block or allow the file. 
File control is supported for all file types where the system can detect malware, plus many additional 
file types. These file types are grouped into basic categories, including multimedia (swf, mp3), 
executables (exe, torrent), and PDFs. Note that file control, unlike malware protection, does not require 
queries of the Cisco cloud.