Cisco Firepower Management Center 4000
33-5
FireSIGHT System User Guide
Chapter 33 Blocking Malware and Prohibited Files
Understanding Malware Protection and File Control
Using Captured Files, File Events, and Malware Events for Analysis
The system generates malware and file events when files are transferred or blocked. It also collects
information on any files captured by a managed device. You can view these events and information using
the Defense Center’s web interface. Additionally, the Context Explorer and the dashboard provide you
with different types of high-level views of the files (including malware files) detected by your
organization.
To further target your analysis, the network file trajectory feature allows you to track individual files’
paths of transmission. A file’s trajectory page displays summary information about the file, a graphical
map of the file’s transmission from host to host (including blocked transmissions), and a list of the
malware or file events associated with the detection or blocking of those files.
Note that because you cannot use a Malware license with a DC500, nor enable a Malware license on a
Series 2 device, you cannot use those appliances to capture or block individual files, submit files for
dynamic analysis, or view file trajectories for files for which you conduct a malware cloud lookup.
For more information, see the following sections:
Configuring Malware Protection and File Control
License: Protection or Malware
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
You configure malware protection and file control as part of your overall access control configuration
by associating file policies with access control rules. This association ensures that before the system
passes a file in traffic that matches an access control rule’s conditions, it first inspects the file.
A file policy, like its parent access control policy, contains rules that determine how the system handles
files that match the conditions of each rule. You can configure separate file rules to take different actions
for different file types, application protocols, or directions of transfer.
When a file matches a rule, the rule can:
• allow or block files based on simple file type matching
• block files based on malware file disposition
• capture files and store them to the device
• submit captured files for dynamic analysis
In addition, the file policy can:
• automatically treat a file as if it is clean or malware based on entries in the clean list or custom detection list
• treat a file as if it is malware if the file’s threat score exceeds a configurable threshold
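The decision logic just listed (rule matching on file type, application protocol and direction of transfer, the clean and custom detection list overrides, and the threat-score threshold), modelled as an added Python example; this is not Cisco's code, and the field names, action names, rule ordering, list precedence, sample hashes and the threshold value of 76 are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class FileRule:          # one file rule (field names are assumptions for the demo)
    file_types: set      # e.g. {"EXE"}; empty set matches any file type
    protocols: set       # e.g. {"HTTP"}; empty set matches any application protocol
    direction: str       # "download", "upload" or "any"
    action: str          # "block" (type match), "block_malware" (disposition) or "detect"
@dataclass
class FilePolicy:
    rules: list
    clean_list: set = field(default_factory=set)        # hashes always treated as clean
    custom_detection: set = field(default_factory=set)  # hashes always treated as malware
    threat_score_threshold: int = 76                    # assumed threshold value
@dataclass
class FileEvent:         # a file observed in traffic
    sha256: str
    file_type: str
    protocol: str
    direction: str
    cloud_disposition: str = "unknown"  # result of the malware cloud lookup
    threat_score: int = 0               # dynamic analysis score, 0-100
def matches(rule, ev):
    return ((not rule.file_types or ev.file_type in rule.file_types)
            and (not rule.protocols or ev.protocol in rule.protocols)
            and rule.direction in ("any", ev.direction))
def disposition(policy, ev):
    """Lists and the threat-score threshold override the cloud lookup (list precedence assumed)."""
    if ev.sha256 in policy.custom_detection:
        return "malware"
    if ev.sha256 in policy.clean_list:
        return "clean"
    if ev.threat_score >= policy.threat_score_threshold:
        return "malware"
    return ev.cloud_disposition
def evaluate(policy, ev):
    """Verdict from the first matching rule (ordering is an assumption); no match means allow."""
    for rule in policy.rules:
        if matches(rule, ev):
            if rule.action == "block":              # simple file type matching
                return "block"
            if rule.action == "block_malware":      # block on malware disposition only
                return "block" if disposition(policy, ev) == "malware" else "allow"
            return "allow"                          # "detect": pass the file, log the event
    return "allow"

def example_policy():  # constructed sample: block downloaded EXEs; block downloaded PDFs if malware
    return FilePolicy(rules=[FileRule({"EXE"}, set(), "download", "block"),
                             FileRule({"PDF"}, {"HTTP"}, "download", "block_malware")],
                      clean_list={"hash-known-good"}, custom_detection={"hash-known-bad"})
```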
As a simple example, you could implement a file policy that blocks your users from downloading
executable files. As another example, you could examine downloaded PDFs for malware and block any
instances you find. For detailed information on file policies and associating them with access control