Cisco Firepower Management Center 4000
33-8
FireSIGHT System User Guide
Chapter 33 Blocking Malware and Prohibited Files
Understanding Malware Protection and File Control
Note that because FireAMP malware detection is performed at the endpoint at download or execution
time, while managed devices detect malware in network traffic, the information in the two types of
malware events is different. For example, endpoint-based malware events contain information on file
path, invoking client application, and so on, while malware detections in network traffic contain port,
application protocol, and originating IP address information about the connection used to transmit the
file.
As another example, for network-based malware events, user information represents the user most
recently logged into the host where the malware was destined, as determined by network discovery. On
the other hand, FireAMP-reported users represent the user currently logged into the endpoint where the
malware was detected, as determined by the local connector.
Note
The IP addresses reported in endpoint-based malware events may not be in your network map—and may
not even be in your monitored network. Depending on your deployment, network architecture, level of
compliance, and other factors, the endpoints where connectors are installed may not be the same hosts
as those monitored by your managed devices.
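The two event types described above carry different fields and attribute the user differently, which matters when an analyst reviews them side by side. The following is an added example (not Cisco code, and not the FireSIGHT event schema): it normalizes a constructed network-based event and a constructed endpoint-based event into one record, preserves the source-specific fields, labels how the user field was determined, and flags whether the reported host address falls inside a constructed monitored network, since endpoint addresses may not. All field names, addresses and values are assumptions for illustration.

```python
"""Normalize network-based and endpoint-based (FireAMP-style) malware events
into one record for side-by-side review.

Added example, not Cisco code. Every field name, address and sample value
below is constructed for illustration; none is the FireSIGHT event schema.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed monitored address space (constructed); in practice this would come
# from the network map or the subnets the managed devices actually see.
MONITORED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass
class MalwareRecord:
    source: str                   # "network" or "endpoint"
    host_ip: str                  # host the malware was destined for / found on
    user: Optional[str]
    user_semantics: str           # how the user field was determined
    in_monitored_network: bool    # endpoint hosts may fall outside the map
    detail: Dict[str, object] = field(default_factory=dict)  # source-only fields


def in_monitored(ip: str) -> bool:
    """True if the address lies in one of the monitored networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_NETWORKS)


def from_network_event(ev: dict) -> MalwareRecord:
    # Network-based detection: the connection that carried the file is known
    # (port, application protocol, originating IP). The user is the one most
    # recently logged into the destination host, per network discovery.
    return MalwareRecord(
        source="network",
        host_ip=ev["dest_ip"],
        user=ev.get("user"),
        user_semantics="most recently logged in (network discovery)",
        in_monitored_network=in_monitored(ev["dest_ip"]),
        detail={
            "port": ev["port"],
            "app_protocol": ev["app_protocol"],
            "originating_ip": ev["src_ip"],
        },
    )


def from_endpoint_event(ev: dict) -> MalwareRecord:
    # Endpoint-based detection: the file path and invoking client application
    # are known. The user is the one currently logged into the endpoint, per
    # the local connector, and the endpoint may not be a monitored host.
    return MalwareRecord(
        source="endpoint",
        host_ip=ev["endpoint_ip"],
        user=ev.get("user"),
        user_semantics="currently logged in (local connector)",
        in_monitored_network=in_monitored(ev["endpoint_ip"]),
        detail={
            "file_path": ev["file_path"],
            "client_app": ev["client_app"],
        },
    )


def normalize(events: List[dict]) -> List[MalwareRecord]:
    """Convert a mixed list of raw events into MalwareRecord objects."""
    records = []
    for ev in events:
        if ev["kind"] == "network":
            records.append(from_network_event(ev))
        elif ev["kind"] == "endpoint":
            records.append(from_endpoint_event(ev))
        else:
            raise ValueError(f"unknown event kind: {ev['kind']!r}")
    return records


# Constructed sample events (hypothetical values, not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "network", "dest_ip": "10.20.3.4", "src_ip": "203.0.113.9",
     "port": 80, "app_protocol": "HTTP", "user": "jdoe"},
    {"kind": "endpoint", "endpoint_ip": "192.168.50.7",
     "file_path": r"C:\Users\asmith\Downloads\invoice.exe",
     "client_app": "outlook.exe", "user": "asmith"},
]

if __name__ == "__main__":
    for rec in normalize(SAMPLE_EVENTS):
        flag = "" if rec.in_monitored_network else "  [host not in monitored network]"
        print(f"{rec.source:8} {rec.host_ip:15} user={rec.user} "
              f"({rec.user_semantics}){flag}")
        print("         ", rec.detail)
```

The `in_monitored_network` flag is the practical takeaway: when an endpoint record's host address is outside the monitored ranges, the network map will have no host profile to pivot to, so the analyst should not expect the two event types to line up on a single host.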
Note that because you cannot use a Malware license with a DC500, nor enable a Malware license on a
Series 2 device, you cannot use those appliances to capture or block individual files, submit files for
dynamic analysis, or view trajectories of files for which you conduct a malware cloud lookup.
The following table summarizes the differences between the two strategies.
Table 33-3 Network vs Endpoint-Based Malware Protection Strategies

Feature | Network-Based | Endpoint-Based (FireAMP)
--- | --- | ---
file type detection and blocking method (file control) | in network traffic, using access control and file policies | not supported
malware detection and blocking method | in network traffic, using access control and file policies | on individual endpoints, using an installed connector that communicates with the Cisco cloud
network traffic inspected | traffic passing through a managed device | none; connectors installed on endpoints directly inspect files