Cisco Firepower Management Center 4000
33-11
FireSIGHT System User Guide
Chapter 33 Blocking Malware and Prohibited Files
Understanding and Creating File Policies
Keep in mind that the system can perform file inspection on interactively blocked traffic only if the user
bypasses the warning and clicks through to the originally requested site. Otherwise, the connection is
denied without either file or intrusion inspection; see .
You can associate different file policies with individual access control rules in the same access control
policy. This allows you to match various file and malware detection profiles against different types of
traffic on your network. Note, however, that you cannot use a file policy to inspect traffic handled by
the access control default action.
Also note that because you cannot use a Malware license with a DC500, you cannot use that appliance
to apply file policies that perform network-based malware protection. Similarly, because you cannot
enable a Malware license on a Series 2 device, you cannot apply a file policy to those appliances that
performs network-based malware protection.
File and Intrusion Policy Interaction
You can associate both a file policy and an intrusion policy with an access control rule. When you do so,
note that the two policies interact in ways that may change how traffic is inspected.
File inspection occurs before any intrusion policy inspection; that is, the system does not inspect files
blocked by a file policy for intrusions. Within a file policy, simple blocking by type takes precedence
over malware inspection and blocking.
For example, consider a scenario where you normally want to allow certain network traffic as defined in
an access control rule. However, as a precaution, you want to block the download of executable files,
examine downloaded PDFs for malware and block any instances you find, and perform intrusion
inspection on the traffic. You create an access control policy with a rule that matches any traffic and that
is associated with both an intrusion policy and a file policy. The file policy has a rule that matches
downloaded PDFs and has a Block Files action. It has another rule that matches downloaded executable
files and has a Block Malware action. After you apply the policy:
• First, the system blocks the download of all PDF files, based on simple type matching specified in
the file policy. Because they are immediately blocked, these files are subject to neither malware
lookup nor intrusion inspection.
• Next, the system performs malware cloud lookups for executables downloaded to a host on your
network. Any executables with a malware file disposition are blocked, and are not subject to
intrusion inspection.
• Finally, the system uses the intrusion policy associated with the access control rule to inspect any
remaining traffic, including files not blocked by the file policy.
The diagram below illustrates the types of inspection performed on traffic that meets the conditions of
either an Allow or user-bypassed Interactive Block access control rule. For simplicity, the diagram
displays traffic flow for situations where both (or neither) an intrusion and a file policy are associated
with a single access control rule. You can, however, configure one without the other. Without a file
policy, traffic flow is determined by the intrusion policy; without an intrusion policy, traffic flow is
determined by the file policy.
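The evaluation order described in the scenario and the diagram paragraph, written out as a small Python model (an added example, not Cisco code or configuration): Interactive Block traffic is denied outright unless the user bypasses the warning, Block Files by type runs before Block Malware lookup, and only files the file policy does not block reach the intrusion policy. The class names, the `inspect` function, the step labels and the `never_drops` stand-in for an intrusion policy are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

@dataclass
class FilePolicy:
    block_files: Set[str]    # file types with a Block Files action
    block_malware: Set[str]  # file types with a Block Malware action

@dataclass
class Flow:
    ac_action: str                     # "Allow" or "Interactive Block"
    user_bypassed: bool = False        # user clicked through the warning page
    file_type: Optional[str] = None    # detected file type, None if no file
    disposition: Optional[str] = None  # cloud lookup result, e.g. "Malware"

def inspect(flow: Flow, file_policy: Optional[FilePolicy],
            intrusion_drops: Optional[Callable[[Flow], bool]]) -> Tuple[str, List[str]]:
    """Return (verdict, inspections performed) for one flow.

    intrusion_drops stands in for the intrusion policy associated with the
    access control rule: None when there is none, otherwise a drop predicate."""
    steps: List[str] = []
    # Interactively blocked traffic is denied without file or intrusion
    # inspection unless the user bypasses the warning page.
    if flow.ac_action == "Interactive Block" and not flow.user_bypassed:
        return "denied", steps
    if file_policy is not None and flow.file_type is not None:
        # Simple blocking by type takes precedence over malware inspection.
        if flow.file_type in file_policy.block_files:
            steps.append("file:block-by-type")
            return "blocked", steps
        if flow.file_type in file_policy.block_malware:
            steps.append("file:malware-lookup")
            if flow.disposition == "Malware":
                return "blocked", steps
    # Traffic not blocked by the file policy reaches the intrusion policy.
    if intrusion_drops is not None:
        steps.append("intrusion")
        if intrusion_drops(flow):
            return "dropped", steps
    return "allowed", steps

# The file policy from the text's scenario: Block Files on PDFs, Block Malware
# on executables. File type labels here are constructed, not FireSIGHT names.
SCENARIO_POLICY = FilePolicy(block_files={"PDF"}, block_malware={"EXE"})

def never_drops(flow: Flow) -> bool:
    """Stand-in intrusion policy that inspects but drops nothing."""
    return False
```

Passing `None` for either policy reproduces the "one without the other" case from the diagram paragraph: the remaining policy alone decides the flow.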
Regardless of whether the traffic is inspected or dropped by an intrusion or file policy, the system can
inspect it using network discovery; see