FireSIGHT System User Guide
Chapter 33      Blocking Malware and Prohibited Files
  Understanding and Creating File Policies
File Rule Actions and Evaluation Order
Each file rule has an associated action that determines how the system handles traffic that matches the 
conditions of the rule. You can set separate rules within a file policy to take different actions for different 
file types, application protocols, or directions of transfer. The rule actions are as follows, in rule-action 
order:
  • Block Files rules allow you to block specific file types.
  • Block Malware rules allow you to calculate the SHA-256 hash value of specific file types, then use a cloud lookup process to first determine if files traversing your network contain malware, then block files that represent threats.
  • Malware Cloud Lookup rules allow you to log the malware disposition of files traversing your network based on a cloud lookup, while still allowing their transmission.
  • Detect Files rules allow you to log the detection of specific file types to the database, while still allowing their transmission.
For each file rule action, you can configure options to reset the connection when a file transfer is blocked, 
store captured files to the managed device, and submit captured files to the cloud for dynamic and Spero 
analysis. The following table details the options available to each file action.
File and Malware Detection, Capture, and Blocking Notes and Limitations
Note the following details and limitations on file and malware detection, capture, and blocking behavior:
  • If an end-of-file marker is not detected for a file, regardless of transfer protocol, the file will not be blocked by a Block Malware rule or the custom detection list. The system waits to block the file until the entire file has been received, as indicated by the end-of-file marker, and blocks the file when the marker is detected.
  • If the end-of-file marker for an FTP file transfer is transmitted separately from the final data segment, the marker will be blocked and the FTP client will indicate that the file transfer failed, but the file will actually completely transfer to disk.
  • If the traffic from an FTP data session and its control session are not load-balanced to the same Snort, files in that FTP session may not be blocked by file rules with Block Files or Block Malware actions or by the custom detection list. File events should be generated for the session.
Table 33-5      File Rule Actions

Block Files
  Resets connection?          yes (recommended)
  Stores files?               yes, you can store all matching file types
  Dynamic analysis?           no
  Spero analysis for MSEXE?   no

Block Malware
  Resets connection?          yes (recommended)
  Stores files?               yes, you can store file types matching the file dispositions you select
  Dynamic analysis?           yes, you can submit executable files with unknown file dispositions
  Spero analysis for MSEXE?   yes, you can submit executable files

Detect Files
  Resets connection?          no
  Stores files?               yes, you can store all matching file types
  Dynamic analysis?           no
  Spero analysis for MSEXE?   no

Malware Cloud Lookup
  Resets connection?          no
  Stores files?               yes, you can store file types matching the file dispositions you select
  Dynamic analysis?           yes, you can submit executable files with unknown file dispositions
  Spero analysis for MSEXE?   yes, you can submit executable files