Cisco Firepower Management Center 4000
33-13
FireSIGHT System User Guide
Chapter 33 Blocking Malware and Prohibited Files
Understanding and Creating File Policies
File Rule Actions and Evaluation Order
Each file rule has an associated action that determines how the system handles traffic that matches the conditions of the rule. You can set separate rules within a file policy to take different actions for different file types, application protocols, or directions of transfer. The rule actions are as follows, in rule-action order:
• Block Files rules allow you to block specific file types.
• Block Malware rules allow you to calculate the SHA-256 hash value of specific file types, then use a cloud lookup process to first determine if files traversing your network contain malware, then block files that represent threats.
• Malware Cloud Lookup rules allow you to log the malware disposition of files traversing your network based on a cloud lookup, while still allowing their transmission.
• Detect Files rules allow you to log the detection of specific file types to the database, while still allowing their transmission.
For each file rule action, you can configure options to reset the connection when a file transfer is blocked, store captured files to the managed device, and submit captured files to the cloud for dynamic and Spero analysis. The following table details the options available to each file action.
File and Malware Detection, Capture, and Blocking Notes and Limitations
Note the following details and limitations on file and malware detection, capture, and blocking behavior:
• If an end-of-file marker is not detected for a file, regardless of transfer protocol, the file will not be blocked by a Block Malware rule or the custom detection list. The system waits to block the file until the entire file has been received, as indicated by the end-of-file marker, and blocks the file when the marker is detected.
• If the end-of-file marker for an FTP file transfer is transmitted separately from the final data segment, the marker will be blocked and the FTP client will indicate that the file transfer failed, but the file will actually completely transfer to disk.
• If the traffic from an FTP data session and its control session are not load-balanced to the same Snort instance, files in that FTP session may not be blocked by file rules with Block Files or Block Malware actions or by the custom detection list. File events should be generated for the session.
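The following is an added example, not code from the FireSIGHT guide or from Cisco: a small Python model of the behaviour the two passages above describe, so that the precedence of the four rule actions, the SHA-256 cloud lookup, the dynamic-analysis option for executables with unknown dispositions, and the end-of-file caveat can be exercised against constructed transfers. The rule class, the disposition table standing in for the cloud, the sample policy and the sample file contents are all constructed for illustration and do not reflect the product's internal implementation.

```python
"""Toy model of file-rule evaluation in rule-action order (added example,
not Cisco code). Everything here is constructed: the FileRule class, the
dictionary that stands in for the malware cloud, and the sample transfers."""
import hashlib
from dataclasses import dataclass

BLOCK_FILES = "Block Files"
BLOCK_MALWARE = "Block Malware"
MALWARE_CLOUD_LOOKUP = "Malware Cloud Lookup"
DETECT_FILES = "Detect Files"
# Precedence in the order the guide lists the actions ("rule-action order").
ACTION_ORDER = (BLOCK_FILES, BLOCK_MALWARE, MALWARE_CLOUD_LOOKUP, DETECT_FILES)


@dataclass(frozen=True)
class FileRule:
    action: str
    file_types: frozenset          # e.g. {"MSEXE", "PDF"}
    protocols: frozenset           # e.g. {"HTTP", "FTP"}
    direction: str = "any"         # "upload", "download" or "any"
    dynamic_analysis: bool = False  # per the table, only meaningful for the two malware actions

    def matches(self, file_type, protocol, direction):
        return (file_type in self.file_types and protocol in self.protocols
                and self.direction in ("any", direction))


# Constructed stand-in for the cloud lookup: SHA-256 hex digest -> disposition.
EVIL_SAMPLE = b"MZ\x90\x00" + b"constructed-malicious-sample"
CLEAN_SAMPLE = b"MZ\x90\x00" + b"constructed-clean-sample"
CLOUD_DISPOSITIONS = {
    hashlib.sha256(EVIL_SAMPLE).hexdigest(): "Malware",
    hashlib.sha256(CLEAN_SAMPLE).hexdigest(): "Clean",
}


def cloud_lookup(sha256_hex):
    return CLOUD_DISPOSITIONS.get(sha256_hex, "Unknown")


def evaluate_file(rules, file_type, protocol, direction, segments, eof_seen):
    """Return (verdict, events) for one transfer; verdict is "block" or "allow".

    segments: the file's data segments as received, in order.
    eof_seen: whether the end-of-file marker was observed for this file.
    """
    events = []
    matching = sorted((r for r in rules if r.matches(file_type, protocol, direction)),
                      key=lambda r: ACTION_ORDER.index(r.action))
    if not matching:
        return "allow", events
    rule = matching[0]  # the highest-precedence matching action wins

    if rule.action == BLOCK_FILES:
        events.append(("file event", file_type, "blocked by type"))
        return "block", events
    if rule.action == DETECT_FILES:
        events.append(("file event", file_type, "detected"))
        return "allow", events

    # Block Malware and Malware Cloud Lookup hash the whole file, so they
    # wait for the end-of-file marker; without it the file is not blocked.
    if not eof_seen:
        events.append(("file event", file_type, "no end-of-file marker; not hashed"))
        return "allow", events
    digest = hashlib.sha256(b"".join(segments)).hexdigest()
    disposition = cloud_lookup(digest)
    events.append(("malware event", file_type, disposition))
    # Per the table, executables with unknown dispositions may be submitted for dynamic analysis.
    if disposition == "Unknown" and file_type == "MSEXE" and rule.dynamic_analysis:
        events.append(("dynamic analysis", file_type, "submitted"))
    if rule.action == BLOCK_MALWARE and disposition == "Malware":
        return "block", events
    return "allow", events


# Constructed sample policy: block malicious executables on HTTP/FTP, log downloaded PDFs.
SAMPLE_RULES = (
    FileRule(BLOCK_MALWARE, frozenset({"MSEXE"}), frozenset({"HTTP", "FTP"}),
             dynamic_analysis=True),
    FileRule(DETECT_FILES, frozenset({"PDF"}), frozenset({"HTTP"}), "download"),
)


def split(data, size=8):
    """Chop a byte string into fixed-size segments, as a transfer would deliver it."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    for label, data, eof in (("evil, complete", EVIL_SAMPLE, True),
                             ("evil, no EOF marker", EVIL_SAMPLE, False),
                             ("clean, complete", CLEAN_SAMPLE, True)):
        verdict, ev = evaluate_file(SAMPLE_RULES, "MSEXE", "HTTP", "download", split(data), eof)
        print(f"{label:22} -> {verdict:5} {ev}")
```

Running the model shows the same file being blocked when its end-of-file marker arrives and allowed when it never does, which is the gap the first note describes; a Block Files rule for the same file type would block it regardless, because it needs no hash and sorts first in the precedence order.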
Table 33-5 File Rule Actions

| Action | Resets Connection? | Stores Files? | Dynamic Analysis? | Spero Analysis for MSEXE? |
|---|---|---|---|---|
| Block Files | yes (recommended) | yes, you can store all matching file types | no | no |
| Block Malware | yes (recommended) | yes, you can store file types matching the file dispositions you select | yes, you can submit executable files with unknown file dispositions | yes, you can submit executable files |
| Detect Files | no | yes, you can store all matching file types | no | no |
| Malware Cloud Lookup | no | yes, you can store file types matching the file dispositions you select | yes, you can submit executable files with unknown file dispositions | yes, you can submit executable files |