FireSIGHT System User Guide, page 33-14
Chapter 33: Blocking Malware and Prohibited Files
Understanding and Creating File Policies
• For an access control policy using a file policy with Block Malware rules for FTP, if you set the default action to an intrusion policy with Drop when Inline disabled, the system generates events for detected files or malware matching the rules, but does not drop the files. To block FTP file transfers and use an intrusion policy as the default action for the access control policy where you select the file policy, you must select an intrusion policy with Drop when Inline enabled.
• File rules with Block Files and Block Malware actions block automatic resumption of file download via HTTP by blocking new sessions with the same file, URL, server, and client application detected for 24 hours after the initial file transfer attempt occurs.
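The resumption block above keys on all four attributes (file, URL, server, client application) and expires after 24 hours. The following is an added model of that behaviour for illustration; it is not Cisco code, and the `TransferKey` fields and `ResumeBlockCache` class are my own names for the concept. It shows that a retry of the same download within the window is blocked, while a session that differs in even one attribute (here, the URL) is not matched by the cache and falls through to normal rule evaluation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Window stated in the guide: new matching sessions are blocked for 24 hours.
BLOCK_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class TransferKey:
    """The four attributes the guide says must all match (hypothetical field names)."""
    file_sha256: str
    url: str
    server: str
    client_app: str


class ResumeBlockCache:
    """Constructed model of the 24-hour HTTP resumption block, not the appliance's code."""

    def __init__(self) -> None:
        # key -> time of the initial blocked transfer attempt
        self._blocked: dict[TransferKey, datetime] = {}

    def record_block(self, key: TransferKey, now: datetime) -> None:
        """Remember a Block Files / Block Malware verdict for this transfer."""
        self._blocked.setdefault(key, now)

    def should_block(self, key: TransferKey, now: datetime) -> bool:
        """True if an identical (file, URL, server, client app) session is still inside the window."""
        first_seen = self._blocked.get(key)
        if first_seen is None:
            return False
        if now - first_seen >= BLOCK_WINDOW:
            # Window elapsed: forget the entry so the next attempt is evaluated afresh.
            del self._blocked[key]
            return False
        return True


def demo() -> dict:
    """Exercise the cache with constructed values and return the three verdicts."""
    cache = ResumeBlockCache()
    t0 = datetime(2014, 1, 1, 12, 0, 0)
    key = TransferKey("a" * 64, "http://example.test/report.pdf", "198.51.100.10", "Firefox")
    cache.record_block(key, t0)

    same_later = cache.should_block(key, t0 + timedelta(hours=1))
    # Same file and server, but a different URL: not the same session signature.
    other_url = TransferKey("a" * 64, "http://example.test/mirror/report.pdf", "198.51.100.10", "Firefox")
    different_url = cache.should_block(other_url, t0 + timedelta(hours=1))
    after_window = cache.should_block(key, t0 + timedelta(hours=25))
    return {"same_later": same_later, "different_url": different_url, "after_window": after_window}


if __name__ == "__main__":
    print(demo())
```

A resumed download that reuses the URL but comes from a different client application likewise misses the cache; whether it is blocked then depends on the file rule matching again, not on the 24-hour entry.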
• In rare cases, if traffic from an HTTP upload session is out of order, the system cannot reassemble the traffic correctly and therefore will not block it or generate a file event.
• If you transfer a file over NetBios-ssn (such as an SMB file transfer) that is blocked with a Block Files rule, you may see a file on the destination host. However, the file is unusable because it is blocked after the download starts, resulting in an incomplete file transfer.
• If you create file rules to detect or block files transferred over NetBios-ssn (such as an SMB file transfer), the system does not inspect files transferred in an established TCP or SMB session started before you apply an access control policy invoking the file policy, so those files will not be detected or blocked.
• If the total number of bytes for all file names for files in a POP3, POP, SMTP, or IMAP session exceeds 1024, file events from the session may not reflect the correct file names for files that were detected after the file name buffer filled.
• If Mac or Linux-based hosts upload text-based files using Mozilla Thunderbird over SMTP, or download text-based files over IMAP or POP, and a file rule captures the file, the captured file size may be different than the actual file size. Mac-based hosts use the CR newline character; Linux-based hosts use the LF newline character. Thunderbird replaces CR and LF in text-based files with the CRLF newline character.
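The practical consequence of the newline conversion is that a captured text file's size and hash will not match the copy on the host, even though nothing was tampered with. The following is an added check for that situation, written for this page and not part of the guide or the product: it normalises CR, LF and CRLF to a single convention and reports whether the two copies differ only in line endings. The sample files are constructed; a Mac-style CR file is compared with the CRLF form Thunderbird would transmit, and a binary sample shows a difference the check does not excuse.

```python
import hashlib

# Constructed samples: a CR-terminated text file as it sits on a Mac host, and the
# same content with CRLF endings, as described for Thunderbird on this page.
ORIGINAL_MAC_TEXT = b"first line\rsecond line\rthird line\r"
CAPTURED_CRLF_TEXT = b"first line\r\nsecond line\r\nthird line\r\n"

# Constructed binary sample where the captured copy has an extra byte that is
# NOT a line-ending change, so the mismatch must be treated as a real difference.
ORIGINAL_BINARY = bytes(range(32))
CAPTURED_BINARY = bytes(range(32)) + b"\x00"


def normalize_newlines(data: bytes) -> bytes:
    """Map CRLF, lone CR and lone LF all to LF so that line-ending style is ignored."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def explain_size_mismatch(original: bytes, captured: bytes) -> dict:
    """Compare a host copy with a captured copy and say whether newlines explain the gap.

    newline_only is True only when the raw bytes differ but the newline-normalised
    forms are identical; any other difference is reported as unexplained.
    """
    identical = original == captured
    newline_only = (not identical) and (
        normalize_newlines(original) == normalize_newlines(captured)
    )
    return {
        "identical": identical,
        "size_delta": len(captured) - len(original),
        "newline_only": newline_only,
        "original_sha256": sha256_hex(original),
        "captured_sha256": sha256_hex(captured),
        # Hash of the normalised captured copy: the value to compare across hosts
        # with different newline conventions.
        "normalized_sha256": sha256_hex(normalize_newlines(captured)),
    }


if __name__ == "__main__":
    print(explain_size_mismatch(ORIGINAL_MAC_TEXT, CAPTURED_CRLF_TEXT))
    print(explain_size_mismatch(ORIGINAL_BINARY, CAPTURED_BINARY))
```

When correlating a captured file with the copy found on an endpoint, compare the normalised hashes rather than the raw ones; a raw-hash mismatch on a text file sent through Thunderbird is expected and is not by itself evidence of modification in transit.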
• Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.
• If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the Defense Center cannot establish connectivity with the cloud, the system cannot perform any configured rule action options until cloud connectivity is restored.
• If you are monitoring high volumes of traffic, do not store all captured files, or submit all captured files for dynamic analysis. Doing so can negatively impact system performance.
File Rule Evaluation Example
Unlike in access control policies, where rules are evaluated in numerical order, file policies handle files in . That is, simple blocking takes precedence over malware inspection and blocking, which takes precedence over simple detection and logging. As an example, consider four rules that handle PDF files in a single file policy. Regardless of the order in which they appear in the web interface, these rules are evaluated in the following order:
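To make the precedence concrete, here is an added simulation of how a file policy picks the rule that handles a file. It is written for this page and is not Cisco's implementation. The page states the three tiers (blocking, then malware inspection and blocking, then detection and logging); placing Malware Cloud Lookup between Block Malware and Detect Files in `ACTION_PRECEDENCE` is my assumption, as are the rule names and the four-rule PDF policy, which is constructed and deliberately listed in the "wrong" order to show that listing order does not matter.

```python
from dataclasses import dataclass

# Highest precedence first. The page states blocking > malware inspection and
# blocking > detection; the exact position of Malware Cloud Lookup is an assumption.
ACTION_PRECEDENCE = ["Block Files", "Block Malware", "Malware Cloud Lookup", "Detect Files"]


@dataclass(frozen=True)
class FileRule:
    """One file rule: which files it matches and the action it applies (hypothetical shape)."""
    name: str
    file_types: frozenset   # e.g. {"PDF"}
    protocols: frozenset    # e.g. {"HTTP", "FTP"}
    direction: str          # "Any", "Upload" or "Download"
    action: str             # one of ACTION_PRECEDENCE


def rule_matches(rule: FileRule, file_type: str, protocol: str, direction: str) -> bool:
    return (
        file_type in rule.file_types
        and protocol in rule.protocols
        and rule.direction in ("Any", direction)
    )


def evaluate(policy_rules: list, file_type: str, protocol: str, direction: str):
    """Return the rule that handles the file: the matching rule whose action has the
    highest precedence, irrespective of where it sits in the list. None if no rule matches."""
    matching = [r for r in policy_rules if rule_matches(r, file_type, protocol, direction)]
    if not matching:
        return None
    return min(matching, key=lambda r: ACTION_PRECEDENCE.index(r.action))


# Constructed policy: four PDF rules, listed lowest-precedence first on purpose.
PDF_POLICY = [
    FileRule("detect-any-pdf", frozenset({"PDF"}), frozenset({"HTTP", "FTP", "SMTP"}), "Any", "Detect Files"),
    FileRule("cloud-lookup-http-pdf", frozenset({"PDF"}), frozenset({"HTTP"}), "Any", "Malware Cloud Lookup"),
    FileRule("block-malware-http-download", frozenset({"PDF"}), frozenset({"HTTP"}), "Download", "Block Malware"),
    FileRule("block-ftp-pdf", frozenset({"PDF"}), frozenset({"FTP"}), "Any", "Block Files"),
]


def handling_rule_name(file_type: str, protocol: str, direction: str):
    rule = evaluate(PDF_POLICY, file_type, protocol, direction)
    return None if rule is None else rule.name


if __name__ == "__main__":
    for case in [("PDF", "HTTP", "Download"), ("PDF", "HTTP", "Upload"),
                 ("PDF", "FTP", "Download"), ("PDF", "SMTP", "Upload"), ("EXE", "HTTP", "Download")]:
        print(case, "->", handling_rule_name(*case))
```

Note how an HTTP PDF download is handled by the Block Malware rule even though three other rules also match it, while an HTTP upload, which the Block Malware rule does not cover, falls to the cloud lookup rule rather than to plain detection.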