Cisco Firepower Management Center 4000
33-14
FireSIGHT System User Guide
Chapter 33 Blocking Malware and Prohibited Files
Understanding and Creating File Policies
• For an access control policy using a file policy with Block Malware rules for FTP, if you set the default action to an intrusion policy with Drop when Inline disabled, the system generates events for detected files or malware matching the rules, but does not drop the files. To block FTP file transfers and use an intrusion policy as the default action for the access control policy where you select the file policy, you must select an intrusion policy with Drop when Inline enabled.
• File rules with Block Files and Block Malware actions block automatic resumption of file download via HTTP by blocking new sessions with the same file, URL, server, and client application detected for 24 hours after the initial file transfer attempt occurs.
• In rare cases, if traffic from an HTTP upload session is out of order, the system cannot reassemble the traffic correctly and therefore will not block it or generate a file event.
• If you transfer a file over NetBios-ssn (such as an SMB file transfer) that is blocked with a Block Files rule, you may see a file on the destination host. However, the file is unusable because it is blocked after the download starts, resulting in an incomplete file transfer.
• If you create file rules to detect or block files transferred over NetBios-ssn (such as an SMB file transfer), the system does not inspect files transferred in an established TCP or SMB session started before you apply an access control policy invoking the file policy, so those files will not be detected or blocked.
• If the total number of bytes for all file names for files in a POP3, POP, SMTP, or IMAP session exceeds 1024, file events from the session may not reflect the correct file names for files that were detected after the file name buffer filled.
• If Mac or Linux-based hosts upload text-based files using Mozilla Thunderbird over SMTP, or download text-based files over IMAP or POP, and a file rule captures the file, the captured file size may be different than the actual file size. Mac-based hosts use the CR newline character; Linux-based hosts use the LF newline character. Thunderbird replaces CR and LF in text-based files with the CRLF newline character.
• Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.
• If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the Defense Center cannot establish connectivity with the cloud, the system cannot perform any configured rule action options until cloud connectivity is restored.
• If you are monitoring high volumes of traffic, do not store all captured files, or submit all captured files for dynamic analysis. Doing so can negatively impact system performance.
File Rule Evaluation Example
Unlike in access control policies, where rules are evaluated in numerical order, file policies handle files in rule-action order. That is, simple blocking takes precedence over malware inspection and blocking, which takes precedence over simple detection and logging. As an example, consider four rules that handle PDF files in a single file policy. Regardless of the order in which they appear in the web interface, these rules are evaluated in the following order:
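The precedence described above, as an added example that is not Cisco's code or the guide's own four-rule list: a simplified Python model of rule-action order, where the matching rule with the highest-precedence action wins regardless of where it appears in the policy. The rule fields, the sample policy, and the use of the Detect Files action name for the detection-only case are assumptions made for this model.

```python
"""Simplified model of file-policy rule-action precedence (constructed illustration,
not Cisco code). Rules are (file_type, protocol, action) and are evaluated in
rule-action order rather than the order they are listed in."""
from dataclasses import dataclass
from typing import List, Optional

# Rule-action order: lower number is evaluated first. Simple blocking beats
# malware inspection/blocking, which beats detection-only logging.
# Action names are assumed for this model.
ACTION_PRECEDENCE = {
    "Block Files": 0,
    "Block Malware": 1,
    "Malware Cloud Lookup": 2,
    "Detect Files": 3,
}


@dataclass(frozen=True)
class FileRule:
    file_type: str   # e.g. "PDF"; "ANY" matches every file type (assumed wildcard)
    protocol: str    # e.g. "HTTP", "FTP", "SMTP"; "ANY" matches every protocol
    action: str      # one of the ACTION_PRECEDENCE keys


def rule_matches(rule: FileRule, file_type: str, protocol: str) -> bool:
    return rule.file_type in ("ANY", file_type) and rule.protocol in ("ANY", protocol)


def evaluation_order(rules: List[FileRule]) -> List[FileRule]:
    """Rules in the order the system evaluates them: by action precedence,
    with listed order preserved only among rules sharing the same action."""
    return sorted(rules, key=lambda r: ACTION_PRECEDENCE[r.action])


def evaluate(rules: List[FileRule], file_type: str, protocol: str) -> Optional[FileRule]:
    """Return the first rule, in rule-action order, that matches the detected
    file, or None when no rule applies (the file is neither blocked nor logged)."""
    for rule in evaluation_order(rules):
        if rule_matches(rule, file_type, protocol):
            return rule
    return None


# Constructed policy: four PDF rules listed in a deliberately mixed-up order.
PDF_POLICY = [
    FileRule("PDF", "HTTP", "Detect Files"),
    FileRule("PDF", "ANY", "Malware Cloud Lookup"),
    FileRule("PDF", "HTTP", "Block Malware"),
    FileRule("PDF", "FTP", "Block Files"),
]
```

For a PDF over HTTP the Block Malware rule wins even though it is listed third, and over FTP the Block Files rule wins; over SMTP only the cloud-lookup rule matches.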