Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 33-15

Chapter 33      Blocking Malware and Prohibited Files
  Understanding and Creating File Policies
The Defense Center uses warning icons to designate conflicting file rules. For details, hover your 
pointer over a warning icon.
Note that you cannot perform malware analysis on all file types detected by the system. After you select 
values from the Application Protocol, Direction of Transfer, and Action drop-down lists, the system constrains 
the list of file types.
Note that because you cannot use a Malware license with a DC500, you cannot create file rules that use 
the Block Malware or Malware Cloud Lookup action or use that appliance to apply file policies that 
contain rules with those actions. Similarly, because you cannot enable a Malware license on a Series 2 
device, you cannot apply a file policy containing rules with those actions to those appliances.
Logging Captured Files, File Events, Malware Events and Alerts
When you associate a file policy with an access control rule, the system automatically enables file and 
malware event logging for matching traffic. If the file policy is configured to capture and store files, the 
system also automatically enables captured file logging when a file is captured. When the system 
inspects a file, it can generate the following types of events:
  • file events, which represent detected or blocked files, and detected malware files
  • malware events, which represent detected malware files
  • retrospective malware events, which are generated when the Malware file disposition for a 
    previously detected file changes
When a file policy generates a file or malware event, or captures a file, the system automatically logs the 
end of the associated connection to the Defense Center database, regardless of the logging configuration 
of the invoking access control rule. 
Note: File events generated by inspecting NetBIOS-ssn (SMB) traffic do not immediately generate connection 
events because the client and server establish a persistent connection. The system generates connection 
events after the client or server ends the session.
For each of these connection events:
Table 33-6      File Rule Evaluation Order Example

App. Protocol | Direction | Action               | Action Options                                         | Result
SMTP          | Upload    | Block Files          | Reset Connection                                       | Blocks users from emailing PDF files and resets the connection.
FTP           | Download  | Block Malware        | Store Files with Unknown Disposition, Reset Connection | Blocks the download of malware PDF files via file transfer, stores files with an Unknown file disposition to the device, and resets the connection.
POP3, IMAP    | Download  | Malware Cloud Lookup | Store Files with Unknown Disposition, Dynamic Analysis | Inspects PDF files received via email for malware, and stores files with an Unknown file disposition to the device. Submits the files to the Cisco cloud for dynamic analysis.
Any           | Any       | Detect Files         | none                                                   | Detects and logs, but allows the traffic, when users view PDF files on the web (that is, via HTTP).
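The following Python model is an added example, not Cisco code, that replays the four rules of Table 33-6 against sample file transfers and applies the logging behaviour described above (a file or malware event, or a captured file, logs the end of the connection regardless of the access control rule's own logging setting) and the DC500 / Series 2 licensing restriction. Two assumptions are not stated on this page: when several rules match one file, the most restrictive action is taken, in the order Block Files, Block Malware, Malware Cloud Lookup, Detect Files; and the Store Files with Unknown Disposition and Dynamic Analysis options only act on files whose disposition is Unknown. The dataclass and field names are this example's own.

```python
"""Toy model of FireSIGHT file-rule evaluation. Added example; not Cisco code.

Assumptions (not stated on the page this accompanies):
  * When several rules match, the most restrictive action wins, in the order
    Block Files > Block Malware > Malware Cloud Lookup > Detect Files.
  * Store Files with Unknown Disposition / Dynamic Analysis apply only to files
    whose disposition is Unknown.
All type and field names below are this example's, not Cisco's.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

# Lower number wins when several rules match the same file.
ACTION_PRECEDENCE = {"Block Files": 0, "Block Malware": 1,
                     "Malware Cloud Lookup": 2, "Detect Files": 3}

# Actions that require a Malware license (unusable on a DC500 or a Series 2 device).
MALWARE_LICENSE_ACTIONS = {"Block Malware", "Malware Cloud Lookup"}
NO_MALWARE_LICENSE_MODELS = {"DC500", "Series 2"}


@dataclass(frozen=True)
class FileRule:
    app_protocols: FrozenSet[str]      # {"Any"} matches every application protocol
    direction: str                     # "Upload", "Download" or "Any"
    action: str
    file_types: FrozenSet[str]
    store_unknown: bool = False        # Store Files with Unknown Disposition
    reset_connection: bool = False     # Reset Connection
    dynamic_analysis: bool = False     # Dynamic Analysis


@dataclass(frozen=True)
class FileTransfer:
    app_protocol: str
    direction: str
    file_type: str
    disposition: str                   # "Malware", "Clean" or "Unknown"


@dataclass
class Outcome:
    rule: Optional[FileRule]
    action: Optional[str]
    blocked: bool = False
    stored: bool = False
    reset: bool = False
    dynamic_analysis: bool = False
    events: List[str] = field(default_factory=list)
    connection_logged: bool = False


# The four rules of Table 33-6, all scoped to the PDF file type.
TABLE_33_6 = [
    FileRule(frozenset({"SMTP"}), "Upload", "Block Files", frozenset({"PDF"}),
             reset_connection=True),
    FileRule(frozenset({"FTP"}), "Download", "Block Malware", frozenset({"PDF"}),
             store_unknown=True, reset_connection=True),
    FileRule(frozenset({"POP3", "IMAP"}), "Download", "Malware Cloud Lookup",
             frozenset({"PDF"}), store_unknown=True, dynamic_analysis=True),
    FileRule(frozenset({"Any"}), "Any", "Detect Files", frozenset({"PDF"})),
]


def rule_matches(rule: FileRule, xfer: FileTransfer) -> bool:
    return (("Any" in rule.app_protocols or xfer.app_protocol in rule.app_protocols)
            and rule.direction in ("Any", xfer.direction)
            and ("Any" in rule.file_types or xfer.file_type in rule.file_types))


def select_rule(rules, xfer: FileTransfer) -> Optional[FileRule]:
    """Pick the matching rule with the most restrictive action (assumed order)."""
    matching = [r for r in rules if rule_matches(r, xfer)]
    return min(matching, key=lambda r: ACTION_PRECEDENCE[r.action]) if matching else None


def evaluate(rules, xfer: FileTransfer) -> Outcome:
    rule = select_rule(rules, xfer)
    out = Outcome(rule=rule, action=rule.action if rule else None)
    if rule is None:
        return out                     # no file rule: nothing inspected, nothing logged
    out.events.append("file")          # every inspected file yields a file event
    if rule.action == "Block Files":
        out.blocked = True
    elif rule.action in MALWARE_LICENSE_ACTIONS:
        if xfer.disposition == "Malware":
            out.events.append("malware")
            out.blocked = rule.action == "Block Malware"
        unknown = xfer.disposition == "Unknown"
        out.stored = rule.store_unknown and unknown
        out.dynamic_analysis = rule.dynamic_analysis and unknown
    out.reset = rule.reset_connection and out.blocked
    # A file/malware event or a captured file logs the end of the connection,
    # whatever the invoking access control rule's logging setting says.
    out.connection_logged = bool(out.events) or out.stored
    return out


def policy_errors_for_device(rules, device_model: str) -> List[str]:
    """Rules a DC500 or Series 2 device cannot apply (no Malware license)."""
    if device_model not in NO_MALWARE_LICENSE_MODELS:
        return []
    return [f"{r.action} requires a Malware license; unsupported on {device_model}"
            for r in rules if r.action in MALWARE_LICENSE_ACTIONS]


if __name__ == "__main__":
    for x in (FileTransfer("SMTP", "Upload", "PDF", "Clean"),
              FileTransfer("HTTP", "Download", "PDF", "Clean"),
              FileTransfer("FTP", "Download", "PDF", "Unknown")):
        print(x.app_protocol, x.direction, "->", evaluate(TABLE_33_6, x))
    print(policy_errors_for_device(TABLE_33_6, "DC500"))
```

The SMTP upload case is the one worth studying: both the SMTP Block Files rule and the catch-all Detect Files rule match, and the block wins only because of the assumed action precedence; reorder the list and the result is unchanged, which is the point the table title makes.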