FireSIGHT System User Guide
Chapter 33 Blocking Malware and Prohibited Files
Understanding and Creating File Policies
  • The Files field contains an icon that indicates the number of files (including malware files) detected in the connection; click the icon to see a list of those files and, for malware files, their file dispositions.
  • The Reason field indicates the reason the connection event was logged, which depends on the file rule action:
    • File Monitor for Detect Files and Malware Cloud Lookup file rules and for files on the clean list
    • File Block for Block Files or Block Malware file rules
    • File Custom Detection if the system encountered a file on the custom detection list
    • File Resume Allow where file transmission was originally blocked by a Block Files or Block Malware file rule. After a new access control policy was applied that allowed the file, the HTTP session automatically resumed.
    • File Resume Block where file transmission was originally allowed by a Detect Files or Malware Cloud Lookup file rule. After a new access control policy was applied that blocked the file, the HTTP session automatically stopped.
  • For connections where a file or malware was blocked, the Action is Block.
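The Reason values above are what an analyst sees when reviewing exported connection events. The following triage helper is an added example, not code from the guide or from Cisco: it parses a constructed CSV export (the column names are an assumption made for this example), counts events per Reason, and flags records that do not match the relationships the guide describes (a File Block or File Resume Block reason whose Action is not Block, a file-related Reason with no files recorded, or a Reason value the guide does not list).

```python
"""Triage helper for exported FireSIGHT connection events (added example, not Cisco code)."""
import csv
import io
from collections import Counter

# Reason values named in the guide, with the file rule action or list that produces them.
REASON_SOURCES = {
    "File Monitor": "Detect Files / Malware Cloud Lookup rule, or file on the clean list",
    "File Block": "Block Files / Block Malware rule",
    "File Custom Detection": "file on the custom detection list",
    "File Resume Allow": "transfer first blocked, then allowed after a new access control policy",
    "File Resume Block": "transfer first allowed, then blocked after a new access control policy",
}

# Reasons for which the guide says the transfer was blocked, so Action is expected to be Block.
BLOCKING_REASONS = {"File Block", "File Resume Block"}

# Constructed sample export (not real data); column layout is an assumption for this example.
SAMPLE_EXPORT = """\
initiator_ip,responder_ip,reason,action,files
10.0.0.5,203.0.113.10,File Monitor,Allow,1
10.0.0.6,203.0.113.11,File Block,Block,1
10.0.0.7,203.0.113.12,File Custom Detection,Block,2
10.0.0.8,203.0.113.13,File Resume Allow,Allow,1
10.0.0.9,203.0.113.14,File Block,Allow,1
10.0.0.10,203.0.113.15,Unknown Reason,Allow,1
10.0.0.11,203.0.113.16,File Monitor,Allow,0
"""


def parse_events(text):
    """Parse a CSV export into a list of dicts; the Files column becomes an int."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["files"] = int(row["files"])
        events.append(row)
    return events


def summarize_by_reason(events):
    """Count connection events per Reason value."""
    return Counter(e["reason"] for e in events)


def find_anomalies(events):
    """Return (index, message) pairs for records that contradict the guide's Reason/Action rules."""
    findings = []
    for i, e in enumerate(events):
        reason, action = e["reason"], e["action"]
        if reason not in REASON_SOURCES:
            findings.append((i, f"unrecognised Reason value {reason!r}"))
            continue
        if reason in BLOCKING_REASONS and action != "Block":
            findings.append((i, f"{reason} should carry Action Block, got {action!r}"))
        if e["files"] == 0:
            # A file-related Reason implies at least one detected file in the connection.
            findings.append((i, f"{reason} logged but the Files count is zero"))
    return findings


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EXPORT)
    for reason, count in summarize_by_reason(evts).items():
        print(f"{count:3d}  {reason:22s}  ({REASON_SOURCES.get(reason, 'not in guide')})")
    for idx, msg in find_anomalies(evts):
        print(f"row {idx}: {msg}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents; the anomaly list is a starting point for checking that the access control and file policies behave as expected, not a verdict on any single event.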
As with any kind of event generated by the FireSIGHT System, you can view, manipulate, and analyze 
file and malware events using the Defense Center’s web interface. You can also use malware events to 
trigger correlation policy violations, or alert you via email, SMTP, or syslog.
Note: The Defense Center can also receive malware events using your organization’s FireAMP subscription. Because these malware events are generated on endpoints at download or execution time, their information is different from that in network-based malware events.
For more information on connection, file, and malware events, as well as additional details on how they 
are logged, see:
  •
  •
  •
  •
Internet Access and High Availability
The system uses port 443 to perform malware cloud lookups for network-based AMP. You must open 
that port outbound on the Defense Center. 
Although they share file policies and related configurations, Defense Centers in a high availability pair 
share neither cloud connections nor captured files, file events, and malware events. To ensure continuity 
of operations, and to ensure that detected files’ malware dispositions are the same on both Defense 
Centers, both primary and secondary Defense Centers must have access to the cloud.
To submit files to the cloud for dynamic analysis, you must also open port 443 outbound on the device.
Managing File Policies
You create, edit, delete, and compare file policies on the File Policies page (Policies > Files), which displays a list of existing file policies along with their last-modified dates.