Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 34: Analyzing Malware and File Activity
Working with Dynamic Analysis
Submitting Files for Dynamic Analysis
License: Malware
Supported Devices: Any except Series 2
Supported Defense Centers: Any except DC500
From the event viewer context menu or network file trajectory, you can manually submit a file for 
dynamic analysis. In addition to executable files, you can also submit file types not eligible for automatic 
submission, such as PDFs, Microsoft Office documents, and others. See 
 and 
 for more information.
To analyze multiple files after an incident, regardless of file disposition, you can manually submit up to 
25 files (of specific types) at a time from the captured file view. This allows you to more quickly analyze 
a broad range of files and pinpoint the exact causes of the incident. For more information, see 
 and 
Reviewing the Threat Score and Dynamic Analysis Summary
License: Malware
Supported Devices: Any except Series 2
Supported Defense Centers: Any except DC500
After you submit a file for dynamic analysis, the Cisco cloud analyzes a file’s signatures and returns both 
a threat score and a dynamic analysis summary. These can help you more closely analyze potential 
malware threats and fine-tune your detection strategy.
Threat Scores
Files fall into one of four threat score ratings, listed in Table 34-1, that correspond with the likelihood the file is malicious.
The Defense Center caches a file’s threat score locally for the same amount of time as the file’s 
disposition. If the system later detects these files, it displays the cached threat scores to the user instead 
of again querying the Cisco cloud. Based on your file policy configuration, you can automatically assign 
a malware file disposition to any file with a threat score that exceeds the defined malware threshold 
threat score. For more information, see 
Dynamic Analysis Summary
If a dynamic analysis summary is available, you can click the threat score icon to view it. The dynamic 
analysis summary describes the various component ratings that comprise the overall threat score 
assigned by the Vulnerability Research Team (VRT) file analysis, as well as other processes started when 
the cloud attempted to run the file. 
Table 34-1 Threat Score Ratings

Threat Score    Rating
Low             1-25
Medium          26-50
High            51-75
Very High       76-100