Cisco Firepower Management Center 4000
34-10
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with File Events
Disposition
One of the following file dispositions:
• Malware indicates that the cloud categorized the file as malware, or that the file’s threat score exceeded the malware threshold defined in the file policy.
• Clean indicates that the cloud categorized the file as clean, or that a user added the file to the clean list.
• Unknown indicates that a malware cloud lookup occurred before the cloud assigned a disposition. The file is uncategorized.
• Custom Detection indicates that a user added the file to the custom detection list.
• Unavailable indicates that the Defense Center could not perform a malware cloud lookup.
• N/A indicates that a Detect Files or Block Files rule handled the file and the Defense Center did not perform a malware cloud lookup.
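As an added example (not Cisco code and not part of this guide), the following Python script turns the disposition list above into a triage pass over exported file events, and also uses the SHA256, Threat Score, Type and Size (KB) fields described elsewhere in this table. The CSV column names, the sample rows, the file body whose hash appears in them, and the follow-up action assigned to each disposition are assumptions made for the example; FireSIGHT's actual export format is not described on this page.

```python
"""Triage FireSIGHT file events by Disposition (added example, not Cisco code)."""
import csv
import hashlib
import io
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed file body; its SHA-256 is placed in the sample events so the
# disk-to-event matching below has something to hit. Not real malware.
SAMPLE_FILE = b"constructed sample file contents\n"
SAMPLE_FILE_SHA = hashlib.sha256(SAMPLE_FILE).hexdigest()

# Constructed sample export (assumed column names, not a documented format).
# Size (KB) is blank on the Unknown row, which the guide says happens when
# the file type is identified before the file is fully received.
SAMPLE_EVENTS = f"""\
Disposition,SHA256,Threat Score,Type,Size (KB)
Malware,{SAMPLE_FILE_SHA},Very High,MSEXE,412
Unknown,{'b' * 64},,PDF,
Unavailable,{'c' * 64},,MSEXE,98
N/A,{'d' * 64},,HTML,3
Clean,{'e' * 64},Low,MSEXE,1024
Custom Detection,{'f' * 64},,MSEXE,77
Malware,{SAMPLE_FILE_SHA},High,MSEXE,412
"""

# Follow-up action for each disposition in the guide (action names are assumed).
ACTION_BY_DISPOSITION = {
    "Malware": "contain",            # cloud verdict, or threat score over the policy threshold
    "Custom Detection": "contain",   # on the custom detection list: treat like malware
    "Unknown": "recheck",            # lookup happened, cloud has not assigned a disposition yet
    "Unavailable": "lookup-failed",  # Defense Center could not perform the cloud lookup
    "N/A": "no-lookup",              # Detect Files / Block Files rule, no cloud lookup at all
    "Clean": "ignore",
}
# Most urgent first; used when one hash appears with several dispositions.
ACTION_RANK = ["contain", "recheck", "lookup-failed", "no-lookup", "ignore"]


def parse_events(text):
    """Parse the CSV into dicts, validating the hash and tolerating a blank size."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        sha = row["SHA256"].strip().lower()
        if not SHA256_RE.match(sha):
            raise ValueError(f"malformed SHA256: {row['SHA256']!r}")
        size = row["Size (KB)"].strip()
        events.append({
            "disposition": row["Disposition"].strip(),
            "sha256": sha,
            "threat_score": row["Threat Score"].strip() or None,
            "type": row["Type"].strip(),
            "size_kb": int(size) if size else None,  # None when the field was blank
        })
    return events


def action_for(disposition):
    """Map a disposition to its follow-up action; unknown values are an error, not 'ignore'."""
    try:
        return ACTION_BY_DISPOSITION[disposition]
    except KeyError:
        raise ValueError(f"unexpected disposition: {disposition!r}") from None


def triage(events):
    """Collapse events per file hash, keeping the most urgent action seen for that hash."""
    by_hash = {}
    for ev in events:
        act = action_for(ev["disposition"])
        entry = by_hash.setdefault(
            ev["sha256"], {"action": act, "events": 0, "threat_scores": set(), "size_kb": None})
        entry["events"] += 1
        if ev["threat_score"]:
            entry["threat_scores"].add(ev["threat_score"])
        if ev["size_kb"] is not None:
            entry["size_kb"] = ev["size_kb"]
        if ACTION_RANK.index(act) < ACTION_RANK.index(entry["action"]):
            entry["action"] = act
    return by_hash


def summarize(by_hash):
    """Count distinct files per follow-up action."""
    counts = {a: 0 for a in ACTION_RANK}
    for entry in by_hash.values():
        counts[entry["action"]] += 1
    return counts


def match_file(data, by_hash):
    """Hash a file body and return its triage entry, or None if it never appeared in the events."""
    return by_hash.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    tri = triage(parse_events(SAMPLE_EVENTS))
    for sha, entry in tri.items():
        print(sha[:12], entry["action"], entry["events"], sorted(entry["threat_scores"]))
    print(summarize(tri))
    print(match_file(SAMPLE_FILE, tri))
```

The "lookup-failed" and "recheck" buckets are the ones worth watching operationally: a run of Unavailable dispositions usually means the Defense Center lost its cloud connectivity rather than that the files are safe, and an Unknown disposition can change once the cloud assigns one, so those hashes should be re-queried later rather than closed out.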
SHA256
The SHA-256 hash value of the file, as well as a network file trajectory icon representing the most recently detected file event and file disposition, if this file was detected as the result of:
• a Detect Files file rule with Store Files enabled
• a Block Files file rule with Store Files enabled
• a Malware Cloud Lookup file rule
• a Block Malware file rule
To view the network file trajectory, click the trajectory icon. For more information, see .
Threat Score
The threat score most recently associated with this file:
• Low
• Medium
• High
• Very High
To view the Dynamic Analysis Summary report, click the threat score icon.
Type
The type of file, for example, HTML or MSEXE.
Category
The general categories of file type, for example: Office Documents, Archive, Multimedia, Executables, PDF files, Encoded, Graphics, or System Files.
Size (KB)
The size of the file, in kilobytes. Note that if the system determines the file type of a file before the file is fully received, the file size may not be calculated and this field is blank.
URI
The originating URI of the file, for example, the URL where a user downloaded it.
Application Protocol
The application protocol used by the traffic in which a managed device detected the file.
Application Protocol, Client, or Web Application Category or Tag
Criteria that characterize the application to help you understand the application's function. For more information, see the table.
Client
The client application used in the connection to transmit a file.
Web Application
For files transmitted using HTTP, the web application (content or requested URL) detected in the connection and used to transmit the file.
Table 34-2 File Event Fields (continued)
Field
Description