Cisco Firepower Management Center 4000
34-14
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Malware Events
With a Malware license, your managed devices can detect malware in network traffic as part of your overall access control configuration; see .
The following scenarios can lead to generating malware events:
• If a managed device detects one of a set of specific file types, the Defense Center performs a malware cloud lookup, which returns a file disposition to the Defense Center of Malware, Clean, or Unknown.
• If the Defense Center cannot establish a connection with the cloud, or the cloud is otherwise unavailable, the file disposition is Unavailable.
• If the threat score associated with a file exceeds the malware threshold threat score defined in the file policy that detected the file, the Defense Center assigns a file disposition of Malware to the file.
• If the managed device detects a file whose SHA-256 value is stored on the custom detection list, the Defense Center assigns a file disposition of Custom Detection to the file.
• If the managed device detects a file on the clean list, the Defense Center assigns a file disposition of Clean to the file.
The Defense Center logs records of files’ detection and dispositions, along with other contextual data, as malware events.
Note
Files detected in network traffic and identified as malware by the FireSIGHT System generate both a file event and a malware event. This occurs because to detect malware in a file, the system must first detect the file itself. For more information, see .
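The five scenarios above can be read as a small decision procedure. The following Python model is an added illustration, not Cisco code: the disposition names and the scenarios are taken from the guide, but the order in which the checks are applied (custom detection list, clean list, threat score, then cloud lookup), the class and function names, the stand-in cloud, and the sample hashes are all assumptions constructed for this example.

```python
"""Model of how a Defense Center arrives at a file disposition.

Added illustration, not Cisco code. The dispositions and the five
scenarios come from the guide; the check ORDER (custom detection list,
clean list, threat score, cloud lookup) and all names below are
assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Dispositions named in the guide
MALWARE = "Malware"
CLEAN = "Clean"
UNKNOWN = "Unknown"
UNAVAILABLE = "Unavailable"
CUSTOM_DETECTION = "Custom Detection"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of file content, hex encoded, as stored on the lists."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class FilePolicy:
    malware_threshold: int                                         # score above which a file is Malware
    custom_detection_list: Set[str] = field(default_factory=set)  # admin-flagged SHA-256 values
    clean_list: Set[str] = field(default_factory=set)              # admin-cleared SHA-256 values


@dataclass
class DetectedFile:
    sha256: str
    threat_score: Optional[int] = None     # None when no dynamic-analysis score exists


# A cloud lookup returns Malware/Clean/Unknown, or None when the cloud is unreachable.
CloudLookup = Callable[[str], Optional[str]]


def make_cloud(known: Dict[str, str], reachable: bool = True) -> CloudLookup:
    """Stand-in for the malware cloud: a hash table plus an availability flag (constructed)."""
    def lookup(sha256: str) -> Optional[str]:
        if not reachable:
            return None
        return known.get(sha256, UNKNOWN)
    return lookup


def resolve_disposition(f: DetectedFile, policy: FilePolicy, cloud: CloudLookup) -> str:
    """Return the disposition the Defense Center would record for one detected file."""
    if f.sha256 in policy.custom_detection_list:     # local list: no cloud round-trip needed
        return CUSTOM_DETECTION
    if f.sha256 in policy.clean_list:
        return CLEAN
    if f.threat_score is not None and f.threat_score > policy.malware_threshold:
        return MALWARE                               # "exceeds" the policy threshold: strict
    verdict = cloud(f.sha256)
    return UNAVAILABLE if verdict is None else verdict


def demo() -> Dict[str, str]:
    """Run every scenario from the guide against constructed sample hashes."""
    h_custom = sha256_hex(b"constructed sample: on custom detection list")
    h_clean = sha256_hex(b"constructed sample: on clean list")
    h_scored = sha256_hex(b"constructed sample: high threat score")
    h_cloud_bad = sha256_hex(b"constructed sample: cloud says malware")
    h_new = sha256_hex(b"constructed sample: nobody has seen it")

    policy = FilePolicy(malware_threshold=75,
                        custom_detection_list={h_custom}, clean_list={h_clean})
    online = make_cloud({h_cloud_bad: MALWARE})
    offline = make_cloud({h_cloud_bad: MALWARE}, reachable=False)

    return {
        "custom": resolve_disposition(DetectedFile(h_custom), policy, online),
        "clean_list": resolve_disposition(DetectedFile(h_clean), policy, online),
        "threat_score": resolve_disposition(DetectedFile(h_scored, threat_score=90), policy, online),
        "cloud": resolve_disposition(DetectedFile(h_cloud_bad), policy, online),
        "unknown": resolve_disposition(DetectedFile(h_new), policy, online),
        "unavailable": resolve_disposition(DetectedFile(h_new), policy, offline),
    }


if __name__ == "__main__":
    for scenario, disposition in demo().items():
        print(f"{scenario:13} -> {disposition}")
```

The model makes two points the prose leaves implicit: a hash on one of the local lists is resolved without consulting the cloud, so an Unavailable cloud does not affect those files, and the threat-score comparison is strict, so a score equal to the threshold is not Malware.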
Retrospective Malware Events
Supported Devices: Series 3, virtual, X-Series
Supported Defense Centers: Any except DC500
For malware files detected in network traffic, file dispositions can change. For example, the Cisco cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse — that a malware-identified file is actually clean.
The cloud notifies the Defense Center if the file disposition changes for a file for which you performed a malware lookup in the last week. Then, two things happen:
• The Defense Center generates a new retrospective malware event.
This new retrospective malware event represents a disposition change for all files detected in the last week that have the same SHA-256 hash value. For that reason, these events contain limited information: the date and time the Defense Center was notified of the disposition change, the new disposition, the SHA-256 hash value of the file, and the threat name. They do not contain IP addresses or other contextual information.
• The Defense Center changes the file disposition for previously detected files with the retrospective event’s associated SHA-256 hash value.
If a file’s disposition changes to Malware, the Defense Center logs a new malware event to its database. Except for the new disposition, the information in this new malware event is identical to that in the file event generated when the file was initially detected.
If a file’s disposition changes to Clean, the Defense Center does not remove the malware event from the malware table. Instead, the event simply reflects the change in disposition. This means that files with clean dispositions can appear in the malware table, but only if they were originally thought to be malware. Files that were never identified as malware appear only in the files table.
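The two effects of a retrospective disposition change are easiest to follow on a concrete timeline. The Python model below is an added illustration, not Cisco code: the fields of a retrospective event, the one-week window, and the rules for the Malware and Clean cases come from the guide, while the in-memory tables, the class and method names, and the placeholder hashes, addresses and timestamps are constructed for this example.

```python
"""Model of retrospective malware events on a Defense Center.

Added illustration, not Cisco code. The event contents and the one-week
window come from the guide; the in-memory tables, class and function
names, and the sample hashes, addresses and timestamps are constructed.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Tuple

MALWARE = "Malware"
CLEAN = "Clean"
LOOKBACK = timedelta(days=7)   # the cloud notifies only for lookups made in the last week


@dataclass
class FileEvent:
    """Row in the files table; malware events carry the same fields."""
    sha256: str
    disposition: str
    detected_at: datetime
    src_ip: str                 # contextual data that retrospective events lack
    dst_ip: str


@dataclass
class RetrospectiveEvent:
    """Only the four fields the guide lists: no IP addresses or other context."""
    notified_at: datetime
    new_disposition: str
    sha256: str
    threat_name: str


class DefenseCenter:
    def __init__(self) -> None:
        self.file_events: List[FileEvent] = []
        self.malware_events: List[FileEvent] = []
        self.retrospective_events: List[RetrospectiveEvent] = []

    def record_detection(self, ev: FileEvent) -> None:
        """A detected file always yields a file event; malware also yields a malware event."""
        self.file_events.append(ev)
        if ev.disposition == MALWARE:
            self.malware_events.append(replace(ev))   # separate row, same contents

    def cloud_disposition_changed(self, sha256: str, new_disposition: str,
                                  threat_name: str, now: datetime) -> RetrospectiveEvent:
        """Apply a cloud notification that a hash's disposition changed."""
        # 1. One retrospective event covers every file with this hash seen in the last week.
        retro = RetrospectiveEvent(now, new_disposition, sha256, threat_name)
        self.retrospective_events.append(retro)
        cutoff = now - LOOKBACK

        # 2. Update previously detected files with that hash.
        for ev in self.file_events:
            if ev.sha256 != sha256 or ev.detected_at < cutoff:
                continue                               # other hash, or outside the window
            was_malware = ev.disposition == MALWARE
            ev.disposition = new_disposition
            if new_disposition == MALWARE and not was_malware:
                # New malware event: identical to the original file event except disposition.
                self.malware_events.append(replace(ev))

        # A change to Clean does not delete malware rows; they just show the new disposition.
        for mev in self.malware_events:
            if mev.sha256 == sha256 and mev.detected_at >= cutoff:
                mev.disposition = new_disposition
        return retro

    def dispositions(self, sha256: str, table: str = "malware") -> List[str]:
        """Dispositions currently shown for a hash in the malware or files table."""
        rows = self.malware_events if table == "malware" else self.file_events
        return [ev.disposition for ev in rows if ev.sha256 == sha256]


def build_scenario() -> Tuple[DefenseCenter, datetime]:
    """Constructed timeline: one file reclassified as Malware, one reclassified as Clean."""
    t0 = datetime(2024, 1, 15, 12, 0, 0)        # constructed timestamp
    h_a = "a" * 64                               # constructed placeholder hashes, not real SHA-256s
    h_b = "b" * 64
    dc = DefenseCenter()
    dc.record_detection(FileEvent(h_a, CLEAN, t0 - timedelta(days=10), "10.0.0.5", "203.0.113.7"))  # outside the window
    dc.record_detection(FileEvent(h_a, CLEAN, t0, "10.0.0.5", "203.0.113.7"))
    dc.record_detection(FileEvent(h_b, MALWARE, t0, "10.0.0.9", "198.51.100.3"))
    now = t0 + timedelta(days=1)
    dc.cloud_disposition_changed(h_a, MALWARE, "Constructed.Threat.A", now)
    dc.cloud_disposition_changed(h_b, CLEAN, "Constructed.Threat.B", now)
    return dc, now


if __name__ == "__main__":
    dc, _ = build_scenario()
    print("files table, hash a:  ", dc.dispositions("a" * 64, "files"))
    print("malware table, hash a:", dc.dispositions("a" * 64))
    print("malware table, hash b:", dc.dispositions("b" * 64))
```

Running the scenario shows the asymmetry the guide describes: the hash that turned out to be malware gains a new malware row while its ten-day-old detection is untouched, and the hash that turned out to be clean keeps its malware row with the disposition now reading Clean.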