Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 33 Blocking Malware and Prohibited Files
Understanding Malware Protection and File Control
The system can detect and optionally block malware in many types of files, including PDFs, Microsoft
Office documents, and others. Managed devices monitor specific application protocol-based network
traffic for transmissions of those file types. When a device detects an eligible file, it can send the file’s
SHA-256 hash value to the Defense Center, which then performs a malware cloud lookup using that
information. Based on these results, the Cisco cloud returns a file disposition to the Defense Center.
When the system detects a file in network traffic, the file storage feature allows a device to store an
eligible file to the hard drive or malware storage pack. For executable files with an Unknown disposition,
the device can submit the file for dynamic analysis, regardless of whether the device stores the file. The
cloud returns to the Defense Center:
• a threat score that describes the likelihood a file contains malware, and
• a dynamic analysis summary report that details why the cloud assigned the threat score.
If the file is an eligible executable file, the device can also perform a Spero analysis of the file structure
and submit the resulting Spero signature to the cloud. Using this signature to supplement dynamic
analysis, the cloud determines whether the file is malware.
If a file has a disposition in the cloud that you know to be incorrect, you can add the file’s SHA-256 value
to a file list:
• To treat a file as if the cloud assigned a clean disposition, add the file to the clean list.
• To treat a file as if the cloud assigned a malware disposition, add the file to the custom detection list.
If the system detects a file’s SHA-256 value on a file list, it takes the appropriate action without
performing a malware lookup or checking the file disposition. Note that you must configure a rule in the
file policy with either a Malware Cloud Lookup or Block Malware action and a matching file type to calculate
a file’s SHA-256 value. You can enable use of the clean list or custom detection list on a per-file-policy basis.
For more information on managing file lists, see
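The precedence described above (a SHA-256 is calculated only for Malware Cloud Lookup or Block Malware rules, a hash on a file list is honoured without a cloud lookup, and an executable with an Unknown disposition is a candidate for dynamic analysis), modelled as an added example that is not Cisco code or any FireSIGHT API. The sample bytes, the stand-in cloud lookup, and the choice to check the custom detection list before the clean list are all constructed assumptions.

```python
import hashlib
from typing import Callable, Dict, Set

# Constructed sample "files" (harmless placeholder bytes, not real documents or binaries).
SAMPLE_FILES = {
    "report.pdf": (b"%PDF-1.4 constructed sample document", "pdf"),
    "tool.exe": (b"MZ constructed sample executable", "executable"),
}

def sha256_hex(data: bytes) -> str:
    """SHA-256 hex digest: the value the device sends to the Defense Center."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for the malware cloud: digest -> disposition.
CONSTRUCTED_CLOUD = {
    sha256_hex(SAMPLE_FILES["report.pdf"][0]): "Clean",
    sha256_hex(SAMPLE_FILES["tool.exe"][0]): "Unknown",
}

def constructed_cloud_lookup(digest: str) -> str:
    return CONSTRUCTED_CLOUD.get(digest, "Unknown")

def resolve_file(data: bytes, file_type: str, rule_action: str,
                 clean_list: Set[str], custom_detection_list: Set[str],
                 cloud_lookup: Callable[[str], str] = constructed_cloud_lookup) -> Dict:
    """Apply the file-list / cloud-lookup precedence to one detected file.

    Returns the digest (if one is calculated), the disposition and its source,
    whether a Block Malware rule would block the file, and whether an executable
    with an Unknown disposition is a candidate for dynamic analysis.
    """
    # Only a Malware Cloud Lookup or Block Malware rule calculates the SHA-256.
    if rule_action not in ("Malware Cloud Lookup", "Block Malware"):
        return {"sha256": None, "disposition": None, "source": "no lookup",
                "blocked": False, "submit_for_dynamic_analysis": False}
    digest = sha256_hex(data)
    # A hash on a file list is honoured without consulting the cloud (assumed order: custom list first).
    if digest in custom_detection_list:
        disposition, source = "Malware", "custom detection list"
    elif digest in clean_list:
        disposition, source = "Clean", "clean list"
    else:
        disposition, source = cloud_lookup(digest), "cloud lookup"
    return {
        "sha256": digest,
        "disposition": disposition,
        "source": source,
        "blocked": rule_action == "Block Malware" and disposition == "Malware",
        "submit_for_dynamic_analysis": file_type == "executable" and disposition == "Unknown",
    }
```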
To inspect or block files, you must enable a Protection license on the managed devices where you apply
policies. To store files, perform malware cloud lookups on and optionally block malware files, submit
files to the cloud for dynamic analysis, or add files to a file list, you must also enable a Malware license
for those devices.