FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with Malware Events
Your search results appear in your default malware events workflow, constrained by the current time range.
• Click Save if you are modifying an existing search and want to save your changes.
• Click Save as New Search to save the search criteria. The search is saved (and associated with your user account if you selected Save As Private).
Working with Malware Events
License: Malware or Any
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
The system logs malware events to the Defense Center database when:
• a managed device detects a file in network traffic that is then identified as malware by a malware cloud lookup
• a managed device detects a file on the custom detection list in network traffic
• the system learns that a file's malware disposition has changed; these are called retrospective malware events
• a FireAMP Connector installed on an endpoint in your organization detects a threat and communicates that threat to the Cisco cloud
Because FireAMP malware detection is performed at the endpoint at download or execution time, while managed devices detect files in network traffic, the information in these malware events is different. Retrospective malware events also contain slightly different data than other network-based malware events, or endpoint-based malware events.
The following sections briefly describe the different kinds of malware events. For information on the overall malware detection process, see
Endpoint-Based (FireAMP) Malware Events
If your organization has a FireAMP subscription, individual users install FireAMP Connectors on their computers and mobile devices. These lightweight agents communicate with the Cisco cloud, which in turn communicates with your Defense Center; see . The cloud can send notification of threats, as well as other kinds of information including data on scans, quarantines, blocked executions, and cloud recalls. The Defense Center logs this information to its database as malware events.
Note
The IP addresses reported in endpoint-based malware events may not be in your network map, and may not even be in your monitored network at all. Depending on your deployment, level of compliance, and other factors, endpoints in your organization where FireAMP Connectors are installed may not be the same hosts as those monitored by your managed devices.
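As an added example (not code from the FireSIGHT guide or from Cisco), a small Python triage routine that sorts constructed malware event records into the four kinds listed above and, as the Note warns, flags endpoint-based events whose reported IP address lies outside the networks the managed devices monitor. The event fields, hash names, dispositions and addresses are constructed placeholders, not FireSIGHT's own schema.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class MalwareEvent:
    source: str            # "network" (managed device) or "endpoint" (FireAMP Connector)
    sha256: str            # placeholder file hash, constructed for this example
    disposition: str       # "Malware", "Clean" or "Unknown"
    host_ip: str
    on_custom_list: bool = False   # file matched the custom detection list

@dataclass
class Triage:
    # Last disposition the cloud reported for each file hash (constructed seed data);
    # a change between calls is what makes an event retrospective.
    known: dict = field(default_factory=dict)
    # Networks watched by managed devices; used to flag endpoint events that the
    # network map may not cover.
    monitored: list = field(default_factory=list)

    def classify(self, ev: MalwareEvent):
        """Return (kind, flags) for one event, tracking dispositions across calls."""
        flags = []
        if ev.source == "endpoint":
            ip = ipaddress.ip_address(ev.host_ip)
            if not any(ip in net for net in self.monitored):
                flags.append("endpoint not in monitored network")
            return "endpoint", flags
        if ev.on_custom_list:
            return "custom-detection-list", flags
        prev = self.known.get(ev.sha256)
        self.known[ev.sha256] = ev.disposition
        if prev is not None and prev != ev.disposition:
            flags.append(f"disposition changed {prev} -> {ev.disposition}")
            return "retrospective", flags
        return "cloud-lookup", flags

def demo():
    # Constructed scenario: hash-A was previously "Unknown", 10.1.0.0/16 is monitored.
    t = Triage(known={"hash-A": "Unknown"},
               monitored=[ipaddress.ip_network("10.1.0.0/16")])
    events = [
        MalwareEvent("network", "hash-A", "Malware", "10.1.4.7"),         # retrospective
        MalwareEvent("network", "hash-B", "Malware", "10.1.9.2", True),   # custom detection list
        MalwareEvent("network", "hash-C", "Malware", "10.1.2.3"),         # cloud lookup
        MalwareEvent("endpoint", "hash-D", "Malware", "192.168.50.8"),    # endpoint, outside map
    ]
    return [t.classify(e) for e in events]

if __name__ == "__main__":
    for kind, flags in demo():
        print(kind, flags)
```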
Malware Events Based on Network Traffic
Supported Devices: Series 3, virtual, X-Series
Supported Defense Centers: Any except DC500