Cisco Firepower Management Center 4000 Release Notes
Version 5.2.0.1
Sourcefire 3D System Release Notes
Features Introduced in Previous Versions
Malware Blocking
The Sourcefire 3D System network-based advanced malware detection
capabilities added in Version 5.1.1 identify individual files as they enter your
network, create a fingerprint of each file, check the fingerprint against the
Sourcefire cloud to determine the disposition of the file, and alert you to files
identified as malware.
With the addition of malware blocking in Version 5.2, the Sourcefire 3D System
now provides advanced malware protection (AMP). You can now configure file
policies to block transfer of known malware files.
Based on the disposition of each detected file and the rules you set in your file
policies, the Defense Center instructs a managed device either to block the file or
to allow its upload or download. To improve performance, if the system already
knows the disposition for a file based on its SHA-256 hash value, the Defense
Center uses a cached disposition rather than querying the Sourcefire cloud.
If necessary, you can override dispositions from the cloud on a file-by-file basis
with the global malware whitelist. If a file has a disposition in the cloud that you
know to be incorrect, you can add the file’s SHA-256 value to the whitelist. When
the system detects a file from the whitelist, it does not perform a malware lookup
or block the file as malware. You can enable use of the global malware whitelist
on a per-file-policy basis.
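As an added illustration (not Sourcefire's own code), the following Python sketch models the decision sequence described above: SHA-256 fingerprint, global malware whitelist check, cached disposition, cloud query, then the file-policy rule. The cloud service, sample files, class and method names are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

# Dispositions a cloud lookup can return for a file's SHA-256 value.
MALWARE, CLEAN, UNKNOWN = "malware", "clean", "unknown"

def sha256_hex(data: bytes) -> str:
    """Fingerprint a file the way the release notes describe: by its SHA-256 value."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample files (not real malware) and a constructed stand-in for the
# Sourcefire cloud that maps their hashes to dispositions.
SAMPLE_MALWARE = b"constructed sample: hypothetical dropper"
SAMPLE_CLEAN = b"constructed sample: quarterly report"
SAMPLE_MISLABELLED = b"constructed sample: internal tool the cloud gets wrong"
FAKE_CLOUD = {
    sha256_hex(SAMPLE_MALWARE): MALWARE,
    sha256_hex(SAMPLE_CLEAN): CLEAN,
    sha256_hex(SAMPLE_MISLABELLED): MALWARE,  # hypothetical incorrect disposition
}

@dataclass
class FilePolicy:
    block_malware: bool = True          # rule: block files with a malware disposition
    use_global_whitelist: bool = True   # per-file-policy toggle described in the notes

@dataclass
class DefenseCenter:
    cloud: dict                                   # SHA-256 -> disposition (stand-in service)
    cache: dict = field(default_factory=dict)     # dispositions already learned
    whitelist: set = field(default_factory=set)   # global malware whitelist (SHA-256 values)
    cloud_queries: int = 0                        # how many lookups actually reached the cloud

    def inspect(self, data: bytes, policy: FilePolicy):
        """Return (action, disposition, source) for one detected file."""
        h = sha256_hex(data)
        # Whitelisted files get no malware lookup and are never blocked as malware.
        if policy.use_global_whitelist and h in self.whitelist:
            return "allow", None, "whitelist"
        if h in self.cache:
            disposition, source = self.cache[h], "cache"
        else:
            # Only an unseen hash costs a cloud round trip; remember the answer.
            self.cloud_queries += 1
            disposition, source = self.cloud.get(h, UNKNOWN), "cloud"
            self.cache[h] = disposition
        action = "block" if disposition == MALWARE and policy.block_malware else "allow"
        return action, disposition, source
```

Note that disabling the whitelist in one file policy sends the same hash back to the normal lookup path, which is why the toggle is per policy rather than global.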
Several analysis tools let you track AMP events, including the Context Explorer,
the dashboard, the event views, and the network file trajectory view. Connection,
file, and malware events all reflect when a file is blocked because of malware.
You can perform AMP, which requires Protection and Malware licenses, using any
Series 3 managed device or virtual device. You can manage an AMP deployment
using any Series 3 or Series 2 Defense Center, except a DC500.
Network File Trajectory
The network file trajectory feature provides a visual, interactive representation of
the path an infected file takes across your network, to help you understand the
broader impact, context, and spread of malware across the network and
endpoints. This view depicts point of entry, propagation, protocols used, and the
users or endpoints involved in the transfer. You can use the map to determine
which hosts may have transferred malware or are at risk and to observe file
transfer trends.
File trajectory information provides standard information about the file (the file
name, type, disposition, actions taken by the system, and so on) as well as when
it was first and last seen, the number of hosts associated with the file, and the
name of any associated threats. The trajectory of a file through your network is
illustrated in visual form on the File Trajectory page. You can access the File
Trajectory page directly (Analysis > Files > Network File Trajectory) or from the
Context Explorer, dashboard, or event views of connection, file, or malware
events.