FireSIGHT System User Guide
 
Chapter 33      Blocking Malware and Prohibited Files 
  Understanding Malware Protection and File Control
rules, see 
.
Because you cannot use a Malware license with a DC500, you cannot use that appliance to apply file 
policies that perform network-based malware protection. Similarly, because you cannot enable a 
Malware license on a Series 2 device, you cannot apply a file policy to those appliances that performs 
network-based malware protection.
Logging Events Based on Malware Protection and File Control
License: Protection or Malware
Supported Devices: feature dependent
Supported Defense Centers: feature dependent
The Defense Center logs records of the system's file inspection and handling as captured files, file events, and malware events:
  • Captured files represent files that the system captured.
  • File events represent files that the system detected, and optionally blocked, in network traffic.
  • Malware events represent malware files detected, and optionally blocked, in network traffic by the system.
  • Retrospective malware events represent files whose malware file dispositions have changed.
When the system generates a malware event based on detection or blocking of malware in network traffic, it also generates a file event, because to detect malware in a file the system must first detect the file itself. Note that endpoint-based malware events generated by FireAMP Connectors (see 
) do not have corresponding file events, because those files are inspected on the endpoint rather than in network traffic. Similarly, when the system captures a file in network traffic, it also generates a file event, because the system first detected the file.
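The relationships above (every network-based malware event and every captured file has a file event for the same file on the same connection; endpoint-based FireAMP events do not; retrospective events supersede an earlier disposition) are easy to get wrong when you correlate exported event data yourself. The following is an added example, not Cisco code and not any export format the FireSIGHT System produces: it models the records as dicts with assumed field names (event_type, sha256, connection_id, source, disposition, old_disposition, new_disposition) over a constructed sample log, checks the invariants, and folds retrospective changes into the current disposition per file.

```python
"""Added example (not Cisco code): a small model of the FireSIGHT file and
malware event relationships described in the guide, run over constructed
sample records.

Assumptions (none of these field names come from the guide):
  - each record is a dict with an 'event_type' of 'captured_file',
    'file_event', 'malware_event' or 'retrospective_malware_event';
  - files are keyed by SHA-256 ('sha256') and, for network events, a
    'connection_id' tying the file to the flow it was seen in;
  - malware events carry a 'source' of 'network' or 'endpoint' (FireAMP
    Connector) and a 'disposition' of 'Malware', 'Clean' or 'Unknown'.
"""

# Constructed sample records, in the order the Defense Center would log them.
SAMPLE_EVENTS = [
    {"event_type": "file_event", "sha256": "aa" * 32, "connection_id": 1001,
     "action": "Detect"},
    {"event_type": "captured_file", "sha256": "aa" * 32, "connection_id": 1001},
    {"event_type": "file_event", "sha256": "bb" * 32, "connection_id": 1002,
     "action": "Block"},
    {"event_type": "malware_event", "sha256": "bb" * 32, "connection_id": 1002,
     "source": "network", "disposition": "Malware"},
    # Endpoint-based event from a FireAMP Connector: no network flow,
    # so no file event is expected.
    {"event_type": "malware_event", "sha256": "cc" * 32, "connection_id": None,
     "source": "endpoint", "disposition": "Malware"},
    # The cloud later changes its verdict on the first file.
    {"event_type": "retrospective_malware_event", "sha256": "aa" * 32,
     "old_disposition": "Unknown", "new_disposition": "Malware"},
]


def check_invariants(events):
    """Return descriptions of records that violate the guide's rules:
    a network-based malware event, and a captured file, must each have a
    file event for the same file on the same connection; an endpoint-based
    malware event is exempt."""
    file_events = {(e["sha256"], e["connection_id"])
                   for e in events if e["event_type"] == "file_event"}
    problems = []
    for e in events:
        key = (e.get("sha256"), e.get("connection_id"))
        if e["event_type"] == "captured_file" and key not in file_events:
            problems.append(f"captured file {e['sha256'][:8]} without file event")
        if (e["event_type"] == "malware_event" and e["source"] == "network"
                and key not in file_events):
            problems.append(
                f"network malware event {e['sha256'][:8]} without file event")
    return problems


def current_dispositions(events):
    """Fold malware and retrospective malware events into the latest known
    disposition per SHA-256, applying retrospective changes in log order."""
    disp = {}
    for e in events:
        if e["event_type"] == "malware_event":
            disp[e["sha256"]] = e["disposition"]
        elif e["event_type"] == "retrospective_malware_event":
            disp[e["sha256"]] = e["new_disposition"]
    return disp


def endpoint_only_detections(events):
    """SHA-256s reported only by FireAMP Connectors and never seen in network
    traffic; these have no file event to pivot to in the network file
    trajectory map."""
    network = {e["sha256"] for e in events
               if e["event_type"] in ("file_event", "captured_file")}
    endpoint = {e["sha256"] for e in events
                if e["event_type"] == "malware_event" and e["source"] == "endpoint"}
    return sorted(endpoint - network)


if __name__ == "__main__":
    print("violations:", check_invariants(SAMPLE_EVENTS))
    print("dispositions:", {k[:8]: v for k, v in current_dispositions(SAMPLE_EVENTS).items()})
    print("endpoint-only:", [s[:8] for s in endpoint_only_detections(SAMPLE_EVENTS)])
```

On the sample log the checker reports no violations, the retrospective event upgrades the first file from Unknown to Malware, and the FireAMP-only hash is listed separately so it is not mistaken for a missing network file event.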
You can use the Defense Center to view, manipulate, and analyze captured files, file events, and malware events, then communicate your analysis to others. The Context Explorer, dashboards, event viewer, network file trajectory map, and reporting features can give you a deeper understanding of the files and malware detected, captured, and blocked. You can also use events to trigger correlation policy violations, or to alert you via email, SNMP, or syslog. For detailed information on file and malware events, see
 an
.
Because you cannot use a Malware license with a DC500, nor can you enable a Malware license on a 
Series 2 device, you cannot use those appliances to generate or analyze captured files, file events, and 
malware events associated with malware cloud lookups.
Integrating FireAMP with the FireSIGHT System
License: Any
FireAMP is Cisco’s enterprise-class advanced malware analysis and protection solution that discovers, 
understands, and blocks advanced malware outbreaks, advanced persistent threats, and targeted attacks. 
If your organization has a FireAMP subscription, individual users install FireAMP Connectors on 
endpoints: computers and mobile devices. A FireAMP Connector is a lightweight agent that, among 
other capabilities, can inspect files upon upload, download, execution, open, copy, move, and so on. 
These connectors communicate with the Cisco cloud to determine if inspected files contain malware.