Cisco Cisco Firepower Management Center 4000

33-20

FireSIGHT System User Guide

Chapter 33 Blocking Malware and Prohibited Files

Understanding and Creating File Policies

Step 9

Click

Save

The file rule is added to the policy. If you are editing an existing file policy, you must reapply any access
control policies that use the file policy for your changes to take effect.

Configuring Advanced File Policy Options

License:

Malware

Supported Devices:

feature dependent

Supported Defense Centers:

feature dependent

In a file policy, you can set the following advanced options.

Note that because you cannot use a Malware license with a DC500, you cannot use or modify these
settings. Similarly, because you cannot enable a Malware license on a Series 2 device, you cannot apply
a file policy with these settings enabled.

To configure advanced file policy options:

Access:

Admin/Access Admin

Step 1

Select

Policies > Files

The File Policies page appears.

Step 2

Click the edit icon (

) next to the policy you want to edit.

The File Policy Rule page appears.

Step 3

Select the

Advanced

tab.

The Advanced tab appears.

Step 4

Modify the options as described in the

Advanced File Policy Options

table.

Step 5

Click

Save

Table 33-7

Advanced File Policy Options

Field

Description

Default Value

Enable Custom Detection List

Select this to block files on the custom detection list when
detected.

enabled

Enable Clean List

Select this to allow files on the clean list when detected.

enabled

Mark files as malware based on dynamic
analysis threat score

Select a threshold value to automatically treat files with that threat
score or higher as if they are malware. Select

Disabled

to disable

this.

Note that as you select lower threshold values, you increase the
number of files treated as malware. Depending on the action
selected in your file policy, this can result in an increase of
blocked files.

Very High (76 and
above)