FireSIGHT System User Guide, page 34-5
Chapter 34 Analyzing Malware and File Activity
Working with Dynamic Analysis
Note
The system checks the cloud for updates to the list of file types eligible for dynamic analysis and the minimum and maximum file sizes you can submit (no more than once a day).
The cloud performs dynamic analysis by running the file in a sandbox environment. It returns:
• a threat score, which details the likelihood a file contains malware.
• a dynamic analysis summary report, which details why the cloud assigned the threat score.
Based on the file policy configuration, you can automatically block files whose threat score falls above a defined threshold. You can also review the dynamic analysis summary report to better identify malware and fine-tune your detection capabilities.
To supplement dynamic analysis, if a file rule performs a malware cloud lookup on an executable file, you can automatically submit the file for Spero analysis. The cloud examines the executable file's structure, including metadata and header information, and can identify files as malware. See
for more information.
Dynamic and Spero analysis require a device running Version 5.3 or later and a Malware license. Note that because you cannot use a Malware license with a DC500, nor can you enable a Malware license on a Series 2 device, you cannot use those appliances to submit files for dynamic analysis or Spero analysis.
Note
You can configure your managed devices to submit files to the Cisco cloud via HTTP proxy. To configure physical appliances, see
for more information. To configure virtual appliances, see
. Sourcefire Software for X-Series does not support proxy settings.
For more information, see:
•
•
•
Understanding Spero Analysis
License: Malware
Supported Devices: Any except Series 2
Supported Defense Centers: Any except DC500
Spero analysis supplements analysis of SHA-256 hashes, allowing for more complete identification of malware in executable files. Spero analysis involves the device examining file structural characteristics such as metadata and header information. After generating a Spero signature based on this information, the device submits it to the Spero heuristic engine in the Cisco cloud. Based on the Spero signature, the Spero engine returns whether the file is malware. If so, and the file currently has an unknown file disposition, the system assigns a Malware file disposition. For more information on file dispositions, see
.
Note that you can only submit executable files for Spero analysis upon detection; you cannot manually submit them later. You can submit the file for Spero analysis without also submitting it for dynamic analysis. For more information, see
.
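The two verdict paths described on this page (a dynamic analysis threat score compared against a file-policy block threshold, and a Spero-style structural lookup that only upgrades an Unknown disposition to Malware) are modelled below in a small Python example. This is added illustration, not FireSIGHT code: the PE header parser reads only the COFF fields that are actually in the file, the "structural signature" is a stand-in hash of those fields (the real Spero signature format is not documented here and is not reproduced), the cloud verdict table and the PE samples are constructed inline, and the numeric threat-score scale and the `>` threshold comparison are assumptions.

```python
"""Model of dynamic analysis thresholding and Spero-style disposition updates.

Hypothetical example. Not FireSIGHT code; the Spero signature here is a
stand-in, the cloud verdict table is constructed, and the score scale is assumed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, Optional

PE_SIGNATURE = 0x00004550  # "PE\0\0" read as a little-endian uint32
COFF_FORMAT = "<IHHIIIHH"  # signature + 20-byte COFF file header


@dataclass(frozen=True)
class PeMetadata:
    """Structural fields a device could read without executing the file."""
    machine: int
    num_sections: int
    timestamp: int
    characteristics: int


def build_pe_sample(machine: int, num_sections: int, timestamp: int, characteristics: int) -> bytes:
    """Constructed minimal PE image: MZ stub with e_lfanew pointing at a COFF header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: offset of the PE signature
    coff = struct.pack(COFF_FORMAT, PE_SIGNATURE, machine, num_sections, timestamp,
                       0, 0, 0, characteristics)
    return bytes(dos) + coff


def parse_pe_metadata(data: bytes) -> Optional[PeMetadata]:
    """Return header metadata for a PE file, or None if the data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + struct.calcsize(COFF_FORMAT) > len(data):
        return None  # truncated or malformed: e_lfanew points past the end
    sig, machine, nsec, ts, _, _, _, chars = struct.unpack_from(COFF_FORMAT, data, e_lfanew)
    if sig != PE_SIGNATURE:
        return None
    return PeMetadata(machine, nsec, ts, chars)


def structural_signature(meta: PeMetadata) -> str:
    """Stand-in for a Spero signature: a hash over structural fields, not file bytes.

    Two files with identical header metadata share a signature even when their
    content (and therefore their SHA-256) differs; that is the point of the approach.
    """
    fields = f"{meta.machine:04x}|{meta.num_sections}|{meta.timestamp:08x}|{meta.characteristics:04x}"
    return hashlib.sha256(fields.encode("ascii")).hexdigest()


def apply_spero_verdict(disposition: str, data: bytes, cloud_verdicts: Dict[str, bool]) -> str:
    """Apply the page's rule: Malware is assigned only if the engine says malware
    AND the current disposition is Unknown; other dispositions are left alone."""
    meta = parse_pe_metadata(data)
    if meta is None:
        return disposition  # only executable files are eligible for Spero analysis
    is_malware = cloud_verdicts.get(structural_signature(meta), False)
    if is_malware and disposition == "Unknown":
        return "Malware"
    return disposition


def dynamic_analysis_action(threat_score: int, block_threshold: int) -> str:
    """Block when the sandbox threat score falls above the policy threshold (assumed 0-100 scale)."""
    return "block" if threat_score > block_threshold else "allow"


# Constructed samples: a "known bad" structural profile and a benign one.
KNOWN_BAD_SAMPLE = build_pe_sample(machine=0x014C, num_sections=1, timestamp=0, characteristics=0x0102)
BENIGN_SAMPLE = build_pe_sample(machine=0x014C, num_sections=4, timestamp=0x5F000000, characteristics=0x0102)

# Constructed stand-in for the cloud's Spero engine: signature -> is_malware.
CLOUD_SPERO_VERDICTS: Dict[str, bool] = {
    structural_signature(parse_pe_metadata(KNOWN_BAD_SAMPLE)): True,
}

if __name__ == "__main__":
    print(apply_spero_verdict("Unknown", KNOWN_BAD_SAMPLE, CLOUD_SPERO_VERDICTS))  # Malware
    print(apply_spero_verdict("Clean", KNOWN_BAD_SAMPLE, CLOUD_SPERO_VERDICTS))    # Clean
    print(apply_spero_verdict("Unknown", BENIGN_SAMPLE, CLOUD_SPERO_VERDICTS))     # Unknown
    print(dynamic_analysis_action(threat_score=80, block_threshold=75))            # block
```

The design choice worth noticing is in `apply_spero_verdict`: a structural match never overrides a disposition the system already holds, and non-PE data is returned unchanged rather than being scored, which mirrors the page's statements that Spero applies to executable files and only changes an Unknown disposition.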