Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 34 Analyzing Malware and File Activity
Working with File Storage
License: Malware
Supported Devices: Any except Series 2
Supported Defense Centers: Any except DC500
Based on your file policy configuration, you can use the file control feature to detect and block files.
However, files originating from a suspicious host or network, or an excess of files sent to a monitored
host on your network, may require further analysis. The file storage feature allows you to capture
selected files detected in traffic, and automatically store them to a device’s hard drive or, if installed, the
malware storage pack.
When a device detects a file in traffic, it can capture that file. This creates a copy the system can either
store or submit for dynamic analysis. After your device captures the files, you have several options:
• Store captured files on the device’s hard drive for later analysis. See for more information.
• Download the stored file to a local computer for further manual analysis or archival purposes. See for more information.
• Submit captured files to the Collective Security Intelligence Cloud for dynamic analysis. See for more information.
Note that once a device stores a file, it will not re-capture it if the file is detected in the future and the
device still has that file stored.
Note: A file detected for the first time ever carries a file disposition of Unavailable, because the system has no
existing information on the file. You cannot configure a file rule with a Malware Cloud Lookup or Block
Malware action to store files with an Unavailable file disposition. The first time the system detects a file,
if the file matches a file rule with a Block Malware action, the subsequent cloud lookup returns a
disposition, and the system can store the file and generate events. However, if a previously undetected
file matches a file rule with a Malware Cloud Lookup action, the system cannot initially store the file.
The cloud lookup returns a disposition; you can review this information in the generated file or malware
event even though the file is not stored. On subsequent detection, the file has a disposition other than
Unavailable, and can be stored if it matches the file rule with the Malware Cloud Lookup action.
Whether the system captures or stores a file, you can:
• Review information about the captured file from the event viewer, including whether the file was stored or submitted for dynamic analysis, file disposition, and threat score, allowing you to quickly review possible malware threats detected on your network. See for more information.
• View the file’s trajectory to determine how it traversed your network and which hosts have a copy. See for more information.
• Add the file to the clean list or custom detection list to always treat the file as if it had a clean or malware disposition on future detection. See for more information.
You configure file rules in a file policy to capture and store files of a specific type, or with a particular
file disposition, if available. Once you associate the file policy with an access control policy and apply
it to your devices, matching files in traffic are captured and stored. You can also configure the access
control policy to limit the minimum and maximum file sizes to store. See for more information.
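The following Python model is an added illustration, not Cisco code or part of this guide. It simulates the storage decisions described in the note above (first detection carries an Unavailable disposition, Block Malware can store on first detection while Malware Cloud Lookup stores only on a later detection, and an already-stored file is not re-captured) together with the access control policy's minimum and maximum file size limits from the paragraph above. The hash values, the stand-in "cloud" table, the size limits and every class and function name are constructed assumptions for the example.

```python
"""Model of the FireSIGHT file-storage decision (added example, not Cisco code)."""
from dataclasses import dataclass, field

UNAVAILABLE = "Unavailable"          # disposition of a file the system has never seen
BLOCK_MALWARE = "Block Malware"
CLOUD_LOOKUP = "Malware Cloud Lookup"


@dataclass
class FileRule:
    action: str                       # BLOCK_MALWARE or CLOUD_LOOKUP (only these are modelled)
    store: frozenset                  # dispositions this rule stores (constructed field name)

    def __post_init__(self):
        # The guide states a rule cannot be configured to store Unavailable files.
        if UNAVAILABLE in self.store:
            raise ValueError("file rules cannot store files with an Unavailable disposition")
        if self.action not in (BLOCK_MALWARE, CLOUD_LOOKUP):
            raise ValueError(f"unsupported action in this model: {self.action}")


@dataclass
class AccessControlPolicy:
    # Size limits for storage; defaults are constructed for the example.
    min_store_bytes: int = 0
    max_store_bytes: int = 10 * 1024 * 1024


@dataclass
class Device:
    # Constructed stand-in for the cloud: sha256 -> disposition the lookup returns.
    cloud: dict
    known: dict = field(default_factory=dict)   # sha256 -> disposition from an earlier lookup
    stored: set = field(default_factory=set)    # sha256 values currently on the hard drive / storage pack

    def detect(self, sha256, size, rule, policy):
        """Return an event record describing one detection of a file in traffic."""
        if sha256 in self.stored:
            # Once stored, the device does not re-capture the file while the copy remains.
            return {"sha256": sha256, "captured": False, "stored": False,
                    "disposition": self.known[sha256], "reason": "already stored"}

        first_time = sha256 not in self.known
        if first_time:
            # First detection: disposition is Unavailable until the cloud lookup answers.
            disposition = self.cloud.get(sha256, UNAVAILABLE)
            if disposition != UNAVAILABLE:
                self.known[sha256] = disposition
        else:
            disposition = self.known[sha256]

        event = {"sha256": sha256, "captured": True, "stored": False,
                 "disposition": disposition, "reason": ""}

        if first_time and rule.action == CLOUD_LOOKUP:
            # Malware Cloud Lookup cannot store on the first detection; the event still
            # carries the disposition the lookup returned.
            event["reason"] = "first detection with Malware Cloud Lookup: not stored"
            return event
        if disposition not in rule.store:
            event["reason"] = f"disposition {disposition} not selected for storage"
            return event
        if not policy.min_store_bytes <= size <= policy.max_store_bytes:
            event["reason"] = "outside access control policy size limits"
            return event

        self.stored.add(sha256)
        event["stored"] = True
        event["reason"] = "stored"
        return event


if __name__ == "__main__":
    # Constructed walk-through: the same file seen three times under a Malware Cloud Lookup rule.
    device = Device(cloud={"sha256-of-sample-A": "Malware"})
    rule = FileRule(CLOUD_LOOKUP, frozenset({"Malware"}))
    policy = AccessControlPolicy(max_store_bytes=5_000_000)
    for _ in range(3):
        print(device.detect("sha256-of-sample-A", 1_000, rule, policy))
```

Running the walk-through shows the three outcomes the note describes in order: the first event carries a Malware disposition but is not stored, the second is stored, and the third is not captured because the device already holds the file. Swapping the rule action to Block Malware makes the first detection store the file immediately.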