topic AMP | How to block malware in sourcefire in Endpoint Security

AMP | How to block malware in sourcefire

edwincharles — Sat, 09 Mar 2019 01:47:16 GMT

Hello, we have configured the Antimalware policy to block malware, but when we do a test of antimalware test download from the below site, it gives an option to save the file in internet explorer, the antimalware is not blocking. it should not give an option to save.

Re: AMP | How to block malware in sourcefire

Jetsy Mathew — Wed, 11 Apr 2018 09:38:54 GMT

Hello Edwin

How do you set the policy for the same ? Is it in audit mode or quarantine ? Also please provide the link where you have downloaded the same so that we can try to check the same.

Regards
Jetsy

Re: AMP | How to block malware in sourcefire

edwincharles — Wed, 11 Apr 2018 09:41:35 GMT

set the policy as block malware

http://www.eicar.org/85-0-Download.html

Re: AMP | How to block malware in sourcefire

Jetsy Mathew — Thu, 12 Apr 2018 06:48:23 GMT

Hello Edwin

Just to clarify are you referring to to the AMP endpoints or Network AMP here ?

Regards
Jetsy

Re: AMP | How to block malware in sourcefire

edwincharles — Thu, 12 Apr 2018 06:50:14 GMT

Network AMP

Re: AMP | How to block malware in sourcefire

edwincharles — Sun, 15 Apr 2018 09:42:14 GMT

please find the attached config snaps from FMC for the malware block

Re: AMP | How to block malware in sourcefire

yogdhanu — Mon, 16 Apr 2018 09:46:52 GMT

Hi Edwin,

The rule looks correct. I would suggest to check the connection events first to find which rule the traffic is hitting on the firepower.

Check analysis>events>connections and table view of connections and search for your test client IP.

See if it actually hits the AMPPOLICY rule or no.

If it hits that, then please make sure you download the test malware using http connection and not https.

https require SSL decryption. You can also create a test rule to block something (like URL or IP) to check if it actually works. If its ASA with SFR module, check if the module(service -policy) is configured in inline mode or passive (monitor-only)

Hope it helps,

Yogesh

Re: AMP | How to block malware in sourcefire

edwincharles — Mon, 16 Apr 2018 12:31:32 GMT

the config is inline mode as below

class-map sfr
match access-list sfr_redirect
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
class sfr
sfr fail-open
!

Re: AMP | How to block malware in sourcefire

yogdhanu — Tue, 17 Apr 2018 08:37:06 GMT

Config seems correct from ASA redirection point of view. Please check the firewall-engine-debug from CLI or connection events and find which rule the traffic hits.

Re: AMP | How to block malware in sourcefire

edwincharles — Tue, 17 Apr 2018 09:48:26 GMT

The images shows that, the server antivirus kaspersky is blocking malware, but asa is not blocking

Re: AMP | How to block malware in sourcefire

yogdhanu — Tue, 17 Apr 2018 11:13:44 GMT

I would suggest to open TAC case for further investigation.