topic Access Control Policy is the in Network Security

Sourcefire File Malware Lookup Bypass

mvollersf — Tue, 12 Mar 2019 12:36:05 GMT

I am currently looking for a way to exlude IP's from the Malware File lookup on a perimeter 3D sensor but am not having much luck.

For example, there are Windows patches and other trusted file deployment events that go through the sensor to multiple systems and it is causing a large number of file lookup events (from the malware protection license functionality). I have tried adding a rule in the Access Control policy that is src the patch server and dst any allow with either a blank file lookup policy defined in the rule, or it set to "none". However the systems are still generating large numbers of file lookup events.

Anyone had any luck with this?

Access Control Policy is the

atatistc — Fri, 12 Dec 2014 21:45:40 GMT

Access Control Policy is the way to do it. What you described should work, there is likely some issue with the rules - either the rule criteria or the rule order - that is causing this.

Thanks atatistc, I was silly

mvollersf — Thu, 08 Jan 2015 21:46:44 GMT

Thanks atatistc, I was silly and put the location being downloaded from as src in the AC rule, but connection events showed its a pull function initiated from the clients, after correcting that it seems to be working as expected.