topic As far as I can see you have in Network Security

firepower malware file block configuration

tato386 — Sun, 10 Mar 2019 13:51:36 GMT

I have a Firepower running in an ASA which is identifying files as malware but the file is still downloaded and I find it on the local drive of the PC. I have attached snippets of the logs and the file rule. Am I missing anything?

Thanks,

Diego

Have you applied the file

Marvin Rhoads — Thu, 08 Jun 2017 03:08:52 GMT

Have you applied the file policy in the Access Control Policy that affect the PC's location/address?

Could the PC have received the file prior to the policy being in place or while connected outside the protected LAN?

The firepower access policy

tato386 — Thu, 08 Jun 2017 12:13:09 GMT

The firepower access policy has been in effect for this location for several weeks and it is successfully blocking banned URL categories. The firepower logged the IP address and the correct user of the PC. The time, date and size of the file on the PC match the one in the firepower logs. So as far as I can tell the answer to your questions are yes and yes.

As far as I can see you have

Marvin Rhoads — Thu, 08 Jun 2017 13:57:39 GMT

As far as I can see you have everything setup as I would have.

I'd suggest opening a TAC case and having them review the setup in more detail.

10-4, will do. Thanks

tato386 — Thu, 08 Jun 2017 16:46:51 GMT

10-4, will do.

Thanks