FTD Malware File Policy

iwearing
Level 1

Hi,

 

I have created a malware file policy to block malware for PDF & Executables.

When I attach the malware file policy to my Access Control Policy acl I receive a warning: "Configured Ports will prevent the file policy from being triggered".

The acl has a destination port of UDP-6064.

 

I have no issues when applying the malware policy to acls with destination TCP ports.

 

Any help would be appreciated.

 

thanks

 

Ian

 

 

3 Replies

David Janulik
Cisco Employee

Hello,

 

I am not sure what you mean by a policy to block all PDF and executables.

 

If we get to the AMP console, you can blacklist a specific file SHA. You can block network connections, e.g. specific ports, a CIDR IP block or a specific IP address.

Did you try any of these?

  1. Outbreak control > Custom detections
  2. Outbreak control > Application blocking
  3. Outbreak control > Network > IP blacklist

Regards

David

Cyber security escalation engineer

Hello David,

 

Please see the attachment of an example Malware File Policy created on FMC. I should have referenced Executables and PDF as the file type category.

 

When I attach the Malware File Policy to the Access Control Policy I then receive warnings: "configured ports will prevent the file policy from being triggered".

 

regards

 

Ian

jcorrea1
Level 1

Hi, I found this message is shown when you use UDP and ICMP as destination ports. That's because this policy only applies to TCP ports.
