Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4699
Views
30
Helpful
3
Replies

AMP feature key for ESA

jwharrison
Level 1
Level 1

‎09-02-2014 08:18 AM

Can someone please provide me with the part number for ordering a feature key for the new Advanced Malware Protection module?  This feature enhancement is included in the Async OS upgrate to 8.5.6.

Labels:
0 Helpful
3 Replies 3

Robert Sherwin
Cisco Employee
Cisco Employee

‎09-02-2014 09:49 AM

Demo:
ESA-ESP-AMP-45D=: Email Premium Software Bundle with AMP (Anti-Spam, Anti-Virus, Outbreak Filter, Encryption, Data Loss Prevention, AMP Anti-Malware Protection)
ESA-ESI-AMP-45D=: Email Inbound Software Bundle with AMP (Anti-Spam, Anti-Virus, Outbreak Filter, AMP Anti-Malware Protection)

Full Orderability:
ESA-AMP-LIC=
Example: ESA-AMP-3Y-S8  -> AMP for Email Security Appliance 3-year SW subscription for 5,000-9,999 users

WSA-AMP-LIC=
Example: WSA-AMP-5Y-S7 -> AMP for Web Security Appliance 5-year SW subscription for 4,000-4,999 users

I hope this helps!

-Robert

 

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

Cheers,
Robert Sherwin

jwharrison
Level 1
Level 1
In response to Robert Sherwin

‎09-02-2014 07:11 PM

I have applied the 45 day eval feature key and added the feature to my inbound mail policy.   Where can i get a test message to evaluate the new feature ( a test fake payload) ?

0 Helpful

Robert Sherwin
Cisco Employee
Cisco Employee
In response to jwharrison

‎09-24-2014 12:59 PM

I wrote the following article - which may be of assistance:

 

Testing Advanced Malware Protection (AMP) on ESA

 

With the release of AsyncOS 8.5 for the ESA, AMP performs file reputation scanning and file analysis, in order to detect malware in attachments.  

 

Feature Keys

 

In order to implement AMP, you will need to have a valid and active feature key for both File Reputation and File Analysis on your ESA.  Please visit System Administration> Feature Keys on the GUI, or use featurekeys on the CLI, to verify the feature keys.

 

Security Services 

 

To enable the service, from the GUI, Security Services > File Reputation and Analysis.  From the CLI, you can run ampconfig.  Submit and commit your changes to the configuration.

 

Incoming Mail Policies

 

Once you have enabled the service, you will need to have this service tied to an incoming mail policy.  Mail Policies > Incoming Mail Policiesand select your Default Policy, or pre-configured policy as needed.  You will see the Advanced Malware Protection column on the Incoming Mail Polices page.  Select the Disabled link for the column, and Enable File Reputation and Enable File Analysis on the options page.  You can make any further configuration enhancements to message scanning, actions for un-scannable attachments, and actions for positively identified messages, as needed.  Submit and commit your changes to the configuration.

 

Testing

 

At this time, your incoming mail policy will be enabled to scan and detect malware.  You will need to have a true malware sample to test with.  If you need valid examples, please visit the European Institute for Computer Antivirus Research (eicar) downloads page.

 

Warning: Cisco cannot be held responsible when these files or your AV scanner in combination with these files cause any damage to your computer or network environment. YOU DOWNLOAD THESE FILES AT YOUR OWN RISK.  Download these files only if you are sufficiently secure in the usage of your AV scanner, computer settings, and network environment.  This information is provided as a courtesy for testing and reproduction purposes.

Using a valid a pre-configured email account, send the attachment through your ESA and normal processing.  You can use the CLI of the ESA, and tail mail_logs to monitor the mail as it processes through.  You should see similar to the following:

 

Thu Sep 18 16:17:38 2014 Info: New SMTP ICID 16488 interface Management (192.168.0.199) address 65.55.116.95 reverse dns host blu004-omc3s20.hotmail.com verified yes
Thu Sep 18 16:17:38 2014 Info: ICID 16488 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 5.5
Thu Sep 18 16:17:38 2014 Info: Start MID 1653 ICID 16488
Thu Sep 18 16:17:38 2014 Info: MID 1653 ICID 16488 From: <joe_user@hotmail.com>
Thu Sep 18 16:17:38 2014 Info: MID 1653 ICID 16488 RID 0 To: <any.one@mylocal_domain.com>
Thu Sep 18 16:17:38 2014 Info: MID 1653 Message-ID '<BLU437-SMTP10E1315A60354F2906677B9DB70@phx.gbl>'
Thu Sep 18 16:17:38 2014 Info: MID 1653 Subject 'Your Daily Update''
Thu Sep 18 16:17:38 2014 Info: MID 1653 ready 2313 bytes from <joe_user@hotmail.com>
Thu Sep 18 16:17:38 2014 Info: MID 1653 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Sep 18 16:17:38 2014 Info: ICID 16488 close
Thu Sep 18 16:17:39 2014 Info: MID 1653 interim verdict using engine: CASE spam negative
Thu Sep 18 16:17:39 2014 Info: MID 1653 using engine: CASE spam negative
Thu Sep 18 16:17:39 2014 Info: MID 1653 AMP file reputation verdict : MALWARE
Thu Sep 18 16:17:39 2014 Info: Message aborted MID 1653 Dropped by amp
Thu Sep 18 16:17:39 2014 Info: Message finished MID 1653 done 

 

The above example shows that AMP detected the malware attachment and 'dropped' as the final action per the default settings.

 

The same details are also seen in Message Tracking from the GUI:

 

AMP_message_tracking.png

 

If you had chosen to deliver positively identified malware, or other advanced options in the AMP configuration from the Incoming Mail Policies, you may see the following mail processing outcome:

 

Thu Sep 18 21:54:30 2014 Info: MID 1655 AMP file reputation verdict : MALWARE
Thu Sep 18 21:54:30 2014 Info: MID 1655 rewritten to MID 1656 by AMP

The reputation verdict will still be positive for "MALWARE" as shown.  The rewritten action is per the message modification actions and subject line pre-pending of "[WARNING: MALWARE DETECTED]".  

 

A clean file, or file that has not been identified at processing time as malware, would have the following verdict written to the mail logs:

 

Thu Sep 18 21:58:33 2014 Info: MID 1657 AMP file reputation verdict : CLEAN

 

Advanced Message Tracking for AMP+ Messages

 

Also from the GUI, when using Message Tracking and the Advanced drop-down, you can choose to search for Advanced Malware Protection Positive message directly:

 

AMP_message_tracking_adv.png

 

Advanced Malware Protection Reporting

 

From the ESA GUI, you will also see report tracking for positively identified messages through AMP.  Click Monitor > Advanced Malware Protection and modify the time range as needed.  You will now see similar, using the above examples for input:

 

AMP_reporting.png

 

Troubleshooting

 

If you are not seeing a known, true malware file being positively scanned by AMP, review the mail logs to assure that another service did not take action on the message and/or attachment before AMP scanned the message.

 

From the earlier example used, when Sophos Anti-virus is enabled, it actually catches and takes action on the attachment:

 

Thu Sep 18 22:15:34 2014 Info: New SMTP ICID 16493 interface Management (192.168.0.199) address 65.55.116.95 reverse dns host blu004-omc3s20.hotmail.com verified yes
Thu Sep 18 22:15:34 2014 Info: ICID 16493 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 5.5
Thu Sep 18 22:15:34 2014 Info: Start MID 1659 ICID 16493
Thu Sep 18 22:15:34 2014 Info: MID 1659 ICID 16493 From: <joe_user@hotmail.com>
Thu Sep 18 22:15:34 2014 Info: MID 1659 ICID 16493 RID 0 To: <any.one@mylocal_domain.com>
Thu Sep 18 22:15:34 2014 Info: MID 1659 Message-ID '<BLU437-SMTP2399199FA50FB5E71863489DB40@phx.gbl>'
Thu Sep 18 22:15:34 2014 Info: MID 1659 Subject 'Daily Update Final'
Thu Sep 18 22:15:34 2014 Info: MID 1659 ready 2355 bytes from <joe_user@hotmail.com>
Thu Sep 18 22:15:34 2014 Info: MID 1659 matched all recipients for per-recipient policy DEFAULT in the inbound table
Thu Sep 18 22:15:35 2014 Info: ICID 16493 close
Thu Sep 18 22:15:35 2014 Info: MID 1659 interim verdict using engine: CASE spam negative
Thu Sep 18 22:15:35 2014 Info: MID 1659 using engine: CASE spam negative
Thu Sep 18 22:15:37 2014 Info: MID 1659 interim AV verdict using Sophos VIRAL
Thu Sep 18 22:15:37 2014 Info: MID 1659 antivirus positive 'EICAR-AV-Test' 
Thu Sep 18 22:15:37 2014 Info: Message aborted MID 1659 Dropped by antivirus
Thu Sep 18 22:15:37 2014 Info: Message finished MID 1659 done

 

The Sophos Anti-virus configuration settings on the incoming mail policy are set to 'drop' for virus infected messages.  In this instance, AMP is never reached to scan or take action on the attachment.

 

This is not always the case.  A review of the mail logs and MIDs may be needed in order to assure that another service OR a content/message filter did not take action against the MID before AMP processing and action would have been reached.

Cheers,
Robert Sherwin
Customers Also Viewed These Support Documents