While email is still being investigated as a possible attack vector, we can confirm that the Email Security Appliance (ESA) does in fact positively detect this threat using the McAfee or Sophos Anti-Virus engines and/or Advanced Malware Protection (AMP).
NOTE: Even though the Anti-Virus and/or AMP services might be detecting the Petya Ransomware, you'll also need to make sure your services and mail policies are set up to take the necessary action (Drop/Quarantine/etc.) for any Malicious/Viral verdicts. Detection alone does not stop delivery.
To further confirm that you're currently protected on the ESA, review the appliance for the following Anti-Virus engine/rule updates via the CLI and/or GUI. For AMP, no specific updates are needed, since the SHAs are updated from within our AMP cloud database.
From the CLI, this can be checked using the antivirusstatus sophos detail and antivirusstatus mcafee detail commands respectively. From the GUI, you can review the current updates under Security Services --> Anti-Virus.
For Sophos - Look for the IDEs listed below
test.example> antivirusstatus sophos detail
Product - 5.40
Engine - 3.66.3
Product Date - 30 May 2017
Sophos IDEs currently on the system:
'Petya-Bi.Ide' Virus Sig. - 27 Jun 2017 20:07:34
'Petya-Bh.Ide' Virus Sig. - 27 Jun 2017 19:31:11
'Rans-Eob.Ide' Virus Sig. - 27 Jun 2017 17:57:54
If checking via GUI, for the Sophos IDE Rules, you'll want to make sure the version shown is 2017062706 or newer.
For McAfee - Look for Engine version 5800 and DATs version 8573
test.example> antivirusstatus mcafee detail
Component       Version   Last Updated
McAfee Engine   5800      18 May 2017 17:11 (GMT +00:00)
McAfee DATs     8573      27 Jun 2017 14:22 (GMT +00:00)
NOTE: If your McAfee engine is only showing as 5700, please be sure you've upgraded to the proper supported AsyncOS version for the 5800 engine. More info on the compatible builds can be found here: http://www.cisco.com/c/en/us/support/docs/field-notices/642/fn64277.html. While McAfee DAT 8573 will still assist with finding the Petya Ransomware, any engine prior to 5800 in conjunction with DAT 8573 will result in decreased efficacy.
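As an added example (not part of this article or of the ESA product), the following Python checker parses captured output from the two antivirusstatus commands above and flags the conditions the article describes: missing Petya IDEs, a McAfee engine below 5800, or DAT 8573 paired with an older engine. The sample transcripts are constructed to mirror the ones shown above.

```python
import re

# Constructed sample transcripts, modelled on the article's antivirusstatus output
SOPHOS_OUTPUT = """\
Product - 5.40
Engine - 3.66.3
Product Date - 30 May 2017
Sophos IDEs currently on the system:
'Petya-Bi.Ide' Virus Sig. - 27 Jun 2017 20:07:34
'Petya-Bh.Ide' Virus Sig. - 27 Jun 2017 19:31:11
'Rans-Eob.Ide' Virus Sig. - 27 Jun 2017 17:57:54
"""
MCAFEE_OUTPUT = """\
Component     Version   Last Updated
McAfee Engine 5800      18 May 2017 17:11 (GMT +00:00)
McAfee DATs   8573      27 Jun 2017 14:22 (GMT +00:00)
"""

# Signatures and versions the article names for Petya coverage
REQUIRED_IDES = {"Petya-Bi.Ide", "Petya-Bh.Ide", "Rans-Eob.Ide"}
MIN_MCAFEE_ENGINE = 5800
MIN_MCAFEE_DATS = 8573

def sophos_ides(output):
    """Return the set of IDE names listed by 'antivirusstatus sophos detail'."""
    return set(re.findall(r"'([^']+\.Ide)'", output))

def mcafee_versions(output):
    """Return (engine, dats) from 'antivirusstatus mcafee detail'; 0 when a row is absent."""
    engine = re.search(r"McAfee Engine\s+(\d+)", output)
    dats = re.search(r"McAfee DATs\s+(\d+)", output)
    return (int(engine.group(1)) if engine else 0,
            int(dats.group(1)) if dats else 0)

def check_coverage(sophos_out, mcafee_out):
    """Summarise Petya signature coverage against the thresholds above."""
    found = sophos_ides(sophos_out)
    engine, dats = mcafee_versions(mcafee_out)
    return {
        "sophos_missing": sorted(REQUIRED_IDES - found),
        "mcafee_engine_ok": engine >= MIN_MCAFEE_ENGINE,
        "mcafee_dats_ok": dats >= MIN_MCAFEE_DATS,
        # DAT 8573 on an engine older than 5800 still detects, but with reduced efficacy
        "mcafee_reduced_efficacy": dats >= MIN_MCAFEE_DATS and engine < MIN_MCAFEE_ENGINE,
    }

if __name__ == "__main__":
    for key, value in check_coverage(SOPHOS_OUTPUT, MCAFEE_OUTPUT).items():
        print(f"{key}: {value}")
```

Paste the real output of each command in place of the constructed strings to check a production appliance; an older IDE set shows up as entries in sophos_missing.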
If you have any further questions then please do not hesitate to contact us.