08-03-2016 08:09 AM - edited 02-20-2020 09:01 PM
Hi!
What is the best practice for file policies on ASAs?
I'm currently running a file policy with 2 rules.
rule 1:
File types: Category Dynamic Analysis Capable
Action: Block Malware
Spero, Dynamic Analysis and Reset connection
Store files Malware
Rule 2:
File types: everything except ARJ (a known bug that crashes random services and stops all traffic inline with archive and ARJ inspection enabled)
Action: Block Malware
Reset connection (no Spero or Dynamic Analysis)
Store files Malware
Advanced:
First time file analysis
custom detection and clean lists enabled
Mark files as malware based on threat score High
Inspect Archives
Depth 2.
Is this sufficient to block all detected Malware in transit?
08-03-2016 08:21 AM
It isn't really necessary to have two rules if you want to use the same action. In one rule you can add all the desired types and functionality, otherwise it should be effective as you've described.
08-03-2016 08:31 AM
Hello Team,
Adding to what Alex said, here is the quick reference link for the best understanding about the File policy practices and detections.
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401/AMP-Config.html
Rate and mark correct if the post helps you
Regards
Jetsy
08-09-2016 04:21 AM
As I understand it, you should have 2 rules because only executables are supported for dynamic analysis, and we get warnings in the Access Control Policies that file types selected for dynamic analysis are unsupported if we only have one rule for all file types with all the bells and whistles enabled.
01-14-2019 05:40 AM
Hello, could anyone tell me why an encrypted archive file is not blocked by the file policy although I have checked the Block Encrypted Archive box?