AMP | How to block malware in sourcefire

edwincharles
Level 1

Hello, we have configured the anti-malware policy to block malware, but when we do a test anti-malware download from the site below, Internet Explorer gives an option to save the file; the anti-malware is not blocking it. It should not give an option to save.

10 Replies

Jetsy Mathew
Cisco Employee
Hello Edwin

How did you set the policy for this? Is it in audit mode or quarantine? Also, please provide the link from which you downloaded the file so that we can try to check it.

Regards
Jetsy

Set the policy as block malware.

http://www.eicar.org/85-0-Download.html

Hello Edwin

Just to clarify, are you referring to AMP for Endpoints or Network AMP here?

Regards
Jetsy

Network AMP

Please find the attached config snaps from FMC for the malware block.

Hi Edwin,

The rule looks correct. I would suggest checking the connection events first to find which rule the traffic is hitting on the Firepower.

Check Analysis > Events > Connections, open the Table View of Connections, and search for your test client IP.

See if it actually hits the AMPPOLICY rule or not.

If it hits that, then please make sure you download the test malware over an HTTP connection and not HTTPS.

HTTPS requires SSL decryption. You can also create a test rule to block something (like a URL or IP) to check if it actually works. If it's an ASA with an SFR module, check whether the module (service-policy) is configured in inline mode or passive (monitor-only) mode.

Hope it helps,

Yogesh
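The triage Yogesh describes (filter the connection events by the test client's IP, see which access-control rule was hit, and remember that an HTTPS download is invisible to the file policy without SSL decryption) can be done against an exported table view. The script below is an added example, not code from the thread or from Cisco; the CSV column names and the event rows are constructed for the example and are not a real FMC export, and the expected rule name AMPPOLICY is taken from the thread.

```python
"""Triage FMC connection events for a test client: which access-control rule
did each connection hit, and why might a malware download not have been blocked?"""
import csv
import io
from dataclasses import dataclass

# Constructed sample, shaped like a CSV export of the FMC "Table View of
# Connection Events". Column names and values are assumptions for this
# example, not taken from a real export.
SAMPLE_EVENTS = """\
first_packet,initiator_ip,responder_ip,responder_port,access_control_rule,action,file_disposition
2015-05-04 10:01:02,10.1.1.50,192.0.2.10,80,AMPPOLICY,Allow,Malware
2015-05-04 10:01:05,10.1.1.50,192.0.2.10,443,AMPPOLICY,Allow,
2015-05-04 10:02:11,10.1.1.50,192.0.2.20,80,Default Action,Allow,
2015-05-04 10:03:40,10.1.1.51,192.0.2.20,80,AMPPOLICY,Block,Malware
2015-05-04 10:04:09,10.1.1.50,192.0.2.10,80,AMPPOLICY,Block,Malware
"""


@dataclass
class Finding:
    timestamp: str
    rule: str
    port: int
    note: str


def parse_events(text: str) -> list:
    """Parse the CSV export into one dict per connection event."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, client_ip, expected_rule="AMPPOLICY", decrypted_ports=frozenset()):
    """For each event from client_ip, explain why the download may not have been blocked.

    decrypted_ports: destination ports covered by an SSL decryption policy
    (assumed empty, as in the thread, where no decryption is mentioned).
    """
    findings = []
    for row in rows:
        if row["initiator_ip"] != client_ip:
            continue
        port = int(row["responder_port"])
        rule = row["access_control_rule"]
        if rule != expected_rule:
            # Wrong rule matched: the file policy attached to the expected rule never ran.
            note = f"hit rule {rule!r}, not {expected_rule!r}: check rule order and match conditions"
        elif port == 443 and port not in decrypted_ports:
            # TLS without decryption: the sensor cannot extract the file at all.
            note = "TLS connection without SSL decryption: the file policy cannot see the download"
        elif row["file_disposition"] == "Malware" and row["action"] != "Block":
            # Lookup found malware, but the rule only logged it.
            note = "disposition is Malware but connection was not blocked: file policy is not set to Block Malware"
        else:
            note = "rule hit and download inspected"
        findings.append(Finding(row["first_packet"], rule, port, note))
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS), "10.1.1.50"):
        print(f.timestamp, f.rule, f.port, f.note)
```

Run it as-is to see the four events for the constructed client 10.1.1.50 classified; on a real export, replace SAMPLE_EVENTS with the file contents and adjust the column names to match the FMC version in use.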

The config is in inline mode, as below:

class-map sfr
 match access-list sfr_redirect
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
 class sfr
  sfr fail-open
!
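Yogesh's earlier point, whether the SFR service-policy is inline or passive (monitor-only), can be read mechanically from the policy-map above: on an ASA the `sfr` action under a class takes `fail-open` or `fail-close`, and a trailing `monitor-only` keyword makes the redirection passive. The checker below is an added example, not code from the thread or from Cisco; the sample config is a trimmed copy of the one posted above, and the second variant with `monitor-only` is constructed to show the passive case.

```python
"""Report whether an ASA hands traffic to the SFR module inline or passively,
by walking the policy-map and finding the 'sfr ...' action under a class."""
from dataclasses import dataclass

# Trimmed copy of the ASA config posted in the thread (only the lines the
# check needs); the class-map lines are kept to show they are ignored.
SAMPLE_CONFIG = """\
class-map sfr
 match access-list sfr_redirect
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
 class sfr
  sfr fail-open
!
"""


@dataclass
class SfrRedirect:
    policy_map: str
    class_name: str
    fail_mode: str        # "fail-open" or "fail-close"
    monitor_only: bool    # True when traffic is only copied to the module

    def mode(self) -> str:
        return "passive (monitor-only)" if self.monitor_only else "inline"


def find_sfr_redirect(config: str):
    """Return the first 'sfr' action found under a policy-map class, or None."""
    policy_map = class_name = None
    for raw in config.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:
            # Any top-level line starts a new block; '!' is only a separator.
            class_name = None
            if not line or line == "!":
                continue
            if line.startswith("policy-map ") and not line.startswith("policy-map type "):
                policy_map = line.split()[1]
            else:
                policy_map = None   # class-maps and inspection policy-maps carry no sfr action
        elif indent == 1 and policy_map and line.startswith("class "):
            class_name = line.split()[1]
        elif indent >= 2 and class_name and line.startswith("sfr "):
            tokens = line.split()[1:]
            return SfrRedirect(policy_map, class_name, tokens[0], "monitor-only" in tokens)
    return None


if __name__ == "__main__":
    redirect = find_sfr_redirect(SAMPLE_CONFIG)
    if redirect is None:
        print("no sfr action found: the module is not in the traffic path")
    else:
        print(f"{redirect.policy_map}/{redirect.class_name}: {redirect.fail_mode}, {redirect.mode()}")
```

A None result is itself a finding: without an `sfr` action under a class in the applied policy-map, nothing is redirected, so no file policy can block anything regardless of what the FMC rule says.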

The config seems correct from the ASA redirection point of view. Please check the firewall-engine-debug from the CLI, or the connection events, and find which rule the traffic hits.

The images show that the server antivirus, Kaspersky, is blocking the malware, but the ASA is not blocking it.

Hi,

I would suggest opening a TAC case for further investigation.