2897 Views, 0 Helpful, 4 Replies

Cisco ASA5515-x firesight firepower

haitham.jneid
Level 1

Hi Experts,

I have an ASA5515 with AMP built in as software. I need to know what the difference is between the following file policy actions:

  • Cloud Malware Lookup
  • Block Malwares

I know that in Cloud Malware Lookup, the ASA will calculate the Hash-256 of the file and send that hash value to the cloud and wait for the cloud response and also log the file.

For the Block Malware action, Cisco documentation says that it is the same as Cloud Malware Lookup (the hash will be sent to the cloud) but the file containing malware will be blocked. How come the hash is sent to the cloud and the ASA is waiting for a response? With this delay the file might end up passing to the internal network before the ASA can block it.

Please, I need your support as I am confused about these 2 actions.

thanks,


4 Replies

flipkey
Cisco Employee

Good morning,

The Cloud Malware Lookup does look up the hash of the file against the cloud; however, it does not wait for the response from the Cloud API. Rather, it simply sends the file on its way and reports the disposition back in the file event. With the "Block Malware" option, the ASA/SFR will hold the final transmission of the file while it waits for the Cloud API response with the disposition. If this disposition is malware, it will drop the remainder of the file, causing the transfer to fail.

In the advanced section of the Access Control Policy, there is a setting labeled "Allow file if cloud lookup for Block Malware takes longer than". This is the number of seconds to wait for the Cloud API response before allowing the file, in the event we do not get a Cloud response in time.

Please let me know if this helps.

Thanks,

Hi,

I really appreciate your excellent explanation, it helped me a lot.

Based on your answer, whether I am using Cloud Malware Lookup or Block Malware, the system will contact the cloud, right? So basically we don't have any database of malware stored on the ASA by default to check against?

Also, what about the IPS? Do we have to continuously update the signature database from the internet?

Thank you for your valuable support.

Haitham Jneid

Haitham,

The ASA stores a local cache of recent malware lookups in the event that we see a file more than one time. The local cache is checked prior to looking the SHA up against the cloud. For any cloud lookups that occur, we add the disposition received back to the cache to improve performance. The dispositions in the cache are cleared based upon a TTL.

The IPS rules are updated through the SRU files, which can be configured to be downloaded on a schedule and applied to the appliance.

Thanks,
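As an added illustration (not code from Cisco or from anyone in this thread), the decision logic described in the two replies above, modelled in Python: the SHA-256 of the file is checked against a local cache first (expired by TTL), Cloud Malware Lookup passes the file without waiting and only records the disposition, and Block Malware holds the final segment until the disposition arrives or the "Allow file if cloud lookup for Block Malware takes longer than" timer fails open. The cloud service, its latencies, the dispositions and the sample files are all constructed for the example.

```python
import hashlib

# Constructed stand-in for the AMP cloud: sha256 -> (disposition, lookup latency in seconds).
# Latency is returned as a number rather than slept, so the example runs instantly.
FAKE_CLOUD = {
    hashlib.sha256(b"MZ\x90\x00 constructed-evil-sample").hexdigest(): ("malware", 0.4),
    hashlib.sha256(b"%PDF-1.4 constructed-report").hexdigest(): ("clean", 0.2),
    hashlib.sha256(b"PK\x03\x04 constructed-slow-sample").hexdigest(): ("malware", 5.0),
}

class DispositionCache:
    """Local cache of recent dispositions, consulted before the cloud and expired by TTL."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}          # sha256 -> (disposition, time the disposition was stored)

    def get(self, sha, now):
        hit = self.entries.get(sha)
        if hit and now - hit[1] < self.ttl:
            return hit[0]
        self.entries.pop(sha, None)  # absent or expired
        return None

    def put(self, sha, disposition, now):
        self.entries[sha] = (disposition, now)

def file_policy(data, action, cache, now, block_timeout=2.0):
    """Apply one file-policy action; returns (verdict, disposition, seconds_held, from_cache)."""
    sha = hashlib.sha256(data).hexdigest()
    disposition = cache.get(sha, now)
    if disposition is not None:
        blocked = action == "Block Malware" and disposition == "malware"
        return ("blocked" if blocked else "allowed", disposition, 0.0, True)

    disposition, latency = FAKE_CLOUD.get(sha, ("unknown", 0.3))
    if action == "Cloud Malware Lookup":
        # File is not held; the disposition is only recorded in the file event when it arrives.
        cache.put(sha, disposition, now + latency)
        return ("allowed", disposition, 0.0, False)

    # Block Malware: the final segment is held until the cloud answers or the timer expires.
    if latency > block_timeout:
        # "Allow file if cloud lookup for Block Malware takes longer than": fail open.
        return ("allowed", "timeout", block_timeout, False)
    cache.put(sha, disposition, now + latency)
    verdict = "blocked" if disposition == "malware" else "allowed"
    return (verdict, disposition, latency, False)
```

Note that the same malware sample is allowed through in lookup mode (with the disposition logged) but blocked in block mode, and that a cached disposition lets block mode drop the file with no hold at all.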

haitham.jneid
Level 1

Hi,

One more question please,

Does the ASA5515-X come with a predefined license which supports IPS and malware protection?

Thanks a lot,

Haitham