08-31-2016 11:28 PM - edited 02-20-2020 09:01 PM
Hi Experts,
I have an ASA 5515 with AMP built in as software. I need to know what the difference is between the following file policy actions:
I know that in Cloud Malware Lookup, the ASA will calculate the Hash-256 of the file, send that hash value to the cloud, wait for the cloud response, and also log the file.
For the Block Malware action, Cisco documentation says it is the same as Cloud Malware Lookup (the hash is sent to the cloud) but the file containing malware will be blocked. How can the hash be sent to the cloud while the ASA waits for a response? With this delay the file might end up passing to the internal network before the ASA can block it.
Please, I need your support as I am confused about these two actions.
thanks,
09-01-2016 06:22 AM
Good morning,
The Cloud Malware Lookup does look up the hash of the file against the cloud; however, it does not wait for the response from the Cloud API, rather it simply sends the file on its way and reports the disposition back in the file event. With the "Block Malware" option, the ASA/SFR will hold the final transmission of the file while it waits for the Cloud API response with the disposition. If this disposition is malware, it will drop the remainder of the file, causing the transfer to fail.
In the advanced section of the Access Control Policy, there is a setting labeled "Allow file if cloud lookup for Block Malware takes longer than". This is the number of seconds to wait for the Cloud API response before allowing the file in the event we do not get a Cloud response in time.
Please let me know if this helps.
Thanks,
09-01-2016 06:51 AM
Haitham,
The ASA stores a local cache of recent malware lookups in the event that we see a file more than once. The local cache is checked prior to looking the SHA up against the cloud. For any cloud lookups that occur, we add the disposition received back to the cache to improve performance. The dispositions in the cache are cleared based upon a TTL.
The IPS rules are updated through the SRU files, which can be configured to be downloaded on a schedule and applied to the appliance.
Thanks,
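The two answers above describe the decision path: hash the file, check the local disposition cache (expired by TTL), otherwise query the cloud; Malware Cloud Lookup forwards regardless and just logs the verdict, while Block Malware holds the final segment until the verdict arrives and fails open after the "Allow file if cloud lookup for Block Malware takes longer than" timeout. The following is an added simulation of that logic written for this page; it is not Cisco code and does not talk to the AMP cloud. The cloud, the sample files, the clock and the dispositions are all constructed, and one behaviour is an assumption of the example rather than something the thread states: a lookup that times out is not written to the cache.

```python
"""Simulated AMP file-policy decision path: SHA-256, TTL cache, cloud lookup,
and the Malware Cloud Lookup / Block Malware actions. Constructed example,
not Cisco code; all timings are a simulated clock, not wall-clock waits."""
import hashlib
from dataclasses import dataclass, field

MALWARE, CLEAN, UNKNOWN = "Malware", "Clean", "Unknown"
CLOUD_LOOKUP, BLOCK_MALWARE = "Malware Cloud Lookup", "Block Malware"


@dataclass
class DispositionCache:
    """Local cache of recent dispositions, keyed by SHA-256, expired by TTL (seconds)."""
    ttl: float
    entries: dict = field(default_factory=dict)  # sha256 -> (disposition, stored_at)

    def get(self, sha256, now):
        hit = self.entries.get(sha256)
        if hit is None:
            return None
        disposition, stored_at = hit
        if now - stored_at > self.ttl:      # expired: fall through to a cloud lookup
            del self.entries[sha256]
            return None
        return disposition

    def put(self, sha256, disposition, now):
        self.entries[sha256] = (disposition, now)


class SimulatedCloud:
    """Constructed stand-in for the cloud API: a hash -> disposition table plus a fixed latency."""
    def __init__(self, known, latency):
        self.known, self.latency, self.queries = known, latency, 0

    def lookup(self, sha256):
        self.queries += 1
        return self.known.get(sha256, UNKNOWN), self.latency


@dataclass
class Decision:
    sha256: str
    disposition: str
    forwarded: bool   # did the complete file reach the client?
    waited: float     # seconds the final segment was held
    source: str       # "cache", "cloud" or "timeout"


def inspect_file(data, action, cache, cloud, now, block_timeout):
    """Apply one file-policy action. block_timeout models the ACP advanced setting
    "Allow file if cloud lookup for Block Malware takes longer than"."""
    sha256 = hashlib.sha256(data).hexdigest()

    disposition = cache.get(sha256, now)         # cache is consulted before the cloud
    if disposition is not None:
        blocked = action == BLOCK_MALWARE and disposition == MALWARE
        return Decision(sha256, disposition, not blocked, 0.0, "cache")

    disposition, latency = cloud.lookup(sha256)
    if action == CLOUD_LOOKUP:
        # File is already on its way; the verdict is only recorded in the file event.
        cache.put(sha256, disposition, now + latency)
        return Decision(sha256, disposition, True, 0.0, "cloud")

    if latency > block_timeout:
        # Fail open: release the held segment with no verdict. Not caching here is
        # an assumption of this example, not something the thread states.
        return Decision(sha256, UNKNOWN, True, block_timeout, "timeout")

    cache.put(sha256, disposition, now + latency)
    return Decision(sha256, disposition, disposition != MALWARE, latency, "cloud")


# Constructed sample files (not real malware); "bad" is simply listed as Malware in the table.
CLEAN_FILE = b"constructed clean document"
BAD_FILE = b"constructed file the cloud classifies as malware"
CLEAN_SHA256 = hashlib.sha256(CLEAN_FILE).hexdigest()
BAD_SHA256 = hashlib.sha256(BAD_FILE).hexdigest()
CLOUD_TABLE = {BAD_SHA256: MALWARE, CLEAN_SHA256: CLEAN}


def demo():
    """Both actions, a cache hit, and a cloud timeout; returns the four Decisions in order."""
    cache = DispositionCache(ttl=600)
    cloud = SimulatedCloud(CLOUD_TABLE, latency=0.4)
    out = [
        inspect_file(BAD_FILE, CLOUD_LOOKUP, cache, cloud, now=0, block_timeout=2),
        inspect_file(BAD_FILE, BLOCK_MALWARE, cache, cloud, now=1, block_timeout=2),
        inspect_file(CLEAN_FILE, BLOCK_MALWARE, cache, cloud, now=2, block_timeout=2),
    ]
    slow = SimulatedCloud(CLOUD_TABLE, latency=5.0)
    out.append(inspect_file(BAD_FILE, BLOCK_MALWARE, DispositionCache(ttl=600), slow, now=3, block_timeout=2))
    return out


if __name__ == "__main__":
    for d in demo():
        print(f"{d.source:8} {d.disposition:8} forwarded={d.forwarded} waited={d.waited}")
```

The first call shows the point of the original question: under Malware Cloud Lookup the malware file is forwarded and only the event records the verdict. The second call hits the cache and is dropped without a second cloud query. The last call shows the fail-open behaviour of the timeout setting, which is the trade-off a practitioner should weigh when tuning it.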
09-01-2016 06:36 AM
Hi,
I really appreciate your excellent explanation, it helped me a lot.
Based on your answer, whether I am using Cloud Malware Lookup or Block Malware, the system will contact the cloud, right? So basically we don't have any malware database stored on the ASA by default to check against?
Also, what about the IPS: do we have to continuously update the signature database from the internet?
Thank you for your valuable support.
Haitham Jneid
09-01-2016 07:00 AM
Hi,
One more question please,
Does the ASA 5515-X come with a predefined license that supports IPS and malware protection?
Thanks a lot,
Haitham