Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2749
Views
0
Helpful
4
Replies

Cisco ASA5515-x firesight firepower

Go to solution
haitham.jneid
Level 1
Level 1

‎08-31-2016 11:28 PM - edited ‎02-20-2020 09:01 PM

Hi Experts,

I have an ASA5515 with AMP builtin as a software. I need to know what is the difference between the following file policy actions:

  • Cloud Malware Lookup
  • Block Malwares

I know that in Cloud Malware Lookup, the ASA will calculate the Hash-256 of the file and send that hash value to the cloud and wait for the cloud response and also log the file.

for Block Malware action, Cisco documentation said that it is the same as cloud malware  lookup(hash will be sent to cloud) but the file containing malware will be blocked. how come the hash sent to the cloud and ASA is waiting for a response, with this delay the file might end up passing to the internal network before ASA can block it.

please need your support as I am confused about these 2 actions.

thanks,

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
flipkey
Cisco Employee
Cisco Employee

‎09-01-2016 06:22 AM

Good morning,

The Cloud Malware Lookup does lookup the HASH of the file against the cloud, however, it does not wait for the response from the Cloud API, rather it simply sends the file on its way and reports the disposition back in the file event. The option for "Block Malware" the ASA/SFR will hold the final transmission of the file while it waits for the Cloud API response with the disposition. If this disposition is malware, it will drop the remainder of the file causing the transfer to fail.

In the advanced section of the Access Control Policy, there is a setting labeled "Allow file if cloud lookup for Block Malware takes longer than" This is the number of second to wait for the Cloud API response before allowing the file in the event we do not get a Cloud response in time.

Please let me know if this helps.

Thanks,

View solution in original post

0 Helpful

Go to solution
flipkey
Cisco Employee
Cisco Employee
In response to haitham.jneid

‎09-01-2016 06:51 AM

Haitham,

The ASA stores a local cache of recent malware lookups in the event that we see a file more than one time. The local cache is checked prior to looking the SHA up against the cloud. Any cloud lookups that occur we add the disposition received back to the cache to improve performance. The dispositions in the cache are cleared based upon a TTL.

The IPS rules are updated through the SRU files which can be configured to be downloaded on a scheduled and applied to the appliance.

Thanks,

View solution in original post

0 Helpful
4 Replies 4

Go to solution
flipkey
Cisco Employee
Cisco Employee

‎09-01-2016 06:22 AM

Good morning,

The Cloud Malware Lookup does lookup the HASH of the file against the cloud, however, it does not wait for the response from the Cloud API, rather it simply sends the file on its way and reports the disposition back in the file event. The option for "Block Malware" the ASA/SFR will hold the final transmission of the file while it waits for the Cloud API response with the disposition. If this disposition is malware, it will drop the remainder of the file causing the transfer to fail.

In the advanced section of the Access Control Policy, there is a setting labeled "Allow file if cloud lookup for Block Malware takes longer than" This is the number of second to wait for the Cloud API response before allowing the file in the event we do not get a Cloud response in time.

Please let me know if this helps.

Thanks,

0 Helpful

Go to solution
haitham.jneid
Level 1
Level 1
In response to flipkey

‎09-01-2016 06:36 AM

Hi,

I really appreciate your excellent explanation, it helped me a lot.

based on your answer, whether am using Cloud Malware Lookup or Block Malware, the system will contact the cloud. right? so basically we don't have any database for malware stored on the ASA by default to check from?

Also please what about the IPS, do we have to continuously update the signature database from internet???

thank you for you valuable support.

Haitham Jneid

0 Helpful

Go to solution
flipkey
Cisco Employee
Cisco Employee
In response to haitham.jneid

‎09-01-2016 06:51 AM

Haitham,

The ASA stores a local cache of recent malware lookups in the event that we see a file more than one time. The local cache is checked prior to looking the SHA up against the cloud. Any cloud lookups that occur we add the disposition received back to the cache to improve performance. The dispositions in the cache are cleared based upon a TTL.

The IPS rules are updated through the SRU files which can be configured to be downloaded on a scheduled and applied to the appliance.

Thanks,

0 Helpful

Go to solution
haitham.jneid
Level 1
Level 1

‎09-01-2016 07:00 AM

Hi,

One more question please,

Asa5515-x comes with predefined license which support IPS and malware protection??

Thanks a lot,

Haitham

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents