Fire AMP Application Blocking

Victor Garcia
Level 1

I have a question about blocking an executable by our defined Application Blocking rule/list. If I have a file called UpdateTask.exe and it is located in a user profile \.....\.....; will it block the application at its file location or will it block any executable that has the name UpdateTask.exe? I ask because this issue can exist with the uninstall.exe files as well. I do not want to add this exe to the block list if it includes all of them as opposed to the ones located in the file path. Basically, just in case I am not clear, I do not want to block a legitimate updatetask.exe or uninstall.exe file, I only want to block those that are associated with a malicious application's path. I hope I am being clear enough, if not, please ask and I will try to word it better.

2 Replies

So in reference to your articles you have pointed me to, you are relying on no collisions in SHA-256 from one you mark as malware and one that may be safe from a legitimate application.  I already read these prior to my question and I was hoping for a little more insight, if there is any, on how AMP for EP may be able to distinguish between these possible issues even if they are negligible at best/worst. :)  Thanks for your reply.
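
Added example, not part of the thread and not Cisco code: assuming, as the reply above describes, that the blocking list matches on a file's SHA-256 rather than its name or path, this Python sketch shows which files such a list would hit. The directory tree, file contents and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def evaluate(root, blocklist):
    """Return {relative_path: bool}: would a hash-only blocklist match it?"""
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # Name and location are never consulted, only the content digest.
            verdicts[rel] = sha256_of(full) in blocklist
    return verdicts


def build_demo(root):
    """Constructed sample tree; the byte strings stand in for real binaries."""
    samples = {
        "Users/alice/AppData/Roaming/BadApp/UpdateTask.exe": b"unwanted-build",
        "Program Files/GoodApp/UpdateTask.exe": b"legitimate-build",
        "Users/alice/Downloads/renamed.exe": b"unwanted-build",
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # The blocklist holds one digest: that of the unwanted build.
    return {hashlib.sha256(b"unwanted-build").hexdigest()}


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        return evaluate(root, build_demo(root))


if __name__ == "__main__":
    for path, blocked in sorted(run_demo().items()):
        print(("BLOCK " if blocked else "allow ") + path)
```

Under that assumption, the same-named file with different content is left alone, while a renamed copy of the listed content still matches.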