cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2442
Views
10
Helpful
3
Replies

Cisco Firepower Malware signature

RyanHsiao99746
Level 1
Level 1

Hi there,


Is Cisco Firepower have a Database for malware signature?


When i check TECSEC-2599.pdf p77, the information is: FTD will first calculation the sha, and than send to FMC and FMC will check the Reputation from AMP Cloud.


But i got another information by other SE, they said there is a database include Malware information on VDB.

 

After i check the VDB infomation :According the information on Cisco Vulnerability Database (VDB) Release Notes.

It include the

Application Protocol Detectors

Client Detectors

Web Application Detectors

FireSIGHT Detector Updates

Operating System Fingerprint Details

Operating System and Hardware Fingerprint Details

Vulnerability References

File Type Detectors


Didn't see anything similar like malware database.

Is there any malware database information in VDB or anywhere on Firepower?


Thanks

1 Accepted Solution

Accepted Solutions

Is your VDB is updated?

 

Integrating AMP for Network with AMP Threat
1- Files is downloaded through AMP for Network
2- AMP for Network calculates File hash (SHA256) and sends it to FMC for disposition lookup. Last packet is on hold by device till disposition is received.
3- FMC sends hash lookup to AMP CSI to identify hash disposition
4- CSI Cloud responds to the lookup with disposition “Unknown”
5- FMC records the disposition “Unknown” in File Trajectory
6- AMP for Network releases the last packet and submits a copy of the file to AMP Threat Grid for Dynamic Intelligence (Sandbox)
7- Threat Score (e.g. >=95) is calculated based on Behavioural Indicators and Threat Intelligence obtained by FMC polling
8- Subsequent downloads of the same file will be blocked by AMP for Network
9- AMP Solution also leverages CSI Cloud for Continuous Analysis and Retrospective Security.
10- Retrospective Call for a disposition change from Unknown to Malicious

 

however, to answer your question I do not think there is a database information avabilabe on firepower. all goes on cloud to check the SHA etc.

please do not forget to rate.

View solution in original post

3 Replies 3

Is your VDB is updated?

 

Integrating AMP for Network with AMP Threat
1- Files is downloaded through AMP for Network
2- AMP for Network calculates File hash (SHA256) and sends it to FMC for disposition lookup. Last packet is on hold by device till disposition is received.
3- FMC sends hash lookup to AMP CSI to identify hash disposition
4- CSI Cloud responds to the lookup with disposition “Unknown”
5- FMC records the disposition “Unknown” in File Trajectory
6- AMP for Network releases the last packet and submits a copy of the file to AMP Threat Grid for Dynamic Intelligence (Sandbox)
7- Threat Score (e.g. >=95) is calculated based on Behavioural Indicators and Threat Intelligence obtained by FMC polling
8- Subsequent downloads of the same file will be blocked by AMP for Network
9- AMP Solution also leverages CSI Cloud for Continuous Analysis and Retrospective Security.
10- Retrospective Call for a disposition change from Unknown to Malicious

 

however, to answer your question I do not think there is a database information avabilabe on firepower. all goes on cloud to check the SHA etc.

please do not forget to rate.

Marvin Rhoads
Hall of Fame
Hall of Fame

As @Sheraz.Salim said - there's not a local Malware database.

The VDB is a separate database with the purpose of providing information about vulnerabilities to better inform IPS rule application and categorization of impact.

Hi
Might be possible to update the signature for an offline device ?

 

Thanks by advance

Review Cisco Networking for a $25 gift card