
Fake Warning pop-up page like "Microsoft System Security Alert"

dlongpre
Level 1

Hi,

I need your comments and thoughts on this.

One of my customers has received the famous "Microsoft System Security Alert - please call 1-888..." FAKE pop-up page twice this week.

The customer has an ASA with Firepower + IPS and AMP (file policy, all protocols in download) on all Access Policy rules + Security Intelligence configured. Also, the workstations have FireAMP software up to date.

The customer's concern, and mine a little bit: how can that kind of FAKE warning pop-up cross all security systems?!

Thanks for your help,

Dominic.

3 Replies

Marvin Rhoads
Hall of Fame

I would expect that sort of adware to be blocked by a URL Filtering policy on the edge (or Cisco Umbrella on the endpoint).

You did not mention having URL Filtering licensed or configured. Do they?

Hi Marvin,

Yes, they have URL Filtering configured as a Firepower service. However, maybe I should deny access to all URLs with Suspicious Sites and High Risk reputations and do the same for APPs with Very High and High risks.

Your thoughts?

Yes that might work. The best way to tell for sure is to check the URL for one of the popups.

You can either look it up at brightcloud.com (the reputation and categorization service that FirePOWER uses) or, if you have FirePOWER 6.2, look it up using the built-in tool on the Management Center.
