Firepower Allow Rule for File Malware Detection?

mabouchard
Level 1

It appears that I am not able to select an Intrusion or File Policy in a rule unless the rule is an "Allow" rule. It seems like "Allow" means allow it to Firepower for analysis. Is that correct? If so, does this mean that the intrusion and file rules will be applied within the allow rule and the traffic then blocked based on the action chosen within the file rule?

I am asking as I am not feeling comfortable that I am blocking malware files. I have not found a good site to test this. Fortinet has a site, but if I run their set of tests the only one that passes is the .txt file. Any kind of compressed or zip file fails. Does anyone have a good website to test for malware, where I can see it being detected and blocked in the event logs?

Thanks

1 Reply

yogdhanu
Cisco Employee

Hi There,

Yes, you are right about the behavior. Only allow rules can have intrusion or file policy.

The logic here is: if the rule action is block, then there is no point wasting resources on intrusion or file inspection, as the traffic is being dropped anyway.

A popular way of testing malware detection is with http://www.eicar.org/. They provide sample malware files which you can use to test.

If you need to block malware inside of a zip file, "inspect archive" under the Advanced section of the file policy needs to be enabled.

Thanks

Yogesh

Rate if it helps.
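To exercise both cases the reply describes (a plain file hitting the file policy, and the same file inside an archive that only the "inspect archive" setting will look into), the following added helper builds the test artefacts in memory. It is not Cisco Firepower code and not from either poster; it uses the public, harmless EICAR antivirus test string from eicar.org, and the file names `eicar.com` and `levelN.zip` are arbitrary choices made here.

```python
"""Build EICAR test artefacts (plain and nested ZIP) for a file-policy check.

Constructed test helper for this thread, not Cisco Firepower code. The
EICAR string is the public, harmless antivirus test signature from
eicar.org; every scanner is expected to flag it, which makes it a safe
way to confirm that a file policy really blocks and logs a detection.
"""
import hashlib
import io
import zipfile

# The 68-byte EICAR test string, assembled from two pieces so that the
# text of this script is not itself quarantined by endpoint antivirus.
EICAR = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)


def eicar_plain() -> bytes:
    """The bare test file: should be caught by a file policy on an allow rule."""
    return EICAR


def eicar_zip(depth: int = 1, inner_name: str = "eicar.com") -> bytes:
    """Return a ZIP archive holding the EICAR file, wrapped `depth` levels deep.

    depth=1 is a plain zip; depth=2 is a zip inside a zip, and so on. Only a
    policy with archive inspection enabled (and a deep enough archive depth)
    will see the inner file.
    """
    if depth < 1:
        raise ValueError("depth must be >= 1")
    payload = EICAR
    name = inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload = buf.getvalue()
        name = f"level{level + 1}.zip"  # entry name for the next wrapper
    return payload


def extract_innermost(data: bytes) -> bytes:
    """Unwrap nested ZIPs until a non-archive is reached (what an inspector must do)."""
    while zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return data


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file; file events in the management console list this value."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Write the artefacts to the current directory and print the hash you
    # should expect to see in the file/malware event for the inner file.
    with open("eicar.com", "wb") as f:
        f.write(eicar_plain())
    with open("eicar.zip", "wb") as f:
        f.write(eicar_zip(1))
    with open("eicar-nested.zip", "wb") as f:
        f.write(eicar_zip(2))
    print("inner file SHA-256:", sha256_hex(eicar_plain()))
```

Host the three files on a web server on the far side of the firewall and download each through the allow rule that carries the file policy: the plain file checks the basic block action, the single zip checks that "inspect archive" is on, and the nested zip checks that the archive depth setting is deep enough. The printed SHA-256 is what to look for in the file event entry to confirm the correct file was matched.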
