Re: firepower amp module number of files detected in traffic exceeds module threshold

evan.chadwick1 · ‎07-05-2017

What is the module threshold? Are there stats showing how many file lookups performed for the day with a percentage showing where the sensor is at?

And should such a message equate to an entry in health monitor section for the device concerned?

Dinesh Verma · ‎07-06-2017

Most likely you're receiving the alert due to the amount of files being inspected. With a large amount of files being inspected, you will easily be seeing the below conditions.

(1) Malware cache not initialised at startup

(2) Memory limit on file capture was reached

(3) Memory limit on the file queue was reached

As such there is no hard limit set for it. It's more like oversubscription (large amount of files being inspected).

evan.chadwick1 · ‎07-06-2017

any way to get more visability?

the health monitor 'intrusion and file event rate' is set to defaults.

critcal 50 events per second

warning 30 events per second

these too high perhaps for a asa 5508?

Dinesh Verma · ‎07-07-2017

Hi Evan,

Try reducing the number of file types for dynamic analysis, this should help. To get to know what exactly going on, please open up a case with us with a sensor TS file. We will help you get more details. Specially this health alert has nothing to do with a daily limit on dynamic analysis.

It will count the total number of file events, and the percentage of these that failed to be sent for dynamic analysis or failed to be stored for any of these three reasons I mentioned above.

Regarding intrusion and file event rate: You can change the number if you want, it's just way of telling an administrator that there is too much event rate for file/intrusion. It's more of an information. It isn't too high or low for ASA5508 or any of hardware appliance (7k,8k). It's just a default value set.

Regards,

Dv

Schmitgen1 · ‎07-03-2019

What happens to the files when we see this error? Are they just passed without inspection? If the alert isn't about a limit on dynamic analysis, why would I need to reduce the number of file types submitted?

Will purchasing a large appliance allow more file inspection and thus get rid of this alert?

Schmitgen1 · ‎07-03-2019

What happens to the files when we see this error? Are they just passed without inspection? If the alert isn't about a limit on dynamic analysis, why would I need to reduce the number of file types submitted?

Would purchasing a larger appliance allow more file inspection and thus get rid of this alert?

cacravero · ‎05-28-2018

Hi, I change the ip policy to balanced, so far i did not have this message for a week.

evan.chadwick1 · ‎08-20-2020

To Summarize this case for folks searching for an answer:

either:

1/ create a widget (dynamic analysis breakdown) for your dashboard to give you a little more viz on File events and what the product is doing with your files.

(I expect better than a widget in my dashboard from firepower)

2/ or purchase a subscription to threatgrid (pricey) to get proper file analysis.

(ultimately i'd recommend having rock solid enpoint protection on each host than putting too much focus on network based file events)

I don't really know why firepower file events keep recording the same file and file size over and over in the event reporting, as category 'malware lookup', does not give you confidence that this is 'not the cause the exceeding threshold'. I raised a case and tac assured me it would not count towards threshold quota, would be great if it flagged the 2nd/3rd.... event as not 'malware lookup' though. Something like 'already submitted' or 'awaiting response from first seen' would be accurate.