Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
636
Views
1
Helpful
2
Replies

Firepower File\Maleware policies

keithcclark71
Level 3
Level 3

‎11-14-2023 11:04 AM

I kinda will nilly setup a file\maleware policy based off a youtube video I seen without really understanding it. I was hoping someone can explain to me based on the screenshots how my setup is working as I haven't had any complaints about files being blocked until now.

Filerule attachment: I assume that Store files means the file is blocked and never sent to destination.

FileEvents Attachment: What is this showing me and what does the column disposition mean? Is my Unknown disposition files being stored locally on my FMC and never being sent out?

How come I can't see the associated connection events of the host systems sending these files through the firewall???

FileSummary: What do all these files mean and what do I use this for from a engineering standpoint? Is there something I should be doing with these files or looking for???

 

 

Preview file
68 KB
Preview file
64 KB
Preview file
229 KB
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-14-2023 07:33 PM

The store files option stores a local copy on the firewall of files that were marked as Malware. It is normal that most files will be marked with unknown disposition as the list of known clean files is mostly just base OS files that Talos has analyzed and marked as Clean in advance. Known malware is similarly only a small set of all possible files in the world. That leaves almost all other files as "unknown".

Connection events may or may not display depending on the logging options selected in the associated ACP rule that is allowing the connection.

I generally find File Policy not very useful as it only detects files transferred via unencrypted transport - typically a very small set of what transits a modern edge firewall. Note your file events show transfers via http (tcp/80). It's much more useful to run Cisco Secure Endpoint (formerly AMP for Endpoints) as it will see files being saved, moved or executed without encryption.

Marius Gunnerud
VIP
VIP

‎11-14-2023 11:31 PM

Just to supplement what @Marvin Rhoads has already said, here is a document with more info on File Policies.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/file_policies_and_advanced_malware_protection.html

 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card