Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1062
Views
15
Helpful
4
Replies

Firesight | block wireshark .exe

John
Level 1
Level 1

‎07-11-2016 07:25 PM - edited ‎03-12-2019 06:04 AM

We would like to know how to block wireshark .exe in firesight. 

Labels:
0 Helpful
4 Replies 4

Jetsy Mathew
Cisco Employee
Cisco Employee

‎07-11-2016 10:34 PM

Hello John

If you have malware license using file policy under policies 》 access control 》 File Policy , you can block the .exe extension.Do you want block only for wireshark.exe or all other .exe extension files ? 

Rate if post helps you

Regards

Jetsy

0 Helpful

John
Level 1
Level 1
In response to Jetsy Mathew

‎07-11-2016 11:55 PM

Hello Jetsy,

We want to block all installer of sniffing tool, like wireshark.exe.

0 Helpful

Pujita Patni
Cisco Employee
Cisco Employee
In response to John

‎07-12-2016 09:39 AM

Hello John, 

When the ASA FirePOWER module / Firepower devices detects an eligible file, the ASA FirePOWER module / Firepower devices then performs amalware cloud lookupusing the file’s SHA-256 hash value. Based on these results, the Cisco cloud returns a file disposition to the ASA FirePOWER module.

If a file has a disposition in the cloud that you know to be incorrect, you can add the file’s SHA-256 value to a file list:

  • To treat a file as if the cloud assigned a clean disposition, add the file to the clean list.
  • To treat a file as if the cloud assigned a malware disposition, add the file to the custom detection list.

If the system detects a file’s SHA-256 value on a file list, it takes the appropriate action without performing a malware lookup or checking the file disposition.

In order to block wireshark and other similar tools, please browse to 

FMC >> Objects >> Objects Management >> File List >> Custom Detection List  >> "Edit using the pencil icon" >> "Choose Calculate SHA in drop-down" >> Browse and Select file types for this list (For example, Wireshark EXEs, DMGs, etc)

Hope this helps.

Regards,

Pujita

Rate if this helps.

Ed Padilla Jr
Level 1
Level 1
In response to John

‎07-15-2016 12:21 PM

You may need to list all types of sniffing tools files and create their malware detection signature, including wireshark, nmap, and other types and add them to the malware detection policy.  Cisco TAC can assist or you can load your own. Happy tunning.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card