FMC AMP without cloud lookup

DAVIES604
Level 1

Hi All,


I'm hoping someone can clarify something for me.

Can I create a rule in a Malware and File policy in FMC that will only do a local malware analysis and no internet cloud lookup at all? In all the documentation I can find, it suggests you can, but never seems to be 100% clear to me. If I select the rule action as Malware Cloud Lookup, and only check 'Local Malware Analysis' box, leaving Spero and Dynamic Analysis unchecked, despite the name of the action, will this only check locally? This rule would only be checking Local Malware Analysis Capable file types. Basically, can I do any malware analysis without sending any file information to the internet, without the private cloud solution.


Any input appreciated.


Thanks


4 Replies

Sheraz.Salim
VIP Alumni

My input in this regard is: if you are looking to do something like this locally, then you need an air-gapped (AMP) private cloud.

https://www.cisco.com/c/en/us/products/collateral/security/fireamp-private-cloud-virtual-appliance/datasheet-c78-733180.html


please do not forget to rate.

Hi,
Thanks for the input. I'm aware of the private cloud solution, but I'm just after some clarification on the example I gave, as the documentation is not entirely clear to me. Do you know if the FMC will do any sort of web lookup in the scenario I described?
Thanks.

Local Malware Analysis – Uses a local engine to check for malware. Unknown files or possible risks warrant further inspection,

Use the local engine to determine if the file is malware.


Local Malware Analysis

Local malware analysis allows a managed device to locally inspect executables, PDFs, office documents, and other types of files for the most common types of malware, using a detection rule set provided by the Cisco Talos Security Intelligence and Research Group (Talos). Because it does not require submitting a file to the AMP cloud, and does not run the file, local malware analysis saves time and system resources.

If the system identifies malware through local malware analysis, it updates the existing file disposition from Unknown to Malware. The system then generates a new malware event. If the system does not identify malware, it does not update the file disposition from Unknown to Clean. After the system runs local malware analysis, it caches file information such as SHA-256 hash value, timestamp, and disposition, so that if detected again within a certain period of time, the system can identify malware without additional analysis.

From the event viewer, you can manually submit for local malware analysis one file at a time using the context menu, or up to twenty-five captured files at a time. The system runs local analysis, then submits these files to the cloud for dynamic analysis.

Local malware analysis does not require establishing communications with the AMP Threat Grid cloud. However, you must configure communications with the cloud to submit files preclassified as malware for dynamic analysis, and to download updates to the local malware analysis ruleset.


please do not forget to rate.

Again, thanks for the reply. Does this confirm that no data is sent to the internet in the configuration I described?