How to block virus files with ASA5516+Firepower

triada123
Level 1

Hi, 

I am configuring a new ASA5516 with Firepower and I am not able to block the EICAR test virus file. I created a file policy (all protocols, all file types) with the "Block malware" action. Then I used it in an access policy with the "Interactive block" action. It is not possible to use the "Block" action together with a file policy in an access policy.

Result:

- eicar.com is detected, but the user can pass it (interactive block).

- eicar.com in a zip file is not detected at all.

I used to use an old ASA5510 with a Trend Micro card and it was able to block EICAR in all of its forms. Now I am a little bit confused, because I am not able to configure the new ASA in a similar way.

Is it possible to block virus files with ASA5516+Firepower?

Jan

9 Replies

Aastha Bhardwaj
Cisco Employee

Hi,

Under File policy, create a rule with application protocol as any, direction as any, action as Block, and file categories as Eicar, and add the file policy to the access control policy. Interactive block does not work for https traffic on version 5.4.

Let me know if that works.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi, the problem is not in blocking EICAR itself; it was used only as an example.

I want to block all malware/viruses, even in zipped archives. This is the option we use now with the ASA5510+Trend Micro card.

Because I was not able to block (or even detect) EICAR in a zip archive, I am asking whether it is possible.

Jan

Hi,

That should work as well. What version are you on? Also make sure that the inspect archive option is disabled in the advanced file policy settings.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Jan,

To make this work I had to create a rule by itself that only performed IPS and FILE inspection (don't add URL filtering, APP filtering, etc.). My recommended rules are in this order: 1) APP FILTERING ALLOW, 2) URL FILTERING ALLOW, 3) APP FILTERING BLOCK, 4) URL FILTERING BLOCK, 5) IPS and FILE BLOCK. I hope this helps you. Also, if you are running the latest updates you do NOT need to disable inspect archive as Aastha said above. That was only necessary on the older versions of ASA Sourcefire code, which would lock up the firewall due to a known bug that has since been resolved.

As Aastha said, unfortunately SSL (https) inspection is not available yet, so make sure you are downloading your EICAR file via http or ftp. Cisco has mentioned that they will be turning on SSL inspection with an update for the 5500-X series firewalls in the future. Hope this helps.
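As an added example (not code from the original thread or from Cisco), the script below builds the test artifacts Jan's test needs: the plain EICAR file, the same file inside a stored zip and inside a deflated zip, and a doubly nested zip. Each one can be served through the sensor over plain HTTP or FTP, as the reply above recommends, to see which form the file policy catches. It also shows why an inspector that does not open archives misses the zipped copy: the deflated member no longer carries the EICAR string as plain bytes, while the stored one still does. The `find_eicar` function is a toy, depth-limited archive inspector written for this example, not Firepower's implementation, and the output filenames are invented. The SHA-256 is included because Firepower's malware events identify files by SHA-256, so it lets you match the event to the file you sent.

```python
"""Constructed EICAR test artifacts for exercising a Firepower file policy.

Added example, not code from the original thread or from Cisco. The EICAR
pattern is the harmless industry-standard AV test string.
"""
import hashlib
import io
import zipfile
from typing import Optional

# Standard 68-byte EICAR test string (raw bytes literal because of the backslash).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file body; Firepower malware events key files by SHA-256."""
    return hashlib.sha256(data).hexdigest()


def zip_bytes(member_name: str, payload: bytes, compress: bool = True) -> bytes:
    """Wrap payload in a single-member zip, either deflated or merely stored."""
    method = zipfile.ZIP_DEFLATED if compress else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def nest_zip(payload: bytes, depth: int) -> bytes:
    """Zip payload `depth` times (depth 0 returns it unchanged)."""
    data = payload
    for level in range(depth):
        name = "eicar.com" if level == 0 else f"inner{level}.zip"
        data = zip_bytes(name, data)
    return data


def find_eicar(data: bytes, max_depth: int, depth: int = 0) -> Optional[int]:
    """Toy depth-limited archive inspector (an assumption about how such
    inspectors behave, not Firepower's code).

    Returns the nesting depth at which the EICAR file itself is found, or
    None if it is absent or sits deeper than max_depth.
    """
    if data == EICAR:
        return depth
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            found = find_eicar(zf.read(name), max_depth, depth + 1)
            if found is not None:
                return found
    return None


def build_test_set() -> dict:
    """One file per form to download through the sensor over plain HTTP/FTP.
    Filenames are invented for this example."""
    return {
        "eicar.com": EICAR,
        "eicar_stored.zip": zip_bytes("eicar.com", EICAR, compress=False),
        "eicar_deflated.zip": zip_bytes("eicar.com", EICAR),
        "eicar_nested2.zip": nest_zip(EICAR, 2),
    }


if __name__ == "__main__":
    for filename, body in build_test_set().items():
        with open(filename, "wb") as fh:
            fh.write(body)
        visible = EICAR in body  # True only for the plain file and the stored zip
        print(f"{filename}: {len(body)} bytes, plain EICAR bytes visible={visible}, "
              f"sha256={sha256_hex(body)}")
```

Run it once on a web host behind the sensor, then fetch each file from a client over http and compare the resulting file and malware events. If the plain file is blocked but the deflated zip is not, the archive inspection settings of the file policy are the first thing to check.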

Hi,

I wanted to add my questions here... 

You are talking about ftp and http traffic... My question is whether any traffic (encrypted traffic excluded) can be scanned for malware. Where are the limitations of Firepower and what is possible? Are there guides regarding these capabilities? Where are the best whitepapers for these questions?

Regards

Sebastian

Hi,

Cisco ASA with FirePOWER Services, now has the ability to locally manage SSL communications and decrypt the traffic before performing attack, application, and malware detection against it. This is the same capability we introduced in Version 5.4 for Cisco’s Firepower next-generation IPS (NGIPS) appliances. SSL decryption can be deployed in both passive and inline modes, and supports HTTPS and StartTLS-based applications (e.g., SMTPS, POP3S, FTPS, IMAPS, TelnetS). Decryption policies can be configured to exert granular control over encrypted traffic logging and handling, such as limiting decryption based on URL categories to enforce privacy concerns. It also provides the ability to block self-signed encrypted traffic, or on SSL version, specific Cipher Suites, and/or unapproved mobile devices.

Check : http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hi,

also very interesting! I think Cisco is developing more and more useful features. But my question focuses on which protocols are supported for malware scanning... In FMC I can see HTTP, SMTP, IMAP, POP3, FTP and SMB.

So what happens if I have configured a file policy with blocking malware and NFS is used as a file share? Now the client accesses a file that is malicious, and this file would be recognized in HTTP or other unencrypted protocols. Will this file also be recognized, or, because it is a non-supported protocol, will the software on the ASA not recognize it?

And if this is not supported, is there a roadmap to include other or any protocol in the "scan process"?

I'm very interested in the answer to that question!

Regards,

Sebastian

Hi,

These are the only protocols that are supported. NFS is not supported. SMB is used for transport.

I don't think it's on the roadmap either.

Regards,

Aastha Bhardwaj

Rate if that helps!!!

Hello Sebastian,

Apart from HTTP, SMTP, IMAP, POP3, FTP and SMB, no other protocols are supported. NFS is not supported and it is not in the upcoming roadmap. If you want this to be added, you can submit an enhancement request for adding this feature. For this, you have to contact your account team.

Rate if this answer helps you.

Regards

Jetsy 
