How to configure Firepower AMP to not upload files to the cloud / only local analysis

roesch4alc (Level 1)

Hi

we just want to perform file checking on known files (hash comparison) and also local analysis on the FMC when it is an unknown file. We do not want to upload any files to the cloud. What must a policy for this look like? I read a lot in the docs, but didn't finally get to know if this config is good.

Would this rule fit the requirements above?

filepol.PNG

Thanks!

 

4 Replies

nspasov (Cisco Employee)

Potentially yes. However, is your goal to block malware or only to monitor and be alerted when malware files traverse your network? The action "Malware Cloud Lookup" will only check and record the disposition of the files that traverse your network, but no blocking will occur.

With regards to your other question: the "Dynamic Analysis" option is what will instruct the FMC to upload unknown files to the cloud for analysis. If you leave that box unchecked, then no files will be uploaded.

You can get detailed info on all of this in the configuration guide for FMC:

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/file_policies_and_advanced_malware_protection.html

I hope this helps!

Thank you for rating helpful posts!

Hi,

in general, whether only monitoring or also with a blocking action, no upload of files to the cloud should actually happen. That's the main point.

But in addition to what you say, the Spero analysis also performs uploads, right?

I think the site you pointed to actually contains some additional helpful information.

Thanks!

It really all depends on how you configure your policy/rules. Below is a snippet taken directly from the link that I mentioned in my previous post:

 

Spero Analysis
Spero analysis examines structural characteristics such as metadata and header information in executable files. After generating a Spero signature based on this information, if the file is an eligible executable file, the device submits it to the Spero heuristic engine in the AMP cloud. Based on the Spero signature, the Spero engine determines whether the file is malware. You can also configure rules to submit files for Spero analysis without also submitting them to the AMP cloud.

Thank you for rating helpful posts!
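As an added example (not code from this thread or from Cisco), here is a small Python audit of file-policy rules, modelled as plain dataclasses whose field names are my own labels for the checkboxes discussed above, that reports what each rule sends to the AMP cloud and which rules would upload a full file:

```python
# Added example, not from the thread or from Cisco. Models the file-policy
# settings discussed above: the rule action, the "Dynamic Analysis" checkbox
# (uploads unknown files), "Spero Analysis" (submits a Spero signature built
# from executable metadata, not the file itself) and local malware analysis
# (on-box, no upload). Field names are my own, not FMC API fields.
from dataclasses import dataclass

# Actions that query the AMP cloud for a file disposition (SHA-256 lookup).
# "Detect Files" / "Block Files" only do file-type control, no cloud contact.
MALWARE_ACTIONS = {"Malware Cloud Lookup", "Block Malware"}


@dataclass
class FileRule:
    name: str
    action: str                           # e.g. "Malware Cloud Lookup", "Block Malware"
    dynamic_analysis: bool = False        # upload unknown files for sandboxing
    spero_analysis: bool = False          # submit Spero signature of executables
    local_malware_analysis: bool = False  # analyse on the device, nothing leaves


def what_leaves_the_network(rule: FileRule) -> set:
    """Return the set of artefacts this rule sends to the AMP cloud."""
    sent = set()
    if rule.action in MALWARE_ACTIONS:
        sent.add("sha256")                # disposition lookup is hash-only
        if rule.spero_analysis:
            sent.add("spero-signature")   # structural metadata, not file content
        if rule.dynamic_analysis:
            sent.add("file")              # the full unknown file is uploaded
    return sent


def rules_that_upload_files(rules) -> list:
    """Names of rules that violate a 'no file upload to the cloud' requirement."""
    return [r.name for r in rules if "file" in what_leaves_the_network(r)]


# Constructed sample policy: the rule the question describes (hash lookup plus
# local analysis only) next to one with Dynamic Analysis switched on.
SAMPLE_POLICY = [
    FileRule("local-only", "Malware Cloud Lookup", local_malware_analysis=True),
    FileRule("sandbox-all", "Block Malware", dynamic_analysis=True, spero_analysis=True),
]

if __name__ == "__main__":
    for r in SAMPLE_POLICY:
        print(f"{r.name}: sends {sorted(what_leaves_the_network(r))}")
    print("rules uploading files:", rules_that_upload_files(SAMPLE_POLICY))
```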

Thank you, now I understand, Spero is only for executable files... I think I will need to read more into it first, another huge topic...