How to find Threat Detected in Network Transfer - Firepower

sysad43
Level 1

I'm having trouble with one user working on and saving a Word document to our file server over VPN. Firepower keeps blocking it as malware, but looking at the file there are no obvious signs of malware. Firepower doesn't appear to give me any reason why it thinks it's malware. In the event log, there is nothing under detection name.

I am adding it to the clean list, but the user is making new doc files based on a template file, and each time the new file gets flagged. I've checked the template and new files and there's no reason for them to be malware. What do I do?

6 Replies

Hi,

How did you conclude that it's blocked by Firepower if you aren't seeing the logs?

If it's blocked by FTD, there has to be a file event or IPS event. From there you can find the reason for the block. It can be an outdated signature which isn't applicable to your environment (then you can disable it), an incorrect disposition, etc.

From the CLI use 'system support trace', simulate the file copy and see if it's blocked by FTD from the CLI. If so, ensure that the matched rule has logging enabled to find out the matched signature or disposition.

***** please remember to rate useful posts

sysad43
Level 1

It is in the logs. I said there is nothing under the detection name column in the log entry. We only have one file policy, which is pretty much default.

 

[attached screenshot: sysad43_0-1682442405302.png]

 

Hi, what is the configuration of the file policy assigned to the matched ACP rule? Post that.

[attached screenshot: sysad43_0-1682445800341.png]

 

Hi,

Very likely it's detected by dynamic analysis. To confirm that, try to use the CLI command I gave earlier and see the outcome of the file policy scanning.

Back to your problem, try to upload the file to VirusTotal to get a score for it. Also, try to put it in CyberChef to see if there are hidden macros causing this.

Once the malicious component is identified, you can clear it through various tools. Your user can then use the clean version of the template.
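The two checks the reply above suggests (getting a hash to look up the file's disposition, and looking for hidden macros) can be scripted rather than done by hand in CyberChef. The following is an added example, not code from this thread or from Cisco: it builds two constructed .docx files in memory, one clean and one carrying a VBA project plus an external attached-template relationship, and reports the SHA-256 that Firepower file events and the clean list key on, together with the container indicators a triager checks before trusting a "clean-looking" Word file. It goes beyond the thread by also flagging embedded OLE objects and external relationship targets; the sample files and the file-server path in the relationship are hypothetical.

```python
import hashlib
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0"  # signature of legacy .doc / OLE2 compound files


def _build_docx(suspicious: bool) -> bytes:
    """Constructed sample input (not a file from the thread): a minimal OOXML
    container, optionally with a VBA project and an external template link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if suspicious:
            # A real vbaProject.bin is a full OLE2 file; the magic bytes suffice here.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 28)
            # Hypothetical attached-template relationship pointing off the document.
            z.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships><Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                'relationships/attachedTemplate" '
                'Target="file://fileserver/templates/base.dotm" '
                'TargetMode="External"/></Relationships>',
            )
    return buf.getvalue()


CLEAN_DOCX = _build_docx(suspicious=False)
SUSPICIOUS_DOCX = _build_docx(suspicious=True)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the whole file: the value shown in FMC file events and used
    for AMP disposition lookups and the clean/custom detection lists."""
    return hashlib.sha256(data).hexdigest()


def inspect_office_file(data: bytes) -> dict:
    """Return the container-level indicators for a Word file: whether it is an
    OOXML zip or a legacy OLE2 file, any VBA project parts, embedded OLE
    objects, and .rels parts that reference external targets."""
    report = {
        "sha256": sha256_hex(data),
        "is_ooxml_zip": False,
        "is_ole2_legacy": data.startswith(OLE2_MAGIC),
        "vba_parts": [],
        "embedded_objects": [],
        "external_targets": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["is_ooxml_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                report["vba_parts"].append(name)
            elif "/embeddings/" in low:
                report["embedded_objects"].append(name)
            elif low.endswith(".rels"):
                rels = z.read(name).decode("utf-8", errors="replace")
                if 'TargetMode="External"' in rels:
                    report["external_targets"].append(name)
    return report


def indicators(report: dict) -> list:
    """Human-readable reasons the file deserves a closer look (empty = none found)."""
    found = []
    if report["is_ole2_legacy"]:
        found.append("legacy OLE2 (.doc) container; macros need an OLE parser to see")
    if report["vba_parts"]:
        found.append("VBA project present: " + ", ".join(report["vba_parts"]))
    if report["embedded_objects"]:
        found.append("embedded OLE objects: " + ", ".join(report["embedded_objects"]))
    if report["external_targets"]:
        found.append("external relationship targets in: " + ", ".join(report["external_targets"]))
    return found


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        rep = inspect_office_file(blob)
        print(f"{label}: sha256={rep['sha256']}")
        for line in indicators(rep) or ["no container-level indicators"]:
            print("  -", line)
```

Run it against the user's template and a freshly saved document and compare the two SHA-256 values with the file events in FMC; if the template itself carries a VBA project or an external attached-template link, every document saved from it inherits that part, which would explain why each new file is flagged even after a single hash is added to the clean list.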

I'm not able to run the command. Command not found. Maybe because that's for FTD, and I'm running FPMC?
