05-06-2016 07:32 AM - edited 03-12-2019 06:00 AM
Dears,
I have set up a file policy as per the attached. I can see in the logs that the malware has been passed by the file transfer, though I have blocked malware for all file types. Can anybody confirm to me, from the file/malware events as per the attached, whether the end user is affected with malware?? I don't see any colour change on the end user computer icon, but in the file trajectory it shows me a disposition of malware. Also, can anybody confirm to me that the file policies I have created below are good enough to block malware, as they are displaying a warning which I think is only informational?
1) mov and archive files blocked
2) all file types with malware detected blocked
Thanks
05-06-2016 10:08 AM
The application rule is ok, as you have a file policy in every rule.
I would say yes, the end client is affected, and it would be advisable to run some malware analysis on that.
05-06-2016 07:48 AM
Hi
So the first file policy will block the file types that are specified there, irrespective of whether they are malware. The second policy will do a cloud lookup and, if malware is found, will block those files.
The trajectory page shows that the file's disposition was not present in the cloud; that is why they passed and show as unknown. The retrospective event shows that the file is marked as malware now.
So based on that, those files should be blocked now. Now the question is which file policy is applied where.
The malware block policy should be applied in the general traffic rule, so that if any file is detected as malicious, the Block Malware action can be applied.
Hope it helps.
05-06-2016 08:53 AM
Dear yogdhanu
Thanks for the reply.
"The trajectory page shows that the file's disposition was not present in the cloud; that is why they passed and show as unknown."
From the above line I understand that the malware has reached the endpoint and the endpoint is affected. Please correct me if I am wrong.
"The retrospective event shows that the file is marked as malware now."
If you look at the dates, it first let it go on 21st April, and then the retrospective event is on 23rd, which is showing the malware disposition. So it was detected after 2 days; before that, the malware was passed to the computer.
"The malware block policy should be applied in the general traffic rule, so that if any file is detected as malicious, the Block Malware action can be applied."
A file policy is applied on every one of my rules, so in case a user is trying to download any file on any application, it will be sent to the malware cloud lookup.
For example, a rule:
policy name: team-viewer, zone: inside to outside, network: any, user: abc, application: teamviewer, file policy: file-policy
For the above rule it is giving me a warning that the team-viewer policy rule targeting application protocol "Any" may never be triggered due to application selection.
This error is because I have selected Any for application in the file policy. To avoid such a warning, should I create another file policy specifically selecting the TeamViewer application type? Is it possible?? Please correct me if I am wrong.
thanks
05-06-2016 12:17 PM
05-06-2016 12:18 PM
Hi
I don't see any attachment, but if the warning is about the file policy, can you please attach it again?
05-06-2016 01:21 PM
05-06-2016 01:43 PM
Ok, it just says that because this rule looks to match traffic which has the TeamViewer app, it might never match a real file policy rule.
An IPS or file policy will only apply if the matching criteria in that rule are met and the rule is determined to match; only then does the IPS or file policy come into the picture. So in this case, if and only if you are using TeamViewer will that traffic match that rule; other traffic will move on to the next rule, and then, based on those rules, the file policy will hit those rules.
Hope it helps.
05-06-2016 02:22 PM
Dear Yogdhanu,
I didn't understand your reply properly, but from your replies what I understand is that a file policy has a limited number of applications for malware block, so in our case, for the TeamViewer application, the file policy will never trigger. Please correct me if I am wrong.
As per the attached snapshot in the above post, I have an instant messaging and a TeamViewer application, so for users who share files over these applications, how can they be malware blocked?
05-06-2016 10:30 PM
Hi
So the rule will detect the application being used first and then apply the file policy there.
If the users transfer files through TeamViewer or IM, it will most probably be an encrypted session (haven't used it, so not sure). If it is an encrypted file transfer then SSL decryption is needed; otherwise Firepower, or any other intermediate device for that matter, cannot see the contents and the file will pass.
Hope that helps.
05-06-2016 11:13 PM
Dear Yogdhanu,
But the error means something else:
"file policy rule targeting application protocol "Any" may never be triggered due to application selection." This is for an access policy rule to which we have assigned the file policy.
thanks
05-10-2016 10:26 AM
Dears
Can anybody reply to my above query, please?
thanks
05-10-2016 11:43 AM
Dear yogdhanu,
You are an expert from Cisco; maybe I am wrong, but I am asking again because I want to be satisfied on the query.
In the file policy, for application I have ticked "any", so it is prompting a warning that because I have selected "ANY" for application, this file policy will never be triggered.
Please correct me if I am wrong.
thanks
11-29-2017 04:41 PM
Hi,
My best guess for the error is as follows.
Please note that the error in the file policy is because a file policy for detecting or blocking files can be set based on the supported protocols, and not based on applications as in the access control rules. The supported protocols are HTTP, FTP, SMB, SMTP and POP3, I guess.
Since your file policy is tied to an access control rule which matches team-viewer as the application, that is the reason for the conflict.
Are you trying to block the files transferring over the TeamViewer web app or the TeamViewer client?
Vaibhav
05-10-2016 10:39 AM
Hi
It means that the rule will first look for the selected application in the traffic in order to be triggered, and only then will that traffic be inspected with the file policy on that rule.
If there is any other traffic which is not identified as that application, the traffic will move on to the next rule to match, and then the action will be decided based on the next rule.
Hope it helps.
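As an added illustration (not Firepower's code, and not from any poster in this thread), the following toy model shows the order of evaluation described in the replies above: an access control rule matches on application first, only then runs its file policy, which blocks by file type or does a cloud lookup, and a retrospective disposition change turns a previously "unknown" file into a blocked one. All rule names, application names, file types and SHA values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class FileRule:
    file_types: set      # e.g. {"MOV", "ARCHIVE"} or {"ANY"}
    action: str          # "block_type" (Block Files) or "block_malware" (Block Malware)

@dataclass
class AccessRule:
    name: str
    application: str     # "ANY" or one specific app such as "teamviewer"
    file_policy: list = field(default_factory=list)   # FileRule list; empty = no policy

# Constructed stand-in for the AMP cloud: disposition by file hash, missing = "unknown".
CLOUD = {"sha-known-bad": "malware", "sha-clean": "clean"}

def evaluate(rules, app, file_type, sha):
    """Return (rule_name, verdict) for one file seen in traffic identified as `app`."""
    for rule in rules:
        if rule.application not in ("ANY", app):
            continue                           # app mismatch: fall through to the next rule
        if not rule.file_policy:
            return rule.name, "allowed (no file policy)"
        for fr in rule.file_policy:            # file policy runs only after the rule matched
            if "ANY" not in fr.file_types and file_type not in fr.file_types:
                continue
            if fr.action == "block_type":
                return rule.name, "blocked (file type)"
            if fr.action == "block_malware":
                disp = CLOUD.get(sha, "unknown")
                if disp == "malware":
                    return rule.name, "blocked (malware)"
                return rule.name, f"allowed (disposition {disp})"
        return rule.name, "allowed (no matching file rule)"
    return "default", "allowed (default action)"

def retrospective(sha, new_disposition):
    """Cloud learns a disposition later: from now on the same file is blocked, earlier copies already passed."""
    CLOUD[sha] = new_disposition

# The thread's two file rules, attached to both a TeamViewer-specific rule and a general rule.
POLICY = [FileRule({"MOV", "ARCHIVE"}, "block_type"), FileRule({"ANY"}, "block_malware")]
RULES = [AccessRule("team-viewer", "teamviewer", POLICY), AccessRule("general", "ANY", POLICY)]

if __name__ == "__main__":
    print(evaluate(RULES, "teamviewer", "MSEXE", "sha-new"))   # unknown disposition: passes
    retrospective("sha-new", "malware")                       # retrospective event two days later
    print(evaluate(RULES, "teamviewer", "MSEXE", "sha-new"))   # now blocked
```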