SMTP attachment analysis on Firepower

HQuest (Level 1)

I have set up a lab with a fully licensed ASA+FP device in front of a TLS-enabled SMTP server. I created a rule to decrypt SSL traffic using the server's own certificate+key, for a set of TCP ports to this SMTP server's IP address. I also turned on file detection and SSL decryption on the ACL policies applied to the device. IPS/NAP policies are the default Balanced ones.

However, when I email the EICAR file to an account on this server, I have no record on FMC that this file went through. I was expecting, since FMC records a malware entry when I download the EICAR file from a web server, to have an entry recorded for the SMTP session as well.

Could anyone provide me more info on this?

Last but not least, I fully understand the performance limitations and impact of such a scenario.

Any hints/guidance appreciated.

23 Replies

It sounds like a bug at this point. Please do keep us updated with the TAC's findings.

Regards.

- Marvin

We found out that EICAR is detected via SMTP when sent as a .txt file attachment. Which is good, the engine is "working".

But if it is sent as an attachment in executable file form ("eicar.com", the way it was originally conceived), or inside a compressed file (with no password), it goes unnoticed by the AMP/FP engine. While the email client is smart enough to block certain file extensions, this can be disabled.

More to come...

Ok, this ended in between a funny and sad resolution.

TAC found out that if you email the file (as text or compressed) using the Mozilla Thunderbird client, AMP/FP detects the threat. If you use any other way to send it (via a web application connecting directly to your SMTP port, or via other SMTP servers delivering a pre-made message), it passes through. The email client and the desktop anti-virus pick up the threat inside the email message and block it. So "The problem is the way in which the page sends the email, the structure of the email." and "The Firepower is working properly.", as they closed my case with such a resolution.

At the same time, other firewall products with similar threat detection features detects all kinds of files AMP/FP is missing, so I think we have our answer now.

Thanks all for your time and suggestions. Now I need to make a reminder to malware makers to follow only standard rules when delivering malware so Cisco can catch them...
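The two findings above (detection depending on whether the same bytes arrive as a .txt, a .com or an unencrypted zip attachment, and then on the MIME structure the sending client produces) are easy to reproduce systematically. The script below is an added example, not code from the thread or from Cisco: it builds the three attachment variants with Python's standard email library, prints the MIME structure of each so it can be compared against a message captured from Thunderbird, and submits them over SMTP with STARTTLS so the flow passes the Firepower decryption rule. The hostnames and addresses are hypothetical, and the payload is a constructed placeholder: substitute the EICAR test string from eicar.org when running it in the lab.

```python
"""Build and submit the SMTP attachment variants from the thread with a
controlled MIME structure, so Firepower file events can be compared per variant.
Added example (not from the thread). Payload is a placeholder; use the real
EICAR test string in a lab."""
import io
import smtplib
import ssl
import zipfile
from email.message import EmailMessage

# Constructed placeholder bytes. Replace with the EICAR test string for a real test.
TEST_PAYLOAD = b"EICAR-TEST-STRING-PLACEHOLDER"

VARIANTS = ("txt", "com", "zip")


def zip_bytes(name, data):
    """Wrap data in an unencrypted zip archive (the 'compressed, no password' case)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_message(variant, sender="lab@example.test", rcpt="victim@example.test"):
    """Return a multipart/mixed message: a short text body plus one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "AMP file-policy test (%s)" % variant
    msg.set_content("Test message; the attachment is the object under test.")
    if variant == "txt":
        # text/plain attachment, 7bit in transit: the case the thread reports as detected
        msg.add_attachment(TEST_PAYLOAD.decode("ascii"), subtype="plain",
                           filename="eicar.txt")
    elif variant == "com":
        # identical bytes presented as an executable-looking file, base64 in transit
        msg.add_attachment(TEST_PAYLOAD, maintype="application",
                           subtype="octet-stream", filename="eicar.com")
    elif variant == "zip":
        # the same .com inside an unencrypted zip
        msg.add_attachment(zip_bytes("eicar.com", TEST_PAYLOAD), maintype="application",
                           subtype="zip", filename="eicar.zip")
    else:
        raise ValueError("unknown variant: %s" % variant)
    return msg


def mime_structure(msg):
    """(content-type, transfer-encoding, filename) for every leaf part.
    Compare this list with the same dump of a message captured from Thunderbird
    to see which structural difference the file policy reacts to."""
    return [
        (p.get_content_type(), str(p.get("Content-Transfer-Encoding", "")), p.get_filename())
        for p in msg.walk()
        if not p.is_multipart()
    ]


def submit(msg, host, port=25, starttls=True, verify_cert=False):
    """Submit the message over SMTP. STARTTLS is on by default so the session
    goes through the decryption rule; verify_cert=False tolerates the lab
    certificate the firewall re-signs with. Requires a reachable SMTP server."""
    with smtplib.SMTP(host, port, timeout=30) as s:
        if starttls:
            ctx = ssl.create_default_context()
            if not verify_cert:
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            s.starttls(context=ctx)
        return s.send_message(msg)


if __name__ == "__main__":
    for v in VARIANTS:
        print(v, mime_structure(build_message(v)))
    # e.g. submit(build_message("zip"), "smtp.lab.example.test", 25)
```

Send each variant once from this script and once from Thunderbird, then compare the `mime_structure` dumps of the two copies (headers, transfer encoding, part order) against what shows up under Analysis > Files > File Events; the structural field that differs between the detected and undetected copy is the one to raise with TAC.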

I agree that sounds like a pretty lame reply.

If it were my case, I'd make note of it in the customer satisfaction survey they send after case closure.

Hi Marvin

Do you know if this issue ever got resolved? Or are Cisco just trying to push their ESA ;)

Kr,

Michael

Alexandre,

I'm having a similar problem where I am doing TLS decryption on inbound SMTP, but no attachments are being logged / analysed by the file policy. I have a question for you: were your attachments delivered via SMTP/TLS logged in Analysis | Files | File Events?
If I understand correctly, TAC is telling you that only files delivered from a Thunderbird client can be detected AND that is how FP is supposed to work. Yikes!

pcnudde01,

While I disabled TLS on the inbound SMTP to keep things easy and clear, with one less layer to troubleshoot, I did see the attachment logged in File Events only when the file was emailed from the email client. All other variants passed through without being detected as an attachment by the FP, and all were flagged as trouble by the endpoint client. Unfortunate for the FP, as these same test cases were found and blocked by appliances from two other vendors.

I got someone from the feedback group and later from Cisco sales dept contacting me after my feedback, and that ended here. I explained to them again why I gave a low score rating for the TAC outcome, what my expectations were, what my findings were, and that was it. Dead silence afterwards.

Unfortunately, this was also the end of my discovery phase and we moved the project ahead with another vendor. I'm afraid, however, this will have a more significant impact on future projects: if a security appliance cannot be adapted to basic lab threat variants, how useful is it in the real world?

I saw your file policy and you have Malware Cloud Lookup. You should have Block Malware. The malware lookup will do that on its own if it needs to. I had the same issue before, until I changed it to Block Malware.

You are right, I was doing a lot of things at the same time and I replied too quickly.

I agree with Marvin, it sounds like a bug.

Since sometimes bugs are very funny, you can try to move rule 2 below rule 4 and see what happens.
