Sourcefire File Malware Lookup Bypass

mvollersf
Level 1

I am currently looking for a way to exclude IPs from the Malware File lookup on a perimeter 3D sensor but am not having much luck.


For example, there are Windows patches and other trusted file deployment events that go through the sensor to multiple systems, and it is causing a large number of file lookup events (from the malware protection license functionality). I have tried adding a rule in the Access Control policy with src = the patch server, dst = any, action allow, and either a blank file lookup policy defined in the rule or it set to "none". However, the systems are still generating large numbers of file lookup events.


Anyone had any luck with this?

Accepted Solution

atatistc
Cisco Employee

Access Control Policy is the way to do it. What you described should work; there is likely some issue with the rules, either the rule criteria or the rule order, that is causing this.


Thanks atatistc, I was silly and put the location being downloaded from as src in the AC rule, but connection events showed it's a pull function initiated from the clients; after correcting that it seems to be working as expected.
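The two failure modes named in this thread, wrong direction (src/dst) and rule order, can be shown with a toy first-match evaluator. This is an added illustration, not Firepower code; the addresses and rule names are constructed, and the model assumes that a rule matches on the connection initiator as src and that a rule with no file policy performs no file lookup, as the thread describes.

```python
"""Toy first-match access-control evaluator (added illustration, not Firepower code).

Connection tuples are written from the initiator's point of view, as
connection events record them: src = the host that opened the connection.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass
class Rule:
    name: str
    src: str = ANY          # initiator address or "any"
    dst: str = ANY          # responder address or "any"
    file_policy: Optional[str] = "default-malware"  # None == no file lookup on this rule


def matches(rule: Rule, src: str, dst: str) -> bool:
    return rule.src in (ANY, src) and rule.dst in (ANY, dst)


def evaluate(policy: list, src: str, dst: str) -> Rule:
    """First matching rule wins; the last rule is the catch-all default."""
    for rule in policy:
        if matches(rule, src, dst):
            return rule
    raise ValueError("policy has no default rule")


PATCH_SERVER = "10.0.0.5"   # constructed sample addresses
CLIENT = "10.0.1.20"
DEFAULT = Rule("default", file_policy="default-malware")

# As in the question: patch server as src (wrong direction for a client-initiated pull)
wrong_policy = [Rule("patch-exempt", src=PATCH_SERVER, file_policy=None), DEFAULT]
# As corrected: clients initiate the download, so the patch server is dst
fixed_policy = [Rule("patch-exempt", dst=PATCH_SERVER, file_policy=None), DEFAULT]
# Same corrected rule placed after a broader rule: shadowed, never reached
shadowed_policy = [Rule("allow-all", file_policy="default-malware"),
                   Rule("patch-exempt", dst=PATCH_SERVER, file_policy=None), DEFAULT]


def file_policy_for_pull(policy: list) -> Optional[str]:
    """Which file policy applies when CLIENT pulls a patch from PATCH_SERVER?"""
    return evaluate(policy, src=CLIENT, dst=PATCH_SERVER).file_policy


if __name__ == "__main__":
    for name, pol in [("wrong", wrong_policy), ("fixed", fixed_policy), ("shadowed", shadowed_policy)]:
        print(name, "->", file_policy_for_pull(pol))
```

Only the "fixed" policy ends with no file policy on the patch traffic; the other two fall through to the default rule and keep generating lookups.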
