Solved: Steps for blocking Sha-256 on FMC

Alan Inman · ‎03-14-2020

To block a sha-256 on Cisco FMC are these the steps I need to take?

Add sha-256 to Objects >> File List >> Custom-Detection-List
Add File List (somehow) to Policies >>Access Control >> Malware & File >> Malware Block
Add Malware Block to Policies >> Access Control >> My production Access Control List

Or is simply doing step 1 sufficient? @Marvin Rhoads has a great explanation HERE but if I do have to move into step 2 I don't see a way to point back to the Custom-Detection-List in step 1. Thank you for your time -Alan

Step 1 Step 1

Step 2 Step 2 Step 2 (continued) Step 2 (continued)

Step 3 Step 3

Marvin Rhoads · ‎03-15-2020

When you create (and assign via your Access Control Policy) a file rule with the action of "Block Malware" (as you have) or "Malware Cloud Lookup" and hit a matching file type, Firepower will automatically check for a match in the customer file list you've created.

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/fpmc-config-guide-v60_chapter_01010111.html#ID-2243-00000833

Think of it kind of like Cisco's Security Intelligence feed for IP blacklist. As long as you're evaluating the traffic, it's automatically checked.

View solution in original post

Marvin Rhoads · ‎03-15-2020

When you create (and assign via your Access Control Policy) a file rule with the action of "Block Malware" (as you have) or "Malware Cloud Lookup" and hit a matching file type, Firepower will automatically check for a match in the customer file list you've created.

https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/fpmc-config-guide-v60_chapter_01010111.html#ID-2243-00000833

Think of it kind of like Cisco's Security Intelligence feed for IP blacklist. As long as you're evaluating the traffic, it's automatically checked.