This document describes how to test and verify the Advanced Malware Protection (AMP) features of the Cisco Email Security Appliance (ESA).
Test AMP on the ESA
With the release of AsyncOS 8.5 for the ESA, AMP performs file reputation scans and file analysis in order to detect malware in attachments.
In order to implement AMP, you must have a valid and active feature key for both File Reputation and File Analysis on your ESA. Visit System Administration > Feature Keys on the GUI, or use featurekeys on the CLI, in order to verify the feature keys.
In order to enable the service from the GUI, navigate to Security Services > File Reputation and Analysis. From the CLI, you can run ampconfig. Submit and commit your changes to the configuration.
Incoming Mail Policies
Once you have enabled the service, you must have this service tied to an incoming mail policy.
Navigate to Mail Policies > Incoming Mail Policies.
Select your Default Policy or a preconfigured policy as needed. The Advanced Malware Protection column on the Incoming Mail Policies page displays.
Select the Disabled link for the column, and Enable File Reputation and Enable File Analysis on the options page.
You can make any further configuration enhancements to message scanning, actions for un-scannable attachments, and actions for positively identified messages, as needed.
Submit and commit your changes to the configuration.
At this time, your incoming mail policy is enabled to scan and detect malware. You must have a true malware sample with which to test. If you need valid examples, visit the European Institute for Computer Antivirus Research (EICAR) downloads page.
Caution: Cisco cannot be held responsible when these files or your AV scanner in combination with these files cause any damage to your computer or network environment. YOU DOWNLOAD THESE FILES AT YOUR OWN RISK. Download these files only if you are sufficiently secure in the usage of your AV scanner, computer settings, and network environment. This information is provided as a courtesy for test and reproduction purposes.
With the use of a valid, preconfigured email account, send the attachment through your ESA and normal processing. You can use the CLI of the ESA and tail mail_logs in order to monitor the mail as it processes. You will see the Message ID (MID) listed in the mail logs. Output similar to this displays:
Also from the GUI, when you use Message Tracking and the Advanced drop-down menu, you can choose to search for an Advanced Malware Protection Positive message directly:
Advanced Malware Protection Reports
From the ESA GUI, you also see report tracking for positively identified messages through AMP. Navigate to Monitor > Advanced Malware Protection and modify the time range as needed. With the previous examples as input, you see a report similar to this:
If you do not see a known, true malware file that is positively scanned by AMP, review the mail logs in order to assure that another service did not take action on the message and/or attachment before AMP scanned the message.
From the earlier example used, when Sophos Anti-virus is enabled, it actually catches and takes action on the attachment:
The Sophos Anti-virus configuration settings on the incoming mail policy are set to drop virus-infected messages. In this instance, AMP is never reached to scan or take action on the attachment.
This is not always the case. A review of the mail logs and Message IDs (MIDs) might be needed in order to assure that another service OR a content/message filter did not take action against the MID before AMP processed the message and reached a verdict.
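The two checks described above (find the MID in mail_logs, then confirm which engine acted on it first) can be automated over a saved copy of mail_logs. The script below is an added example and is not part of the Cisco document or AsyncOS; the sample log lines are constructed, and the message fragments it matches (antivirus positive, Dropped by antivirus, File reputation query initiating, Verdict = ..., Dropped by amp) are assumptions that approximate ESA wording, so adjust the patterns to what your appliance actually logs.

```python
import re

# Constructed sample of mail_logs output (an approximation of ESA wording, not
# copied from an appliance). MID 101 is dropped by Sophos before AMP runs;
# MID 102 passes antivirus, reaches AMP and is flagged by file reputation.
SAMPLE_MAIL_LOG = """\
Mon Jan  1 10:00:01 2024 Info: MID 101 ICID 55 From: <sender@example.test>
Mon Jan  1 10:00:01 2024 Info: MID 101 attachment 'eicar.com'
Mon Jan  1 10:00:02 2024 Info: MID 101 antivirus positive 'EICAR-AV-Test'
Mon Jan  1 10:00:02 2024 Info: Message aborted MID 101 Dropped by antivirus
Mon Jan  1 10:00:03 2024 Info: Message finished MID 101 done
Mon Jan  1 10:05:01 2024 Info: MID 102 ICID 56 From: <sender@example.test>
Mon Jan  1 10:05:01 2024 Info: MID 102 attachment 'sample.exe'
Mon Jan  1 10:05:02 2024 Info: MID 102 antivirus negative
Mon Jan  1 10:05:03 2024 Info: MID 102 File reputation query initiating. File Name = 'sample.exe', MID = 102
Mon Jan  1 10:05:04 2024 Info: MID 102 Response received for file reputation query. Verdict = MALICIOUS
Mon Jan  1 10:05:04 2024 Info: Message aborted MID 102 Dropped by amp
"""

MID_RE = re.compile(r"\bMID (\d+)\b")

# Assumed log fragments mapped to (engine, event). Edit these to match the
# exact wording in your own mail_logs.
EVENT_PATTERNS = [
    (re.compile(r"antivirus positive", re.I), ("sophos", "positive")),
    (re.compile(r"Dropped by antivirus", re.I), ("sophos", "dropped")),
    (re.compile(r"File reputation query initiating", re.I), ("amp", "scanned")),
    (re.compile(r"Verdict = (\w+)", re.I), ("amp", "verdict")),
    (re.compile(r"Dropped by amp", re.I), ("amp", "dropped")),
    (re.compile(r"Dropped by (?:content|message) filter", re.I), ("filter", "dropped")),
]


def parse_mail_log(text):
    """Group recognised (engine, event, detail) tuples by MID, in log order."""
    events = {}
    for line in text.splitlines():
        m = MID_RE.search(line)
        if not m:
            continue  # line carries no MID (e.g. ICID-only or system lines)
        mid = int(m.group(1))
        events.setdefault(mid, [])
        for pattern, (engine, event) in EVENT_PATTERNS:
            hit = pattern.search(line)
            if hit:
                detail = hit.group(1).upper() if hit.groups() else None
                events[mid].append((engine, event, detail))
    return events


def summarize(mid_events):
    """Did AMP actually see this message, and which engine took action first?"""
    amp_reached = any(e == "amp" and ev in ("scanned", "verdict")
                      for e, ev, _ in mid_events)
    amp_verdict = next((d for e, ev, d in mid_events
                        if e == "amp" and ev == "verdict"), None)
    # The first "dropped" event is the service that acted before anything else.
    first_action = next((e for e, ev, _ in mid_events if ev == "dropped"), None)
    return {"amp_reached": amp_reached,
            "amp_verdict": amp_verdict,
            "first_action_by": first_action}


def trace(text):
    """Per-MID summary of a mail_logs excerpt."""
    return {mid: summarize(evs) for mid, evs in parse_mail_log(text).items()}


if __name__ == "__main__":
    for mid, s in trace(SAMPLE_MAIL_LOG).items():
        if not s["amp_reached"]:
            print(f"MID {mid}: AMP never scanned it; acted on first by {s['first_action_by']}")
        else:
            print(f"MID {mid}: AMP verdict {s['amp_verdict']}; action by {s['first_action_by']}")
```

Run it against a file captured from tail mail_logs (or grep mail_logs for a MID) instead of SAMPLE_MAIL_LOG; a MID that reports amp_reached false with first_action_by set to sophos or filter is exactly the Sophos-drops-first case described above, and the fix is in the policy ordering, not in AMP.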