File Policies and Advanced Malware Protection

The following topics provide an overview of file control, file policies, file rules, AMP cloud connections, and dynamic analysis connections.

About File Policies and Advanced Malware Protection

File policies can optionally be configured to detect and block malware.

Advanced Malware Protection (AMP) for Firepower can detect, capture, track, analyze, log, and optionally block the transmission of malware in network traffic. In the Firepower Management Center web interface, this feature is called AMP for Networks, formerly called AMP for Firepower. AMP identifies malware using threat data from the Cisco cloud and managed devices deployed inline.

You implement Advanced Malware Protection using file policies, which you associate with access control rules that handle network traffic as part of your overall access control configuration.

When the system detects malware on your network, it generates file and malware events. To analyze file and malware event data, see File/Malware Events and Network File Trajectory.

Malware Protection Methods

The Firepower system applies several methods of file inspection and analysis to determine whether a file contains malware.

Depending on the options you enable in a file rule, the system inspects files using the following tools, in order:

Spero Analysis and AMP Cloud Lookup
Local Malware Analysis
Dynamic Analysis

For a comparison of these tools, see Comparison of Malware Protection Methods.

(You can also, if you choose, block all files based on their file type. For more information, see Block All Files by Type.)

See also information about Cisco's AMP for Endpoints product at (Optional) Malware Protection with AMP for Endpoints and subtopics.

Spero Analysis

Spero analysis examines structural characteristics such as metadata and header information in executable files. After generating a Spero signature based on this information, if the file is an eligible executable file, the device submits it to the Spero heuristic engine in the AMP cloud. Based on the Spero signature, the Spero engine determines whether the file is malware. You can also configure rules to submit files for Spero analysis without also submitting them to the AMP cloud.

Note that you cannot manually submit files for Spero analysis.

AMP Cloud Lookup

For files that are eligible for assessment using Advanced Malware Protection, the Firepower Management Center performs a malware cloud lookup, querying the AMP cloud for the file's disposition based on its SHA-256 hash value.

To improve performance, the system caches dispositions returned by the cloud and uses the cached disposition for known files rather than querying the AMP cloud. For more information about this cache, see Cached Disposition Longevity.

Local Malware Analysis

Local malware analysis allows a managed device to locally inspect executables, PDFs, office documents, and other types of files for the most common types of malware, using a detection rule set provided by the Cisco Talos Security Intelligence and Research Group (Talos). Because local analysis does not query the AMP cloud, and does not run the file, local malware analysis saves time and system resources.

If the system identifies malware through local malware analysis, it updates the existing file disposition from Unknown to Malware. The system then generates a new malware event. If the system does not identify malware, it does not update the file disposition from Unknown to Clean. After the system runs local malware analysis, it caches file information such as SHA-256 hash value, timestamp, and disposition, so that if detected again within a certain period of time, the system can identify malware without additional analysis. For more information about the cache, see Cached Disposition Longevity.

Local malware analysis does not require establishing communications with the Cisco Threat Grid cloud. However, you must configure communications with the cloud to submit files preclassified as malware for dynamic analysis, and to download updates to the local malware analysis ruleset.

Cached Disposition Longevity

Dispositions returned from an AMP cloud query, associated threat scores, and dispositions assigned by local malware analysis, have a time-to-live (TTL) value. After a disposition has been held for the duration specified in the TTL value without update, the system purges the cached information. Dispositions and associated threat scores have the following TTL values:

Clean — 4 hours
Unknown — 1 hour
Malware — 1 hour

If a query against the cache identifies a cached disposition that timed out, the system re-queries the local malware analysis database and the AMP cloud for a new disposition.

Dynamic Analysis

You can configure your file policy to automatically submit files for dynamic analysis using Cisco Threat Grid (formerly AMP Threat Grid), Cisco’s file analysis and threat intelligence platform.

Devices submit eligible files to Cisco Threat Grid (either the public cloud or to an on-premises appliance, whichever you have specified) regardless of whether the device stores the file.

Cisco Threat Grid runs the file in a sandbox environment, analyzes the file's behavior to determine whether the file is malicious, and returns a threat score that indicates the likelihood that a file contains malware. From the threat score, you can view a dynamic analysis summary report with the reasons for the assigned threat score. You can also look in Cisco Threat Grid to view detailed reports for files that your organization submitted, as well as scrubbed reports with limited data for files that your organization did not submit.

You can optionally configure the file policy to override AMP cloud file dispositions based on the threat score.

For more information about Cisco Cisco Threat Grid, see https://www.cisco.com/c/en/us/products/security/threat-grid/index.html

To configure your system to perform dynamic analysis, see the topics under Dynamic Analysis Connections.

Which Files Are Eligible for Dynamic Analysis?

A file's eligibility for dynamic analysis depends on:

the file type
the file size
the file rule's action

Additionally:

The system submits only files that match the file rules you configure.
The file must have a malware cloud lookup disposition of Unknown or Unavailable at the time the file is sent for analysis.
The system must preclassify the file as potential malware.

Block All Files by Type

If your organization wants to block not only the transmission of malware files, but all files of a specific type, regardless of whether the files contain malware, you can do so.

File control is supported for all file types where the system can detect malware, plus many additional file types. These file types are grouped into basic categories, such as multimedia (swf, mp3), executables (exe, torrent), and PDFs.

Blocking all files based on their type is not technically a malware protection feature; it does not require a Malware license and does not query the AMP cloud.

Comparison of Malware Protection Methods

The following table details the benefits and drawbacks of each type of file analysis, as well as the way each malware protection method determines a file's disposition.


Analysis Type	Benefit	Limitations	Malware Identification
Spero analysis	Structural analysis of executable files, submits Spero signature to the AMP Cloud for analysis	Less thorough than local malware analysis or dynamic analysis, only for executable files	Disposition changes from Unknown to Malware only on positive identification of malware.
Local malware analysis	Consumes fewer resources than dynamic analysis, and returns results more quickly, especially if the detected malware is common	Less thorough results than dynamic analysis	Disposition changes from Unknown to Malware only on positive identification of malware.
Dynamic analysis	Thorough analysis of unknown files using Cisco Threat Grid	Eligible files are uploaded to the public cloud or an on-premises appliance. It takes some time to complete analysis	Threat score determines maliciousness of a file. Disposition is based on the threat score threshold configured in the file policy.
Spero analysis and local malware analysis	Consumes fewer resources than configuring local malware analysis and dynamic analysis, while still using AMP cloud resources to identify malware	Less thorough than dynamic analysis, Spero analysis only for executable files	Disposition changes from Unknown to Malware only on positive identification of malware.
Spero analysis and dynamic analysis	Uses full capabilities of AMP cloud in submitting files and Spero signatures	Results obtained less quickly than if using local malware analysis	Threat score changes based on dynamic analysis results for files preclassified as possible malware. Disposition changes based on configured threat score threshold in the file policy, and from Unknown to Malware if the Spero analysis identifies malware.
Local malware analysis and dynamic analysis	Thorough results in using both types of file analysis	Consumes more resources than either alone	Threat score changes based on dynamic analysis results for files preclassified as possible malware. Disposition changes from Unknown to Malware if local malware analysis identifies malware, or based on configured threat score threshold in the file policy.
Spero analysis, local malware analysis and dynamic analysis	Most thorough results	Consumes most resources in running all three types of file analysis	Threat score changes based on dynamic analysis results for files preclassified as possible malware. Disposition changes from Unknown to Malware if Spero analysis or local malware analysis identifies malware, or based on configured threat score threshold in the file policy.
(Block transmission of all files of a specified file type)	Does not require a Malware license (This option is not technically a malware protection option.)	Legitimate files will also be blocked	(No analysis is performed.)

Note

Preclassification does not itself determine a file's disposition; it is merely one of the factors that determine whether a file is eligible for Dynamic Analysis.

License Requirements for File and Malware Policies


To Do This	License Required	File Rule Action
Block or allow all files of a particular type (for example, block all .exe files)	Protection	Allow, Block, Block with Reset
Selectively allow or block files based on a judgment that it contains or is likely to contain malware	Malware	Malware Cloud Lookup, Block Malware
Store files	Malware	Any file rule action with Store Files selected

For details about Malware licenses, see:

Malware Licenses for Classic Devices

How to Configure Malware Protection

This topic summarizes the steps you must take to set up your Firepower system to protect your network from malicious software.

Procedure

Step 1	Plan and Deploy Products and Licenses for Malware Protection
Step 2	Configure Policies to Detect and Handle Malware
Step 3	Arrange Ongoing Maintenance and Monitoring of Malware Protection

What to do next

(Optional) Deploy and integrate Cisco's AMP for Endpoints product to further enhance detection of malware in your network. See (Optional) Malware Protection with AMP for Endpoints and subtopics.

Plan and Deploy Products and Licenses for Malware Protection

This procedure is the first set of steps in the complete process for configuring your system to provide malware protection.

Procedure

Step 1	Purchase and install the necessary Malware licenses for your Firepower system. See License Requirements for File and Malware Policies and Licensing the Firepower System.
Step 2	Understand how file policies and malware protection fit into your access control plan. See the chapter Access Control Using Intrusion and File Policies.
Step 3	Understand the file analysis tools that are available for malware protection. See Malware Protection Methods and subtopics.
Step 4	Determine whether you will use public clouds or private (on-premises) clouds for malware file analysis and dynamic analysis. See Cloud Connections for Malware Protection and subtopics.
Step 5	If you will use private (on-premises) Cisco AMP clouds: Purchase, deploy, and test those products. For information, contact your Cisco sales representative or authorized reseller.
Step 6	Configure your firewall to allow communications with your chosen clouds. See Security, Internet Access, and Communication Ports.
Step 7	Configure connections between the FMC and the AMP clouds (public or private). For the AMP cloud, see Change AMP Options. If you deployed an on-premises Cisco Threat Grid appliance, see Connect to an On-Premises Dynamic Analysis Appliance. (Access to the public Threat Grid cloud does not require configuration.)

What to do next

Continue with the remaining steps in How to Configure Malware Protection.

Configure Policies to Detect and Handle Malware

Before you begin

Complete the tasks up to this point in the malware protection workflow:

See How to Configure Malware Protection.

Procedure

Step 1

Configure file policies:

Understand file policy and file rule restrictions.

See File Policy and File Rule Guidelines and Limitations and subtopics.
Create a file policy.

See Creating a File Policy.
Create rules within your file policy.

See File Rules and subtopics.

Step 2

Add your file policies to your access control configuration:

Understand guidelines for file policies in access control policies. (These are different from the file rule and file policy guidelines above.)

Review File and Intrusion Inspection Order.
Associate the file policy with an access control policy.

See Configuring an Access Control Rule to Perform Malware Protection
If you have not yet done so, configure network discovery policies so that file and malware events can be associated with hosts on your network.

(Do not simply turn on network discovery; you must configure it to discover hosts on your network to build a network map of your organization.)

See Network Discovery Policies and subtopics.
Assign the access control policy to managed devices.

See Setting Target Devices for an Access Control Policy.
Deploy the access control policy to managed devices.

See Deploy Configuration Changes.

Your system is now configured to detect and handle malware.

Step 3

Test your system to be sure it is processing malicious files as you expect it to.

What to do next

In order to ensure ongoing effectiveness of your deployment, see Arrange Ongoing Maintenance and Monitoring of Malware Protection.

Arrange Ongoing Maintenance and Monitoring of Malware Protection

Ongoing maintenance is essential for protecting your network.

Before you begin

Configure your system to protect your network from malware.

See How to Configure Malware Protection and referenced procedures.

Procedure

Step 1

Ensure that your system always has the most current and effective protection.

See Maintain Your System: Update File Types Eligible for Dynamic Analysis.

Step 2

Configure alerts for malware-related events and health monitoring.

See Configuring AMP for Networks Alerting and information in Health Monitoring about the following modules:

Local Malware Analysis
Security Intelligence
Intrusion and File Event Rate
AMP for Firepower Status
AMP for Endpoints Status

What to do next

Understand how to use file and malware events to research potential issues.

See File/Malware Events and Network File Trajectory.

Cloud Connections for Malware Protection

Connections to public or private clouds are required in order to protect your network from malware.

AMP Clouds

The Advanced Malware Protection (AMP) cloud is a Cisco-hosted server that uses big data analytics and continuous analysis to provide intelligence that the system uses to detect and block malware on your network.

The AMP cloud provides dispositions for possible malware detected in network traffic by managed devices, as well as data updates for local malware analysis and file pre-classification.

If your organization has deployed AMP for Endpoints and configured Firepower to import its data, the system imports this data from the AMP cloud, including scan records, malware detections, quarantines, and indications of compromise (IOC).

Cisco offers the following options for obtaining data from the Cisco cloud about known malware threats:

AMP public cloud— Your Firepower Management Center communicates directly with the public Cisco cloud.
An AMP private cloud is deployed on your network and acts as a compressed, on-premises AMP cloud.

For details, see Cisco AMP Private Cloud.

Dynamic Analysis Cloud

Cisco Threat Grid cloud—Processes eligible files that you send to the cloud for dynamic analysis, and provides threat scores and dynamic analysis reports.
On-premises Cisco Threat Grid appliance—If your organization's security policy does not allow the Firepower System to send files outside of your network, you can deploy an on-premises appliance. This appliance does not contact the public Cisco Threat Grid cloud.

For more information, see Dynamic Analysis On-Premises Appliance (Cisco Threat Grid).

Configure Connections to AMP and Threat Grid Clouds

AMP Cloud Connection Configurations
Dynamic Analysis Connections

AMP Cloud Connection Configurations

The following topics describe AMP cloud connection configurations for different scenarios:

Choose an AMP Cloud
Connecting to an AMP Private Cloud
Integrate Firepower and AMP for Endpoints

The following topics are also relevant:

Cisco AMP Private Cloud
Requirements and Guidelines for AMP Cloud Connections
Managing Connections to the AMP Cloud (Public or Private)

Requirements and Guidelines for AMP Cloud Connections

Requirements for AMP Cloud Connections

To ensure your FMC can communicate with the AMP cloud, see the topics under Security, Internet Access, and Communication Ports.

To use the legacy port for AMP communications, see Communication Port Requirements.

AMP Cloud Connections and Multitenancy

In a multidomain deployment, you configure the AMP for Networks connection at the Global level only. Each Firepower Management Center can have only one AMP for Networks connection.

Choose an AMP Cloud


Smart License	Classic License	Supported Devices	Supported Domains	Access
Malware	Malware	Any	Any	Admin

By default, a connection to the United States (US) AMP public cloud is configured and enabled for your Firepower system. (This connection appears in the web interface as AMP for Networks and sometimes AMP for Firepower.) You cannot delete or disable an AMP for Networks cloud connection, but you can switch between different geographical AMP clouds, or configure an AMP private cloud connection.

Before you begin

If you will use an AMP private cloud, see Connecting to an AMP Private Cloud instead of this topic.
Unless Firepower is integrated with AMP for Endpoints, you can configure only one AMP cloud connection. This connection is labeled AMP for Networks or AMP for Firepower.
If you have deployed AMP for Endpoints and you want to add one or more AMP clouds to integrate that application with Firepower, see Integrate Firepower and AMP for Endpoints.
See Requirements and Guidelines for AMP Cloud Connections.

Procedure

Step 1	Choose AMP > AMP Management.
Step 2	Click the pencil icon to edit the existing cloud connection.
Step 3	From the Cloud Name drop-down list, choose the regional cloud nearest to your Firepower Management Center.
Step 4	Click Save.

What to do next

(Optional) Change AMP Options.

Cisco AMP Private Cloud

The Firepower Management Center must connect to the AMP cloud for disposition queries for files detected in network traffic and receipt of retrospective malware events. This cloud can be public or private.

Note

The AMP private cloud does not perform dynamic analysis, nor does it support anonymized retrieval of threat intelligence for other features that rely on Cisco Collective Security Intelligence (CSI), such as URL and Security Intelligence filtering.

For information about AMP private cloud (sometimes referred to as "AMPv"), see https://www.cisco.com/c/en/us/products/security/fireamp-private-cloud-virtual-appliance/index.html.

Connecting to an AMP Private Cloud


Smart License	Classic License	Supported Devices	Supported Domains	Access
Malware (AMP for Networks) Any (AMP for Endpoints)	Malware (AMP for Networks) Any (AMP for Endpoints)	Any	Any	Admin

Before you begin

Configure your Cisco AMP private cloud or clouds according to the directions in the documentation for that product. During configuration, note the private cloud host name. You will need this host name in order to to configure the connection on the Firepower Management Center.
Make sure the Firepower Management Center can communicate with the AMP private cloud, and confirm that the private cloud has internet access so it can communicate with the public AMP cloud. See the topics under Security, Internet Access, and Communication Ports.
Unless your deployment is integrated with AMP for Endpoints, each Firepower Management Center can have only one AMP cloud connection. This connection is labeled AMP for Networks or AMP for Firepower.

If you integrate with AMP for Endpoints, you can configure multiple AMP for Endpoints cloud connections.

Procedure

Step 1	Choose AMP > AMP Management.
Step 2	Click Create AMP Cloud Connection.
Step 3	From the Cloud Name drop-down list, choose Private Cloud.
Step 4	Enter a Name. This information appears in malware events that are generated or transmitted by AMP private cloud.
Step 5	In the Host field, enter the private cloud host name that you configured when you set up the private cloud.
Step 6	Click Browse next to the Certificate Upload Path field to browse to the location of a valid TLS or SSL encryption certificate for the private cloud. For more information, see the AMP private cloud documentation.
Step 7	If you want to use this private cloud for both AMP for Networks and AMP for Endpoints, select the Use for AMP for Firepower check box. If you configured a different private cloud to handle AMP for Networks communications, you can clear this check box; if this is your only AMP private cloud connection, you cannot. In a multidomain deployment, this check box appears only in the Global domain. Each Firepower Management Center can have only one AMP for Networks connection.
Step 8	To communicate with the AMP private cloud using a proxy, check the Use Proxy for Connection check box.
Step 9	Click Register, confirm that you want to disable existing direct connections to the AMP cloud, and finally confirm that you want to continue to the AMP private cloud management console to complete registration.
Step 10	Log into the management console and complete the registration process. For further instructions, see the AMP private cloud documentation.

Managing Connections to the AMP Cloud (Public or Private)


Smart License	Classic License	Supported Devices	Supported Domains	Access
Malware (AMP for Networks) Any (AMP for Endpoints)	Malware (AMP for Networks) Any (AMP for Endpoints)	Any	Any	Admin

Use the Firepower Management Center to manage connections to public and private AMP clouds used for AMP for Networks or AMP for Endpoints or both.

You can delete a connection to a public or private AMP cloud if you no longer want to receive malware-related information from the cloud. Note that deregistering a connection using the AMP for Endpoints or AMP private cloud management console does not remove the connection from the system. Deregistered connections display a failed state on the Firepower Management Center web interface.

You can also temporarily disable a connection. When you reenable a cloud connection, the cloud resumes sending data to the system, including queued data from the disabled period.

Caution

For disabled connections, the public or private AMP cloud can store malware events, indications of compromise, and so on until you re-enable the connection. In rare cases—for example, with a very high event rate or a long-term disabled connection—the cloud may not be able to store all information generated while the connection is disabled.

In a multidomain deployment, the system displays connections created in the current domain, which you can manage. It also displays connections created in ancestor domains, which you cannot manage. To manage connections in a lower domain, switch to that domain. Each Firepower Management Center can have only one AMP for Networks connection, which belongs to the Global domain.

Procedure

Step 1

Select AMP > AMP Management.

Step 2

Manage your AMP cloud connections:

Delete — Click the delete icon (), then confirm your choice.
Enable or Disable — Click the slider, then confirm your choice.

Change AMP Options


Smart License	Classic License	Supported Devices	Supported Domains	Access
Malware	Malware	Any	Any	Admin

Procedure

Step 1

Choose System > Integration.

Step 2

Click the Cisco CSI tab.

Step 3

Select options:

Table 1. AMP for Networks Options
Option	Description
Enable Automatic Local Malware Detection Updates	The local malware detection engine statically analyzes and preclassifies files using signatures provided by Cisco. If you enable this option, the Firepower Management Center checks for signature updates once every 30 minutes.
Share URI from Malware Events with Cisco	The system can send information about the files detected in network traffic to the AMP cloud. This information includes URI information associated with detected files and their SHA-256 hash values. Although sharing is opt-in, transmitting this information to Cisco helps future efforts to identify and track malware.
Use Legacy Port 32137 for AMP for Networks	By default, Firepower uses port 443/HTTPS to communicate with the AMP public or private cloud to obtain file disposition data. This option allows the system to use port 32137. If you updated from a previous version of the system, this option may be enabled. This option will be greyed out if the FMC is configured with Proxy settings.

Step 4

Click Save.

Dynamic Analysis Connections

Requirements for Dynamic Analysis

With the appropriate license, the Firepower system automatically has access to the Cisco Threat Grid public cloud.

Dynamic analysis requires that managed devices have direct or proxied access to the Cisco Threat Grid public cloud or an on-premises Cisco Threat Grid appliance on port 443.

If you will connect to an on-premises Threat Grid appliance, see also the prerequisites in Connect to an On-Premises Dynamic Analysis Appliance.

Viewing the Default Dynamic Analysis Connection


Smart License	Classic License	Supported Devices	Supported Domains	Access
Malware	Malware	Any	Global only	Admin/Access Admin/Network Admin

By default, the Firepower Management Center can connect to the public Cisco Threat Grid cloud for file submission and report retrieval. You can neither configure nor delete this connection.

Procedure

Step 1

Choose AMP > Dynamic Analysis Connections.

Step 2

Click the edit icon ().

Dynamic Analysis On-Premises Appliance (Cisco Threat Grid)

If your organization has privacy or security concerns around submitting files to the public Cisco Threat Grid cloud, you can deploy an on-premises Cisco Threat Grid appliance. Like the public cloud, the on-premises appliance runs eligible files in a sandbox environment, and returns a threat score and dynamic analysis report to the Firepower System. However, the on-premises appliance does not communicate with the public cloud, or any other system external to your network.

For more information about on-premises Cisco Threat Grid appliances, see https://www.cisco.com/c/en/us/products/security/threat-grid/index.html.

Connect to an On-Premises Dynamic Analysis Appliance


Smart License	Classic License	Supported Devices	Supported Domains	Access
Malware	Malware	Any	Global only	Admin/Access Admin/Network Admin

If you install an on-premises Cisco Threat Grid appliance on your network, you can configure a dynamic analysis connection to submit files and retrieve reports from the appliance. When configuring the on-premises appliance dynamic analysis connection, you register the Firepower Management Center to the on-premises appliance.

Before you begin

Set up your on-premises Cisco Threat Grid appliance; see the Cisco Threat Grid Appliance Setup and Configuration Guide.

Documentation for this appliance is available from https://www.cisco.com/c/en/us/support/security/amp-threat-grid-appliances/tsd-products-support-series-home.html.
Download the public key certificate from the Cisco Threat Grid appliance to use for logins to the on-premises appliance; see the Cisco Threat Grid Appliance Administrator's Guide.
Configure a proxy if you want to connect to the on-premises appliance using a proxy; see Configure Firepower Management Center Management Interfaces.
Managed devices must have direct or proxied access to the Cisco Threat Grid appliance on port 443.

Procedure

Step 1	Choose AMP > Dynamic Analysis Connections.
Step 2	Click Add New Connection.
Step 3	Enter a Name.
Step 4	Enter a Host URL.
Step 5	Next to Certificate Upload, click Browse to upload the public key certificate you want to use to establish connections with the on-premises appliance.
Step 6	If you want to use a configured proxy to establish the connection, select Use Proxy When Available.
Step 7	Click Register.
Step 8	Click Yes to display the on-premises Cisco Threat Grid appliance login page.
Step 9	Enter your username and password to the on-premises Cisco Threat Grid appliance.
Step 10	Click Sign in.
Step 11	You have the following options: If you previously registered the Firepower Management Center to the on-premises appliance, click Return. If you did not register the Firepower Management Center, click Activate.

Maintain Your System: Update File Types Eligible for Dynamic Analysis


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Global only	Admin

The list of file types eligible for Dynamic Analysis is determined by the vulnerability database (VDB), which is updated periodically (but no more than once per day.)

To ensure that your system has the current list:

Procedure

Step 1

Do one of the following:

(Recommended) See Vulnerability Database Update Automation
Regularly check for new VDB updates, and Update the Vulnerability Database (VDB) Manually when needed.

If you choose this option, we recommend that you schedule regular reminders to do this.

Step 2

If your file policies specify individual file types instead of the Dynamic Analysis Capable file type category, update your file policies to use the newly supported file types.

Step 3

If the list of eligible file types changes, deploy to managed devices.

Cisco Security Intelligence Clouds

The Firepower System uses Cisco’s Collective Security Intelligence (CSI) cloud to obtain the threat intelligence data it uses to assess risk for files and to obtain URL category and reputation. With the correct licenses, you can specify communications options for the AMP for Networks and URL Filtering features.

The FMC communicates with resources in the Cisco cloud for the following features:

For Advanced Malware Protection, see: Change AMP Options
For URL filtering, see:
- URL Filtering Options
- Enable URL Filtering Using Category and Reputation

File Policies and File Rules

File Policy and File Rule Guidelines and Limitations

File Rule Configuration Guidelines and Limitations

A rule configured to block files in a passive deployment does not block matching files. Because the connection continues to transmit the file, if you configure the rule to log the beginning of the connection, you may see multiple events logged for this connection.
A policy can include multiple rules. When you create the rules, ensure that no rule is "shadowed" by a previous rule.
The file types supported for dynamic analysis are a subset of the file types supported for other types of analysis. To view the file types supported for each type of analysis, navigate to the file rule configuration page, select the Block Malware action, and select the checkboxes of interest.

To ensure that the system examines all file types, create separate rules (within the same policy) for dynamic analysis and for other types of analysis.
If a file rule is configured with a Malware Cloud Lookup or Block Malware action and the Firepower Management Center cannot establish connectivity with the AMP cloud, the system cannot perform any configured rule action options until connectivity is restored.
Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.
If you are monitoring high volumes of traffic, do not store all captured files, or submit all captured files for dynamic analysis. Doing so can negatively impact system performance.
You cannot perform malware analysis on all file types detected by the system. After you select values from the Application Protocol, Direction of Transfer, and Action drop-down lists, the system constrains the list of file types.

File Detection Notes and Limitations

If a file matches a rule with an application protocol condition, file event generation occurs after the system successfully identifies a file’s application protocol. Unidentified files do not generate file events.
FTP transfers commands and data over different channels. In a passive or inline tap mode deployment, the traffic from an FTP data session and its control session may not be load-balanced to the same internal resource.
If the total number of bytes for all file names for files in a POP3, POP, SMTP, or IMAP session exceeds 1024, file events from the session may not reflect the correct file names for files that were detected after the file name buffer filled.
When transmitting text-based files over SMTP, some mail clients convert newlines to the CRLF newline character standard. Since Mac-based hosts use the carriage return (CR) character and Unix/Linux-based hosts use the line feed (LF) character, newline conversion by the mail client can modify the size of the file. Note that some mail clients default to newline conversion when processing an unrecognizable file type.
To detect ISO files, set the "Limit the number of bytes inspected when doing file type detection" option to a value greater than 36870, as described in File and Malware Inspection Performance and Storage Options.

File Blocking Notes and Limitations

If an end-of-file marker is not detected for a file, regardless of transfer protocol, the file will not be blocked by a Block Malware rule or the custom detection list. The system waits to block the file until the entire file has been received, as indicated by the end-of-file marker, and blocks the file after the marker is detected.
If the end-of-file marker for an FTP file transfer is transmitted separately from the final data segment, the marker will be blocked and the FTP client will indicate that the file transfer failed, but the file will actually completely transfer to disk.
File rules with Block Files and Block Malware actions block automatic resumption of file download via HTTP by blocking new sessions with the same file, URL, server, and client application detected for 24 hours after the initial file transfer attempt occurs.
In rare cases, if traffic from an HTTP upload session is out of order, the system cannot reassemble the traffic correctly and therefore will not block it or generate a file event.
If you transfer a file over NetBIOS-ssn (such as an SMB file transfer) that is blocked with a Block Files rule, you may see a file on the destination host. However, the file is unusable because it is blocked after the download starts, resulting in an incomplete file transfer.
If you create file rules to detect or block files transferred over NetBIOS-ssn (such as an SMB file transfer), the system does not inspect files transferred in an established TCP or SMB session started before you deploy an access control policy invoking the file policy so those files will not be detected or blocked.

File Policy General Guidelines and Limitations

You cannot use a file policy to inspect traffic handled by the access control default action.
For a new policy, the web interface indicates that the policy is not in use. If you are editing an in-use file policy, the web interface tells you how many access control policies use the file policy. In either case, you can click the text to jump to the Access Control Policies page.
For an access control policy using a file policy with Block Malware rules for FTP, if you set the default action to an intrusion policy with Drop when Inline disabled, the system generates events for detected files or malware matching the rules, but does not drop the files. To block FTP file transfers and use an intrusion policy as the default action for the access control policy where you select the file policy, you must select an intrusion policy with Drop when Inline enabled.
Based on your configuration, you can either inspect a file the first time the system detects it, and wait for a cloud lookup result, or pass the file on this first detection without waiting for the cloud lookup result.

File Policies

A file policy is a set of configurations that the system uses to perform malware protection and file control, as part of your overall access control configuration. This association ensures that before the system passes a file in traffic that matches an access control rule’s conditions, it first inspects the file. Consider the following diagram of a simple access control policy in an inline deployment.

Diagram illustrating the flow of traffic in a simple access control policy that uses file policies.

The policy has two access control rules, both of which use the Allow action and are associated with file policies. The policy’s default action is also to allow traffic, but without file policy inspection. In this scenario, traffic is handled as follows:

Traffic that matches Rule 1 is inspected by File Policy A.
Traffic that does not match Rule 1 is evaluated against Rule 2. Traffic that matches Rule 2 is inspected by File Policy B.
Traffic that does not match either rule is allowed; you cannot associate a file policy with the default action.

You can associate a single file policy with an access control rule whose action is Allow, Interactive Block, or Interactive Block with reset. The system then uses that file policy to inspect network traffic that meets the conditions of the access control rule.

By associating different file policies with different access control rules, you have granular control over how you identify and block files transmitted on your network.

Managing File Policies


Smart License	Classic License	Supported Devices	Supported Domains	Access
Threat (file control) Malware (AMP for Networks)	Protection (file control) Malware (AMP for Networks)	Any	Any	Admin/Access Admin

The File Policies page displays a list of existing file policies along with their last-modified dates. You can use this page to manage your file policies.

In a multidomain deployment, the system displays policies created in the current domain, which you can edit. It also displays policies created in ancestor domains, which you cannot edit. To view and edit policies created in a lower domain, switch to that domain.

Note

The system checks for updates to the list of file types eligible for dynamic analysis (no more than once a day). If the list of eligible file types changes, this constitutes a change in the file policy; any access control policy using the file policy is marked out-of-date if deployed to any devices. You must deploy policies before the updated file policy can take effect on the device. See Maintain Your System: Update File Types Eligible for Dynamic Analysis.

Procedure

Step 1

Select Policies > Access Control > Malware & File .

Step 2

Manage your file policies:

Compare—Click Compare Policies; see Comparing Policies.
Create — To create a file policy, click New File Policy and proceed as described in Creating a File Policy.
Copy — To copy a file policy, click the copy icon ().

If a view icon () appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.
Delete — If you want to delete a file policy, click the delete icon (), then click Yes and OK as prompted.

If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.
Deploy—Click Deploy; see Deploy Configuration Changes.
Edit — If you want to modify an existing file policy, click the edit icon ().
Report—Click the report icon (); see Generating Current Policy Reports.

Creating a File Policy


Smart License	Classic License	Supported Devices	Supported Domains	Access
Threat (file control) Malware (AMP for Networks)	Protection (file control) Malware (AMP for Networks)	Any	Any	Admin/Access Admin

Before you begin

If you are configuring policies for malware protection, see Configure Policies to Detect and Handle Malware.

Procedure

Step 1

Select Policies > Access Control > Malware & File .

Tip

To make a copy of an existing file policy, click the copy icon (), then type a unique name for the new policy in the dialog box that appears. You can then modify the copy.

Step 2

Click New File Policy.

Step 3

Enter a Name and optional Description for your new policy.

Step 4

Click Save.

Step 5

Add one or more rules to the file policy as described in Creating File Rules.

Step 6

Optionally, select the Advanced tab and configure advanced options as described in Advanced and Archive File Inspection Options.

Step 7

Save the file policy.

What to do next

If you are configuring policies for malware protection, return to Configure Policies to Detect and Handle Malware.
Otherwise:
- Add the file policy to an access control rule as described in Access Control Rule Configuration to Perform Malware Protection.
- Deploy configuration changes; see Deploy Configuration Changes.

Advanced and Archive File Inspection Options

The Advanced tab in the file policy editor has the following general options:

First Time File Analysis—Select this option to store and locally analyze first-seen (Unknown) files while the AMP cloud disposition is pending. The file must match a rule configured to perform a malware cloud lookup and Spero, local malware, or dynamic analysis. Deselect this option to conserve storage and processing resources.If you deselect this option, files detected for the first time are marked with an Unknown disposition.
Enable Custom Detection List—Block files on the custom detection list.
Enable Clean List—Allow files on the clean list.
Override AMP Cloud Disposition Based upon Threat Score—Set a threshold threat score; files with scores equal or worse than the threshold are considered malware.

If you select lower threshold values, you increase the number of files treated as malware. Depending on the action selected in your file policy, this can result in an increase of blocked files.

The Advanced tab in the file policy editor has the following archive file inspection options:

Inspect Archives—Enables inspection of the contents of archive files, for archive files as large as the Maximum file size to store advanced access control setting.

Caution

Enabling or disabling Inspect Archives restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

Block Encrypted Archives—Blocks archive files that have encrypted contents.
Block Uninspectable Archives—Blocks archive files with contents that the system is unable to inspect for reasons other than encryption. This usually applies to corrupted files, or those that exceed your specified maximum archive depth.
Max Archive Depth—Blocks nested archive files that exceed the specified depth. The top-level archive file is not considered in this count; depth begins at 1 with the first nested file .

Archive Files

Archive files are files that contain other files, such as .zip or .rar files.

If any individual file in an archive matches a file rule with a block action, the system blocks the entire archive, not just the individual file.

For details about options for archive file inspection, see Advanced and Archive File Inspection Options.

Archive Files That Can Be Inspected

File types

A complete list of inspectable archive file types appears on the file rule configuration page. To view that page, see Creating File Rules.

Contained files that can be inspected appears in the same page.
File size

You can inspect archive files as large as the Maximum file size to store file policy advanced access control setting.
Nested archives

Archive files can contain other archive files, which can in turn contain archive files. The level at which a file is nested is its archive file depth. Note that the top-level archive file is not included in the depth count; depth begins at 1 with the first nested file.

The system can inspect up to three levels of nested files beneath the outermost archive file (level 0). You can configure your file policy to block archive files that exceed that depth (or a lower maximum depth that you specify).

If you choose not to block files that exceed the maximum archive file depth of 3, when archive files that contain some extractable contents and some contents nested at a depth of 3 or greater appear in monitored traffic, the system examines and reports data only for the files it was able to inspect.

All features applicable to uncompressed files (such as dynamic analysis and file storage) are available for nested files inside archive files.
Encrypted files

You can configure the system to block archives whose contents are encrypted or otherwise cannot be inspected.
Archives that are not inspected

If traffic that contains an archive file is blacklisted or whitelisted by Security Intelligence, or if the top-level archive file’s SHA-256 value is on the custom detection list, the system does not inspect the contents of the archive file. If a nested file is blacklisted, the entire archive is blocked; however, if a nested file is whitelisted, the archive is not automatically passed (depending on any other nested files and characteristics).

Archive File Dispositions

Archive file dispositions are based on the dispositions assigned to the files inside the archive. All archives that contain identified malware files receive a disposition of Malware. Archives without identified malware files receive a disposition of Unknown if they contain any unknown files, and a disposition of Clean if they contain only clean files.

Table 2. Archive File Disposition by Contents
Archive File Disposition	Number of Unknown Files	Number of Clean Files	Number of Malware Files
`Unknown`	1 or more	Any	0
`Clean`	0	1 or more	0
`Malware`	Any	Any	1 or more

Archive files, like other files, may have dispositions of Custom Detection or Unavailable if the conditions for those dispositions apply.

Viewing Archive Contents and Details

If your file policy is configured to inspect archive file contents, you can use the context menu in a table on pages under the Analysis > Files menu, and the network file trajectory viewer to view information about the files inside an archive when the archive file appears in a file event, malware event, or as a captured file.

All file contents of the archive are listed in table form, with a short summary of their relevant information: name, SHA-256 hash value, type, category, and archive depth. A network file trajectory icon appears by each file, which you can click to view further information about that specific file.

Override File Disposition Using Custom Lists

If a file has a disposition in the AMP cloud that you know to be incorrect, you can add the file’s SHA-256 value to a file list that overrides the disposition from the cloud:

To treat a file as if the AMP cloud assigned a clean disposition, add the file to the clean list.
To treat a file as if the AMP cloud assigned a malware disposition, add the file to the custom detection list.

On subsequent detection, the device either allows or blocks the file without reevaluating the file's disposition. You can use the clean list or custom detection list per file policy.

Note

To calculate a file's SHA-256 value, you must configure a rule in the file policy to either perform a malware cloud lookup or block malware on matching files.

For complete information about using file lists in Firepower, see File Lists.

Editing a File Policy


Smart License	Classic License	Supported Devices	Supported Domains	Access
Threat (file control) Malware (AMP for Networks)	Protection (file control) Malware (AMP for Networks)	Any	Any	Admin/Access Admin

Procedure

Step 1

Select Policies > Access Control > Malware & File .

Step 2

Click the edit icon () next to the file policy you want to edit. If a view icon () appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 3

You have the following options:

Add a file rule by selecting Add File Rule. For more information, see File Rules.
Edit an existing file rule by clicking the edit icon () next to the rule you want to edit.
Configure advanced options as described in Advanced and Archive File Inspection Options.

Note

The file policy editor displays how many access control policies use the file policy you are currently editing. You can click the notification to display a list of the parent policies and, optionally, continue to the Access Control Policies page.

What to do next

Deploy configuration changes; see Deploy Configuration Changes.

File Rules

A file policy, like its parent access control policy, contains rules that determine how the system handles files that match the conditions of each rule. You can configure separate file rules to take different actions for different file types, application protocols, or directions of transfer.

For example, when a file matches a rule, the rule can:

allow or block files based on simple file type matching
block files based on disposition
store captured files to the device
submit captured files for local malware, Spero, or dynamic analysis

In addition, the file policy can:

automatically treat a file as if it is clean or malware based on entries in the clean list or custom detection list
treat a file as if it is malware if the file’s threat score exceeds a configurable threshold
inspect the contents of archive files (such as .zip or .rar)
block archive files whose contents are encrypted, nested beyond a specified maximum archive depth, or otherwise uninspectable

File Rule Components

Table 3. File Rule Components

File Rule Component

Description

application protocol

The system can detect and inspect files transmitted via FTP, HTTP, SMTP, IMAP, POP3, and NetBIOS-ssn (SMB). Any, the default, detects files in HTTP, SMTP, IMAP, POP3, FTP, and NetBIOS-ssn (SMB) traffic. To improve performance, you can restrict file detection to only one of those application protocols on a per-file rule basis.

direction of transfer

You can inspect incoming FTP, HTTP, IMAP, POP3, and NetBIOS-ssn (SMB) traffic for downloaded files; you can inspect outgoing FTP, HTTP, SMTP, and NetBIOS-ssn (SMB) traffic for uploaded files.

Tip

Use Any to detect files over multiple application protocols, regardless of whether users are sending or receiving.

file categories and types

The system can detect various types of files. These file types are grouped into basic categories, including multimedia (swf, mp3), executables (exe, torrent), and PDFs. You can configure file rules that detect individual file types, or on entire categories of file types.

For example, you could block all multimedia files, or just ShockWave Flash (swf) files. Or, you could configure the system to alert you when a user downloads a BitTorrent (torrent) file.

For a list of file types the system can inspect, select Policies > Access Control > Malware & File, create a temporary new file policy, then click Add Rule. Select a file type category and the file types that the system can inspect appear in the File Types list.

Note

Frequently triggered file rules can affect system performance. For example, detecting multimedia files in HTTP traffic (YouTube, for example, transmits significant Flash content) could generate an overwhelming number of events.

file rule action

A file rule’s action determines how the system handles traffic that matches the conditions of the rule.

Depending on the selected action, you can configure whether the system stores the file or performs Spero, local malware, or dynamic analysis on a file. If you select a Block action, you can also configure whether the system also resets the blocked connection.

For descriptions of these actions and options, see File Rule Actions.

File rules are evaluated in rule-action, not numerical, order. For details, see File Rule Actions: Evaluation Order.

File Rule Actions

File rules give you granular control over which file types you want to log, block, or scan for malware. Each file rule has an associated action that determines how the system handles traffic that matches the conditions of the rule. To be effective, a file policy must contain one or more rules. You can use separate rules within a file policy to take different actions for different file types, application protocols, or directions of transfer.

File Rule Actions

Detect Files rules allow you to log the detection of specific file types to the database, while still allowing their transmission.
Block Files rules allow you to block specific file types. You can configure options to reset the connection when a file transfer is blocked, and store captured files to the managed device.
Malware Cloud Lookup rules allow you to obtain and log the disposition of files traversing your network, while still allowing their transmission.
Block Malware rules allow you to calculate the SHA-256 hash value of specific file types, query the AMP cloud to determine if files traversing your network contain malware, then block files that represent threats.

File Rule Action Options

Depending on the action you select, you have different options:


File Rule Action Option	Block Files capable?	Block Malware capable?	Detect Files capable?	Malware Cloud Lookup capable?
Spero Analysis* for MSEXE	no	yes, you can submit executable files	no	yes, you can submit executable files
Dynamic Analysis*	no	yes, you can submit executable files with Unknown file dispositions	no	yes, you can submit executable files with Unknown file dispositions
Capacity Handling	no	yes	no	yes
Local Malware Analysis*	no	yes	no	yes
Reset Connection	yes (recommended)	yes (recommended)	no	no
Store files	yes, you can store all matching file types	yes, you can store file types matching the file dispositions you select	yes, you can store all matching file types	yes, you can store file types matching the file dispositions you select

* For complete information about these options, see Malware Protection Methods and its subtopics.

Caution

Selecting Detect Files or Block Files, enabling or disabling Store files in a Detect Files or Block Files rule, or adding the first or removing the last file rule that combines the Malware Cloud Lookup or Block Malware file rule action with an analysis option (Spero Analysis or MSEXE, Dynamic Analysis, or Local Malware Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

File Rule Actions: Evaluation Order

A file policy will likely contain multiple rules with different actions for different situations. If more than one rule can apply to a particular situation, the evaluation order described in this topic applies. In general, simple blocking takes precedence over malware inspection and blocking, which takes precedence over simple detection and logging.

The order of precedence of file-rule actions is:

Block Files
Block Malware
Malware Cloud Lookup
Detect Files

Dynamic Analysis and Capacity Handling

Capacity handling allows you to temporarily store files that are otherwise eligible for dynamic analysis if the system is temporarily unable to submit files to the cloud, either because the device cannot communicate with the cloud or because the maximum number of submissions has been reached. The system submits the stored files when the hindering condition has passed.

The device stores files either on its hard drive or malware storage pack. See also Malware Storage Pack (8000-Series Devices Only).

Captured Files and File Storage

The file storage feature allows you to capture selected files detected in traffic, and automatically store a copy of the file temporarily to a device’s hard drive or, if installed, to the malware storage pack.

After your device captures the files, you can:

Store captured files on the device’s hard drive for later analysis.
Download the stored file to a local computer for further manual analysis or archival purposes.
Submit captured files for AMP cloud lookup or dynamic analysis.

Note that once a device stores a file, it will not re-capture it if the file is detected in the future and the device still has that file stored.

Note

When a file is detected for the first time on your network, you can generate a file event that represents the file’s detection. However, if your file rule performs a malware cloud lookup, the system requires additional time to query the AMP cloud and return a disposition. Due to this delay, the system cannot store this file until the second time it is seen on your network, and the system can immediately determine the file’s disposition.

Whether the system captures or stores a file, you can:

Review information about the captured file from Analysis > Files > Captured Files, including whether the file was stored or submitted for dynamic analysis, file disposition, and threat score, allowing you to quickly review possible malware threats detected on your network.
View the file’s trajectory to determine how it traversed your network and which hosts have a copy.
Add the file to the clean list or custom detection list to always treat the file as if it had a clean or malware disposition on future detection.

You configure file rules in a file policy to capture and store files of a specific type, or with a particular file disposition, if available. After you associate the file policy with an access control policy and deploy it to your devices, matching files in traffic are captured and stored. You can also limit the minimum and maximum file sizes to store.

Stored files are not included in system backups.

You can view captured file information under Analysis > Files > Captured Files, and download a copy for offline analysis.

Malware Storage Pack (8000-Series Devices Only)

Based on your file policy configuration, your device may store a substantial amount of file data to the hard drive. You can install a malware storage pack in the device; the system stores files to the malware storage pack, allowing more room on the primary hard drive to store events and configuration files. The system periodically deletes older files. If the device's primary hard drive does not have enough available space, and does not have an installed malware storage pack, you cannot store files.

Caution

Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an unsupported hard drive may damage the device. Malware storage pack kits are available for purchase only from Cisco, and are for use only with 8000 Series devices. Contact Support if you require assistance with the malware storage pack. See the Firepower System Malware Storage Pack Guide for more information.

Without a malware storage pack installed, when you configure a device to store files, it allocates a set portion of the primary hard drive’s space to captured file storage. If you configure capacity handling to temporarily store files for dynamic analysis, the system uses the same hard drive allocation to store these files until it can resubmit them to the cloud.

When you install a malware storage pack in a device and configure file storage or capacity handling, the device allocates the entire malware storage pack for storing these files. The device cannot store any other information on the malware storage pack.

When the allocated space for captured file storage fills to capacity, the system deletes the oldest stored files until the allocated space reaches a system-defined threshold. Based on the number of files stored, you may see a substantial drop in disk usage after the system deletes files.

If a device has already stored files when you install a malware storage pack, the next time you restart the device, any captured files or capacity handling files stored on the primary hard drive are moved to the malware storage pack. Any future files the device stores are stored to the malware storage pack.

Creating File Rules


Smart License	Classic License	Supported Devices	Supported Domains	Access
Threat (file control) Malware (AMP for Networks)	Protection (file control) Malware (AMP for Networks)	Any	Any	Admin/Access Admin

Caution

Selecting Detect Files or Block Files, enabling or disabling Store files in a Detect Files or Block Files rule, or adding the first or removing the last file rule that combines the Malware Cloud Lookup or Block Malware file rule action with an analyis option (Spero Analysis or MSEXE, Dynamic Analysis, or Local Malware Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on how the target device handles traffic. See Snort® Restart Traffic Behavior for more information.

Before you begin

If you are configuring rules for malware protection, see Configure Policies to Detect and Handle Malware.

Procedure

Step 1

In the file policy editor, click Add File Rule.

Step 2

Select an Application Protocol and Direction of Transfer as described in File Rule Components.

Step 3

Select one or more File Types.

The file types you see depend on the selected application protocol, direction of transfer, and action.

You can filter the list of file types in the following ways:

Select one or more File Type Categories, then click All types in selected Categories.
Search for a file type by its name or description. For example, type Windows in the Search name and description field to display a list of Microsoft Windows-specific files.

Tip

Hover your pointer over a file type to view its description.

Step 4

Select a file rule Action as described in File Rule Actions, with consideration for File Rule Actions: Evaluation Order.

The actions available to you depend on the licenses you have installed. See License Requirements for File and Malware Policies.

Step 5

Depending on the action you selected, configure options:

reset the connection after blocking the file
store files that match the rule
enable Spero analysis*
enable local malware analysis*
enable dynamic analysis* and capacity handling

* For information about these options, see File Rule Actions and Malware Protection Methods and its subtopics.

Step 6

Click Add.

Step 7

Click Save to save the policy.

What to do next

If you are configuring policies for malware protection, return to Configure Policies to Detect and Handle Malware.
Deploy configuration changes; see Deploy Configuration Changes.

Retrospective Disposition Changes

File dispositions can change. For example, as new information is discovered, the AMP cloud can determine that a file that was previously thought to be clean is now identified as malware, or the reverse—that a malware-identified file is actually clean. When the disposition changes for a file you queried in the past week, the AMP cloud notifies the system so it can automatically take action the next time it detects that file being transmitted. A changed disposition is called a retrospective disposition.

(Optional) Malware Protection with AMP for Endpoints

Cisco's AMP for Endpoints is a separate malware-protection product that can supplement malware protection provided by the Firepower system and be integrated with your Firepower deployment.

AMP for Endpoints is Cisco’s enterprise-class Advanced Malware Protection solution that runs as a lightweight connector on individual users' endpoints (computers and mobile devices) to discover, understand, and block advanced malware outbreaks, advanced persistent threats, and targeted attacks.

Benefits of AMP for Endpoints include:

configure custom malware detection policies and profiles for your entire organization, as well as perform flash and full scans on all your users’ files
perform malware analysis, including view heat maps, detailed file information, network file trajectory, and threat root causes
configure multiple aspects of outbreak control, including automatic quarantines, application blocking to stop non-quarantined executables from running, and exclusion lists
create custom protections, block execution of certain applications based on group policy, and create custom whitelists
use the AMP for Endpoints management console to help you mitigate the effect of malware. The management console provides a robust, flexible web interface where you control all aspects of your AMP for Endpoints deployment and manage all phases of an outbreak.

For detailed information about AMP for Endpoints, see:

https://www.cisco.com/c/en/us/products/security/amp-for-endpoints/index.html.
Online help in the AMP for Endpoints management console.
AMP for Endpoints documentation available from: http://docs.amp.cisco.com.

Comparison of Malware Protection: Firepower vs. AMP for Endpoints

Table 4. Advanced Malware Protection Differences by Detecting Product
Feature	Firepower Malware Protection (AMP for Networks)	AMP for Endpoints
File type detection and blocking method (file control)	In network traffic, using access control and file policies	Not supported
Malware detection and blocking method	In network traffic, using access control and file policies	On individual endpoints (end-user computers and mobile devices), using a connector that communicates with the AMP cloud
Network traffic inspected	Traffic passing through a managed device	None; connectors installed on endpoints directly inspect files
Malware intelligence data source	AMP cloud (public or private)	AMP cloud (public or private)
Malware detection robustness	Limited file types	All file types
Malware analysis choices	FMC-based, plus analysis in the AMP cloud	FMC-based, plus additional options on the AMP for Endpoints management console
Malware mitigation	Malware blocking in network traffic, FMC-initiated remediations	AMP for Endpoints-based quarantine and outbreak control options, FMC-initiated remediations
Events generated	File events, captured files, malware events, and retrospective malware events	Malware events
Information in malware events	Basic malware event information, plus connection data (IP address, port, and application protocol)	In-depth malware event information; no connection data
Network file trajectory	FMC-based	FMC and the AMP for Endpoints management console each have a network file trajectory. Both are useful.
Required licenses or subscriptions	Licenses required to perform file control and AMP for Networks	AMP for Endpoints subscription. No license is required to bring AMP for Endpoints data into FMC.

About Integrating Firepower with AMP for Endpoints

If your organization has deployed AMP for Endpoints, you can optionally integrate that product with your Firepower deployment.

Integration with AMP for Endpoints does not require a dedicated Firepower license.

Benefits of Integrating Firepower and AMP for Endpoints

Integrating your AMP for Endpoints deployment with your Firepower system offers the following benefits:

The system can import malware events detected by AMP for Endpoints into Firepower Management Center so you can manage these events along with malware events generated by the Firepower system. Imported data for these events includes scans, malware detections, quarantines, blocked executions, and cloud recalls, as well as indications of compromise (IOCs) that FMC displays for hosts that it monitors.

For more information, see Malware Event Analysis with AMP for Endpoints.

Important

If you use a Cisco AMP Private Cloud, see limitations at AMP for Endpoints and AMP Private Cloud.

AMP for Endpoints and AMP Private Cloud

If you configure a Cisco AMP private cloud to collect AMP endpoint data on your network, all AMP for Endpoints connectors send data to the private cloud, which forwards that data to the Firepower Management Center. The private cloud does not share any of your endpoint data over an external connection.

You can configure multiple private clouds to support the capacity you require.

Integrate Firepower and AMP for Endpoints


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	Any	Any	Any	Admin

If your organization has deployed Cisco's AMP for Endpoints product, you can integrate that application with Firepower to achieve the benefits described in Benefits of Integrating Firepower and AMP for Endpoints.

When you integrate with AMP for Endpoints, you must configure an AMP for Endpoints connection even if you already have an AMP for Networks (AMP for Firepower) connection configured. You can configure multiple AMP for Endpoints cloud connections.

Caution

In a multidomain deployment, configure AMP for Endpoints connections at the leaf level only, especially if your leaf domains have overlapping IP space. If multiple subdomains have hosts with the same IP-MAC address pair, the system could save malware events that are generated by AMP for Endpoints to the wrong leaf domain, or associate IOCs with the wrong hosts.

However, you can configure AMP for Endpoints connections at any domain level, provided you use a separate AMP for Endpoints account for each connection. For example, each client of an MSSP might have its own AMP for Endpoints deployment.

Note

An AMP for Endpoints connection that has not registered successfully does not affect AMP for Networks.

Before you begin

If your deployment uses Cisco AMP Private Cloud, see limitations at AMP for Endpoints and AMP Private Cloud.
AMP for Endpoints must be set up and working properly on your network.
The Firepower Management Center must have direct access to the Internet.
Make sure your FMC and AMP for Endpoints can communicate with each other. See the topics under Security, Internet Access, and Communication Ports.
If you are connecting to the AMP cloud after either restoring your Firepower Management Center to factory defaults or reverting to a previous version, use the AMP for Endpoints management console to remove the previous connection.
You will need your AMP for Endpoints credentials to log in to the AMP for Endpoints console during this procedure.

Procedure

Step 1	Choose AMP > AMP Management.
Step 2	Click Add AMP Cloud Connection.
Step 3	From the Cloud Name drop-down list, choose the cloud you want to use: The AMP cloud closest to the geographical location of your Firepower Management Center. For AMP private cloud (AMPv), choose Private Cloud and proceed as described in Cisco AMP Private Cloud.
Step 4	If you want to use this cloud for both AMP for Networks and AMP for Endpoints, select the Use for AMP for Firepower check box. If you configured a different cloud to handle AMP for Networks (AMP for Firepower) communications, you can clear this check box; if this is your only AMP cloud connection, you cannot. In a multidomain deployment, this check box appears only in the Global domain. Each Firepower Management Center can have only one AMP for Networks connection.
Step 5	Click Register. A spinning state icon indicates that a connection is pending, for example, after you configure a connection on the Firepower Management Center, but before you authorize it using the AMP for Endpoints management console. A failed or denied icon () indicates that the cloud denied the connection or the connection failed for another reason.
Step 6	Confirm that you want to continue to the AMP for Endpoints management console, then log into the management console.
Step 7	Using the management console, authorize the AMP cloud to send AMP for Endpoints data to the Firepower Management Center.
Step 8	If you want to restrict the data that the FMC receives, select specific groups within your organization for which you want to receive information. By default, the AMP cloud sends data for all groups. To manage groups, choose Management > Groups on the AMP for Endpoints management console. For detailed information, see the management console online help.
Step 9	Click Allow to enable the connection and start the transfer of data. Clicking Deny returns you to the Firepower Management Center, where the connection is marked as denied. If you navigate away from the Applications page on the AMP for Endpoints management console, and neither deny nor allow the connection, the connection is marked as pending on the Firepower Management Center’s web interface. The health monitor does not alert you of a failed connection in either of these situations. If you want to connect to the AMP cloud later, delete the failed or pending connection, then recreate it. Incomplete registration of an AMP for Endpoints connection does not disable the AMP for Networks connection.
Step 10	To verify that the connection is correctly configured: On the AMP > AMP Management page, click the Cloud Name that includes `AMP for Endpoints` in the Cisco AMP Solution Type column. In the AMP for Endpoints console window that displays, choose Accounts > Applications. Verify that your Firepower Management Center is on the list. In the AMP for Endpoints console window, choose Manage > Computers. Verify that your Firepower Management Center is on the list.

What to do next

In the AMP for Endpoints console window, configure settings as needed. For example, define group membership for your management center and assign policies. For information, see the AMP for Endpoints online help or other documentation.
The default health policy warns you if the Firepower Management Center cannot connect to the AMP for Endpoints portal after an initial successful connection, or if the connection is deregistered using the AMP portal.

Verify that the AMP for Endpoints Status monitor is enabled under System > Health > Policy.

History for the File and Malware Chapter


Feature	Version	Details
Chapter restructure	any version that is republished	Restructured this chapter's content to reduce confusion. Some content was moved to or from the chapter for File/Malware Events and Network File Trajectory.
Moved URL Filtering information to the new URL Filtering chapter	6.3	Moved information about configuring cloud communications for URL Filtering to the new URL Filtering chapter. Made related changes to the structure of the Cisco CSI topics in the chapter.

Firepower Management Center Configuration Guide, Version 6.0

Bias-Free Language

Results

Chapter: File Policies and Advanced Malware Protection

File Policies and Advanced Malware Protection

About File Policies and Advanced Malware Protection

Malware Protection Methods

Spero Analysis

AMP Cloud Lookup

Local Malware Analysis

Cached Disposition Longevity

Dynamic Analysis

Which Files Are Eligible for Dynamic Analysis?

Block All Files by Type

Comparison of Malware Protection Methods

License Requirements for File and Malware Policies

How to Configure Malware Protection

Procedure

What to do next

Plan and Deploy Products and Licenses for Malware Protection

Procedure

What to do next

Configure Policies to Detect and Handle Malware

Before you begin

Procedure

What to do next

Arrange Ongoing Maintenance and Monitoring of Malware Protection

Before you begin

Procedure

What to do next

Cloud Connections for Malware Protection

AMP Clouds

Dynamic Analysis Cloud

Configure Connections to AMP and Threat Grid Clouds

AMP Cloud Connection Configurations

Requirements and Guidelines for AMP Cloud Connections

Requirements for AMP Cloud Connections

AMP Cloud Connections and Multitenancy

Choose an AMP Cloud

Before you begin

Procedure

What to do next

Cisco AMP Private Cloud

Connecting to an AMP Private Cloud

Before you begin

Procedure

Managing Connections to the AMP Cloud (Public or Private)

Procedure

Change AMP Options

Procedure

Dynamic Analysis Connections

Requirements for Dynamic Analysis

Viewing the Default Dynamic Analysis Connection

Procedure

Dynamic Analysis On-Premises Appliance (Cisco Threat Grid)

Connect to an On-Premises Dynamic Analysis Appliance

Before you begin

Procedure

Maintain Your System: Update File Types Eligible for Dynamic Analysis

Procedure

Cisco Security Intelligence Clouds

File Policies and File Rules

File Policy and File Rule Guidelines and Limitations

File Rule Configuration Guidelines and Limitations

File Detection Notes and Limitations

File Blocking Notes and Limitations

File Policy General Guidelines and Limitations

File Policies

Managing File Policies

Procedure

Creating a File Policy

Before you begin

Procedure

What to do next

Advanced and Archive File Inspection Options

Archive Files

Archive Files That Can Be Inspected

Archive File Dispositions

Viewing Archive Contents and Details

Override File Disposition Using Custom Lists