A Malware license allows you to perform Cisco
Advanced Malware Protection (AMP) with AMP for Firepower and AMP
Threat Grid. You can use managed devices to detect and
block malware in files transmitted over your network. To enable a Malware license,
you must also enable Protection. You can purchase a Malware license as a
subscription combined with Threat & Apps (TAM) or Threat & Apps and URL
Filtering (TAMC) subscriptions, or as an add-on subscription (AMP) for a system
where Threat & Apps (TA) is already enabled.

and 8000 Series
managed devices with Malware licenses enabled attempt to connect periodically
to the AMP cloud even if you have not configured dynamic analysis. Because of
this, the device’s Interface Traffic dashboard widget shows transmitted
traffic; this is expected behavior.

You configure AMP for Firepower as part of a file policy, which
you then associate with one or more access control rules. File policies can
detect your users uploading or downloading files of specific types over
specific application protocols. AMP for Firepower allows you to use local
malware analysis and file preclassification to inspect a restricted set of
those file types for malware. You can also download and submit specific file
types to the cloud for dynamic and Spero analysis to determine whether they
contain malware.
For these files, you can view the network file trajectory, which details the
path the file has taken through your network. The Malware license also allows
you to add specific files to a file list and enable the file list within a file
policy, allowing those files to be automatically allowed or blocked on

Before you can deploy an access control policy that includes AMP
for Firepower configurations, you
must add a Malware license, then enable it on the devices
targeted by the policy. If you later disable the license on the devices, you
cannot re-deploy the existing access control policy to those devices.

If you delete all your Malware licenses or they all expire, the
system stops querying the AMP cloud, and also stops acknowledging retrospective
events sent from the AMP cloud. You cannot re-deploy existing access control
policies if they include AMP for Firepower configurations. Note that for a very
brief time after a Malware license expires or is deleted, the system can use
existing cached file dispositions. After the time window expires, the system
assigns a disposition of Unavailable to those files.

A Malware license is required only if you deploy AMP for
Without a Malware license, the
can receive AMP for Endpoints malware events and indications of compromise
(IOC) from the AMP cloud.