hapter: File Policies and Malware Protection

Chapter Contents

The following topics provide an overview of file control, file policies, file rules, Advanced
Malware Protection (AMP), cloud connections, and dynamic analysis connections.

 About File Policies and Advanced Malware Protection

 Requirements and Prerequisites for File Policies
 License Requirements for File and Malware Policies
 Best Practices for File Policies and Malware Detection
 How to Configure Malware Protection
 Cloud Connections for Malware Protection
 File Policies and File Rules
 Retrospective Disposition Changes
 (Optional) Malware Protection with AMP for Endpoints
 History for File Policies and Malware Protection
About File Policies and Advanced Malware Protection
To detect and block malware, use file policies. You can also use file policies to detect and
control traffic by file type.

Advanced Malware Protection (AMP) for Firepower can detect, capture, track, analyze, log, and
optionally block the transmission of malware in network traffic. In the Firepower Management
Center web interface, this feature is called AMP for Networks, formerly called AMP for
Firepower. Advanced Malware Protection identifies malware using managed devices deployed
inline and threat data from the Cisco cloud.

You associate file policies with access control rules that handle network traffic as part of your
overall access control configuration.

When the system detects malware on your network, it generates file and malware events. To
analyze file and malware event data, see File/Malware Events and Network File Trajectory.
 File Policies
File Policies

A file policy is a set of configurations that the system uses to perform malware protection and
file control, as part of your overall access control configuration. This association ensures that
before the system passes a file in traffic that matches an access control rule’s conditions, it first
 inspects the file. Consider the following diagram of a simple access control policy in an inline
deployment.

The policy has two access control rules, both of which use the Allow action and are associated
with file policies. The policy’s default action is also to allow traffic, but without file policy
inspection. In this scenario, traffic is handled as follows:

 Traffic that matches Rule 1 is inspected by File Policy A.

 Traffic that does not match Rule 1 is evaluated against Rule 2. Traffic that matches Rule 2 is
inspected by File Policy B.
 Traffic that does not match either rule is allowed; you cannot associate a file policy with the
default action.

By associating different file policies with different access control rules, you have granular
control over how you identify and block files transmitted on your network.

Requirements and Prerequisites for File Policies

Model Support
Any

Supported Domains
Any
User Roles
 Admin
 Access Admin
License Requirements for File and Malware Policies
 To Do This License Required File Rule Action

Block or allow all files of a particular type Threat (for FTD Allow, Block, Block with
(for example, block all .exe files) devices) Reset
Protection (for
Classic devices)
Selectively allow or block files based on a Threat (for FTD Malware Cloud Lookup,
judgment that it contains or is likely to devices) Block Malware
contain malware Protection (for
Classic devices)
Malware

Store files Threat (for FTD Any file rule action

devices) with Store Files selected

Protection (for
Classic devices)
Malware

For details about Malware licenses, see:

 Malware Licenses for Firepower Threat Defense Devices

 Malware Licenses for Classic Devices
Best Practices for File Policies and Malware Detection
In addition to the items described below, follow the steps in How to Configure Malware
Protection and referenced topics.
 File Rule Best Practices
 File Detection Best Practices
 File Blocking Best Practices
 File Policy Best Practices
File Rule Best Practices
Note the following guidelines and limitations when configuring file rules:

 A rule configured to block files in a passive deployment does not block matching files. Because
the connection continues to transmit the file, if you configure the rule to log the beginning of the
connection, you may see multiple events logged for this connection.
 A policy can include multiple rules. When you create the rules, ensure that no rule is "shadowed"
by a previous rule.
 The file types supported for dynamic analysis are a subset of the file types supported for other
types of analysis. To view the file types supported for each type of analysis, navigate to the file
rule configuration page, select the Block Malware action, and select the checkboxes of interest.

To ensure that the system examines all file types, create separate rules (within the same policy)
for dynamic analysis and for other types of analysis.

 If a file rule is configured with a Malware Cloud Lookup or Block Malware action and
the Firepower Management Center cannot establish connectivity with the AMP cloud, the system
cannot perform any configured rule action options until connectivity is restored.
 Cisco recommends that you enable Reset Connection for the Block Files and Block
Malware actions to prevent blocked application sessions from remaining open until the TCP
connection resets. If you do not reset connections, the client session will remain open until the
TCP connection resets itself.
 If you are monitoring high volumes of traffic, do not store all captured files, or submit all
captured files for dynamic analysis. Doing so can negatively impact system performance.
 You cannot perform malware analysis on all file types detected by the system. After you select
values from the Application Protocol, Direction of Transfer, and Action drop-down lists, the
system constrains the list of file types.
File Detection Best Practices
Consider the following notes and limitations for file detection:

 If adaptive profiling is not enabled, access control rules cannot perform file control, including
AMP.
 If a file matches a rule with an application protocol condition, file event generation occurs after
the system successfully identifies a file’s application protocol. Unidentified files do not generate
file events.
 FTP transfers commands and data over different channels. In a passive or inline tap mode
deployment, the traffic from an FTP data session and its control session may not be load-
balanced to the same internal resource.
 If the total number of bytes for all file names for files in a POP3, POP, SMTP, or IMAP session
exceeds 1024, file events from the session may not reflect the correct file names for files that
were detected after the file name buffer filled.
 When transmitting text-based files over SMTP, some mail clients convert newlines to the CRLF
newline character standard. Since Mac-based hosts use the carriage return (CR) character and
Unix/Linux-based hosts use the line feed (LF) character, newline conversion by the mail client
can modify the size of the file. Note that some mail clients default to newline conversion when
processing an unrecognizable file type.
 To detect ISO files, set the "Limit the number of bytes inspected when doing file type detection"
option to a value greater than 36870, as described in File and Malware Inspection Performance
and Storage Options.
 .Exe files inside some .rar archives cannot be detected, including possibly rar5.

File Blocking Best Practices

Consider the following notes and limitations for file blocking:

 If an end-of-file marker is not detected for a file, regardless of transfer protocol, the file will not
be blocked by a Block Malware rule or the custom detection list. The system waits to block the
file until the entire file has been received, as indicated by the end-of-file marker, and blocks the
file after the marker is detected.
 If the end-of-file marker for an FTP file transfer is transmitted separately from the final data
segment, the marker will be blocked and the FTP client will indicate that the file transfer failed,
but the file will actually completely transfer to disk.
 File rules with Block Files and Block Malware actions block automatic resumption of file
download via HTTP by blocking new sessions with the same file, URL, server, and client
application detected for 24 hours after the initial file transfer attempt occurs.
 In rare cases, if traffic from an HTTP upload session is out of order, the system cannot
reassemble the traffic correctly and therefore will not block it or generate a file event.
 If you transfer a file over NetBIOS-ssn (such as an SMB file transfer) that is blocked with
a Block Files rule, you may see a file on the destination host. However, the file is unusable
because it is blocked after the download starts, resulting in an incomplete file transfer.
 If you create file rules to detect or block files transferred over NetBIOS-ssn (such as an SMB file
transfer), the system does not inspect files transferred in an established TCP or SMB session
started before you deploy an access control policy invoking the file policy so those files will not
be detected or blocked.
 If you configure Firepower Threat Defense high availability, and failover occurs while the
original active device is identifying the file, the file type is not synced. Even if your file policy
blocks that file type, the new active device downloads the file.

File Policy Best Practices

Note the following general guidelines and limitations when configuring file policies.

 You can associate a single file policy with an access control rule whose action
is Allow, Interactive Block, or Interactive Block with reset.
 You cannot use a file policy to inspect traffic handled by the access control default action.
 For a new policy, the web interface indicates that the policy is not in use. If you are editing an in-
use file policy, the web interface tells you how many access control policies use the file policy.
In either case, you can click the text to jump to the Access Control Policies page.
 For file blocking to work, the NAP policy you apply to the access control policy must be
operating in Protection mode, also known as Inline mode.
 Based on your configuration, you can either inspect a file the first time the system detects it, and
wait for a cloud lookup result, or pass the file on this first detection without waiting for the cloud
lookup result.
 By default, file inspection of encrypted payloads is disabled. This helps reduce false positives
and improve performance when an encrypted connection matches an access control rule that has
file inspection configured.

How to Configure Malware Protection

This topic summarizes the steps you must take to set up your Firepower system to protect your
network from malicious software.

Procedure

Step 1 Plan and Prepare for Malware Protection

Step 2 Configure File Policies
Step 3 Add File Policies to Your Access Control Configuration
Step 4 Configure network discovery policies to associate file and malware events with hosts
on your network.
(Do not simply turn on network discovery; you must configure it to discover hosts on
your network to build a network map of your organization.)
See Network Discovery Policies and subtopics.
Step 5 Deploy policies to managed devices.
See Deploy Configuration Changes.
Step 6 Test your system to be sure it is processing malicious files as you expect it to.
Step 7 Set Up Maintenance and Monitoring of Malware Protection

What to do next
 (Optional) To further enhance detection of malware in your network, deploy and integrate
Cisco's AMP for Endpoints product. See (Optional) Malware Protection with AMP for
Endpoints and subtopics.
 Understand how to investigate file and malware events.

See File/Malware Events and Network File Trajectory.

 Plan and Prepare for Malware Protection
 Configure File Policies
 Add File Policies to Your Access Control Configuration
 Set Up Maintenance and Monitoring of Malware Protection
Plan and Prepare for Malware Protection
This procedure is the first set of steps in the complete process for configuring your system to
provide malware protection.
Procedure

Step 1 Purchase and install licenses.

See License Requirements for File and Malware Policies and Licensing the Firepower
System.
Step 2 Understand how file policies and malware protection fit into your access control plan.
See the chapter Understanding Access Control.
Step 3 Understand the file analysis and malware protection tools.
See File Rule Actions and subtopics.
Consider also Advanced and Archive File Inspection Options.
Step 4 Determine whether you will use public clouds or private (on-premises) clouds for
malware protection (file analysis and dynamic analysis.)
See Cloud Connections for Malware Protection and subtopics.
Step 5 If you will use private (on-premises) clouds for malware protection: Purchase,
deploy, and test those products.
For information, contact your Cisco sales representative or authorized reseller.
Step 6 Configure your firewall to allow communications with your chosen clouds.
See Security, Internet Access, and Communication Ports.

Step 7 Configure connections between Firepower and the malware protection clouds (public
or private).
For the AMP cloud, see Change AMP Options.
If you deployed an on-premises Cisco Threat Grid appliance, see Connect to an On-
 Premises Dynamic Analysis Appliance. (Access to the public Threat Grid cloud does
not require configuration.)

What to do next

Continue with the next step in the malware protection workflow:

See How to Configure Malware Protection.

Configure File Policies
Before you begin

Complete the tasks up to this point in the malware protection workflow:

See How to Configure Malware Protection.

Procedure

Step 1 Review file policy and file rule restrictions.

See Best Practices for File Policies and Malware Detection and subtopics.
Step 2 Create a file policy.

See Create or Edit a File Policy.

Step 3 Create rules within your file policy.

See File Rules and subtopics.

Step 4 Configure advanced options.

See Advanced and Archive File Inspection Options.

What to do next

Continue with the next step in the malware protection workflow:

See How to Configure Malware Protection.

Add File Policies to Your Access Control Configuration
An access control policy can have multiple access control rules associated with file policies. You
can configure file inspection for any Allow or Interactive Block access control rule, which
permits you to match different file and malware inspection profiles against different types of
traffic on your network before it reaches its final destination.
Before you begin
 Complete the tasks up to this point in the malware protection workflow:

See How to Configure Malware Protection.

Procedure

Step 1 Review guidelines for file policies in access control policies. (These are different
from the file rule and file policy guidelines that you looked at previously.)
Review File and Intrusion Inspection Order.
Step 2 Associate the file policy with an access control policy.
See Configuring an Access Control Rule to Perform Malware Protection
Step 3 Assign the access control policy to managed devices.
See Setting Target Devices for an Access Control Policy.

What to do next

Continue with the next step in the malware protection workflow:

See How to Configure Malware Protection.

 Configuring an Access Control Rule to Perform Malware Protection
Configuring an Access Control Rule to Perform Malware Protection

Caution Selecting Detect Files or Block Files, enabling or disabling Store files in a Detect
Files or Block Files rule, or adding the first or removing the last file rule that
combines the Malware Cloud Lookup or Block Malware file rule action with an
analyis option (Spero Analysis or MSEXE, Dynamic Analysis, or Local Malware
Analysis) or a store files option (Malware, Unknown, Clean, or Custom), restarts
the Snort process when you deploy configuration changes, temporarily interrupting
traffic inspection. Whether traffic drops during this interruption or passes without
further inspection depends on how the target device handles traffic. See Snort®
Restart Traffic Behavior for more information.

Note Inline normalization is enabled automatically when a file policy is included in an

access control rule. For more information, see The Inline Normalization
Preprocessor.
 Before you begin

 Adaptive profiling must be enabled (its default state) as described in Configuring Adaptive
Profiles for access control rules to perform file control, including AMP.
 You must be an Admin, Access Admin, or Network Admin user to perform this task.
Procedure

Step 1 In the access control rule editor (from Policies > Access Control), choose
an Action of Allow, Interactive Block, or Interactive Block with reset.
Step 2 Click Inspection.
Step 3 Choose a File Policy to inspect traffic that matches the access control rule, or
choose None to disable file inspection for matching traffic.
Step 4 (Optional) Disable logging of file or malware events for matching connections by
clicking Logging and unchecking Log Files.
Not Cisco recommends that you leave file and malware event logging enabled.
e

Step 5 Save the rule.

Step 6 Click Save to save the policy.

What to do next

 Deploy configuration changes; see Deploy Configuration Changes.

Related Concepts
Snort® Restart ScenariosRelated Tasks
Create or Edit a File Policy

Set Up Maintenance and Monitoring of Malware Protection

Ongoing maintenance is essential for protecting your network.
Before you begin

Configure your system to protect your network from malware.

See How to Configure Malware Protection and referenced procedures.

Procedure
 Step 1 Ensure that your system always has the most current and effective protection.
See Maintain Your System: Update File Types Eligible for Dynamic Analysis.
Step 2 Configure alerts for malware-related events and health monitoring.
See Configuring AMP for Networks Alerting and information in Health
Monitoring about the following modules:
Local Malware Analysis
Security Intelligence
Intrusion and File Event Rate
AMP for Firepower Status
AMP for Endpoints Status

What to do next

Review "What to do next items" in the malware protection workflow:

See How to Configure Malware Protection.

Cloud Connections for Malware Protection
Connections to public or private clouds are required in order to protect your network from
malware.

AMP Clouds
The Advanced Malware Protection (AMP) cloud is a Cisco-hosted server that uses big data
analytics and continuous analysis to provide intelligence that the system uses to detect and block
malware on your network.

The AMP cloud provides dispositions for possible malware detected in network traffic by
managed devices, as well as data updates for local malware analysis and file pre-classification.

If your organization has deployed AMP for Endpoints and configured Firepower to import its
data, the system imports this data from the AMP cloud, including scan records, malware
detections, quarantines, and indications of compromise (IOC).

Cisco offers the following options for obtaining data from the Cisco cloud about known malware
threats:

 AMP public cloud

Your Firepower Management Center communicates directly with the public Cisco cloud.
 An AMP private cloud
 An AMP private cloud is deployed on your network and acts as a compressed, on-premises AMP
cloud, as well as an anonymized proxy to connect to the public AMP cloud. For details,
see Cisco AMP Private Cloud.
Dynamic Analysis Cloud
 Cisco Threat Grid cloud
Public cloud that processes eligible files that you send for dynamic analysis, and provides threat
scores and dynamic analysis reports. Firepower supports 200 samples/day for Cisco Threat
Grid analysis.
 On-premises Cisco Threat Grid appliance
If your organization's security policy does not allow the Firepower System to send files outside
of your network, you can deploy an on-premises appliance. This appliance does not contact the
public Cisco Threat Grid cloud.
For more information, see Dynamic Analysis On-Premises Appliance (Cisco Threat Grid).
Configure Connections to AMP and Threat Grid Clouds
 AMP Cloud Connection Configurations
 Dynamic Analysis Connections
 AMP Cloud Connection Configurations
 Dynamic Analysis Connections
AMP Cloud Connection Configurations

The following topics describe AMP cloud connection configurations for different scenarios:

 Choose an AMP Cloud

 Connecting to an AMP Private Cloud
 Integrate Firepower and AMP for Endpoints

The following topics are also relevant:

 Cisco AMP Private Cloud

 Requirements and Best Practices for AMP Cloud Connections
 Managing Connections to the AMP Cloud (Public or Private)
 Requirements and Best Practices for AMP Cloud Connections
 Choose an AMP Cloud
 Cisco AMP Private Cloud
 Managing Connections to the AMP Cloud (Public or Private)
 Change AMP Options
Requirements and Best Practices for AMP Cloud Connections
Requirements for AMP Cloud Connections

You must be an Admin user to set up the AMP cloud.

 To ensure your FMC can communicate with the AMP cloud, see the topics under Security,
Internet Access, and Communication Ports.
To use the legacy port for AMP communications, see Communication Port Requirements.
AMP and High Availability

Although they share file policies and related configurations, Firepower Management Centers in a
high availability pair share neither cloud connections nor captured files, file events, and malware
events. To ensure continuity of operations, and to ensure that detected files’ malware
dispositions are the same on both Firepower Management Centers, both Active and
Standby Firepower Management Centers must have access to the cloud.

In high availability configurations, you must configure AMP cloud connections independently on
the Active and Standby instances of the Firepower Management Center; these configurations are
not synchronized.

These requirements apply to both public and private AMP clouds.

AMP Cloud Connections and Multitenancy

In a multidomain deployment, you configure the AMP for Networks connection at the Global
level only. Each Firepower Management Center can have only one AMP for
Networks connection.
Choose an AMP Cloud
By default, a connection to the United States (US) AMP public cloud is configured and enabled
for your Firepower system. (This connection appears in the web interface as AMP for
Networks and sometimes AMP for Firepower.) You cannot delete or disable an AMP for
Networks cloud connection, but you can switch between different geographical AMP clouds, or
configure an AMP private cloud connection.
Before you begin

 If you will use an AMP private cloud, see Connecting to an AMP Private Cloud instead of this
topic.
 Unless Firepower is integrated with AMP for Endpoints, you can configure only one AMP cloud
connection. This connection is labeled AMP for Networks or AMP for Firepower.
 If you have deployed AMP for Endpoints and you want to add one or more AMP clouds to
integrate that application with Firepower, see Integrate Firepower and AMP for Endpoints.
 See Requirements and Best Practices for AMP Cloud Connections.
Procedure