This blog is to help explain the steps for setting up Anti-Malware Protection (AMP) on the Cisco Security Management Server. The point of AMP is to stop malicious files from being downloaded or sent to an internal user on the network. When a user attempts to download a malicious file, AMP will detect and prevent the download.
Some assumptions for this write-up:
The setup here was done on Cisco Firepower Management Center for VMware. The version shown is 6.2.0 (build 362). The firewall being managed is a Cisco ASA 5516 running Firepower 6.2. This write-up also assumes that a base Access Policy is already running.
Setting Up Anti-Malware Protection
- From the top menu bar, navigate to Policies > Access Control > Malware and File policy.
- On the upper right hand side click the + for New File Policy.
- Set a name for the policy, for example "Malware.Policy", and press the Save button.
- Next, decide whether you want to automatically block archives that cannot be inspected. Blocking them is safer but may anger your business users; allowing them is less safe but less irksome for your users. Either way, you enact your decision in the Advanced tab, to the right of the Rules tab. Check the box for Inspect Archives; you may also want to check Block Encrypted Archives and Block Uninspectable Archives.
- Now click the Save button in the upper right-hand corner.
- Now click the Edit Policy (pencil button) on the right.
- Click the Add Rule button on the upper right-hand side.
- Now set up a rule for local analysis by configuring the following settings for this rule (top to bottom, left to right):
  - Application Protocol: Any
  - Direction of Transfer: Any
  - File Type Categories: Check all except Dynamic Analysis Capable.
  - Action: Block Malware (when you pick Block Malware, check the boxes for Spero Analysis for MSEXE, Local Malware Analysis, and Reset Connection)
  - File Types: Select All and click the Add button.
  - Store Files: Check the Malware and Unknown boxes.
  - After all that, click the Save button at the bottom of the popup.
- Now set up a second rule for Dynamic Analysis. Once again click the Add Rule button. Here are the settings for the Dynamic Analysis rule:
  - Application Protocol: Any
  - Direction of Transfer: Any
  - File Type Categories: Check only Dynamic Analysis Capable.
  - Action: Block Malware (when you pick Block Malware, check all the boxes)
  - File Types: Select All and click the Add button.
  - Store Files: Check the Malware and Unknown boxes.
  - After all that, click the Save button at the bottom of the popup.
- There should now be two rules in Malware.Policy: one that inspects locally every file it can, and a second that inspects every file type capable of dynamic analysis.
- Click the Save button in the right-hand corner.
- To apply this malware policy we need to go to the Access Policy (this article assumes the access policy was already created and running). To get there, go to Policies > Access Control.
- Select the access control policy that is assigned to your devices and click the Edit Button (pencil) on the right-hand side.
- On the access policy, click Edit (pencil) on the default rule, or add a default rule under the Mandatory section. Go to the Inspection tab at the top of the popup.
- In the File Policy drop-down, pick the Malware.Policy you created and click Save or Add (depending on whether you are modifying or creating the rule).
- Now Save the Access policy by clicking the Save button on the upper right-hand side.
- Deploy the policy changes by clicking the Deploy button at the very top right.
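The same attach-the-file-policy step can be scripted once you have more than a couple of access policies to maintain. The following is an added example, not code from the original post or from Cisco: it uses the FMC REST API (available from 6.1 onward) to look up the access policy, the rule and the file policy by name and then PUT the rule back with the file policy attached. The endpoint paths, header names and field names are assumptions taken from FMC's API Explorer and should be checked against your own FMC version; the rule object in the test is constructed. Deployment is deliberately left to the GUI step above.

```python
"""Attach an FMC file policy to an access control rule over the FMC REST API.

Added example (not from the original post or from Cisco).  Endpoint paths,
header names and field names are assumptions based on the FMC 6.x REST API;
verify them in your FMC's API Explorer before use.
"""
import base64
import json
import ssl
import urllib.request
from typing import Optional

# Assumed FMC REST API paths.
TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"
CONFIG_PATH = "/api/fmc_config/v1/domain/{domain}/policy/"

# Assumption: only Allow and Interactive Block rules hand traffic to a file
# policy.  A plain Block or Trust rule never inspects files, so attaching a
# file policy to one would silently do nothing; we refuse rather than guess.
INSPECTING_ACTIONS = {"ALLOW", "BLOCK_INTERACTIVE", "BLOCK_RESET_INTERACTIVE"}


def find_by_name(items: list, name: str) -> Optional[dict]:
    """Pick one object out of an FMC list response by its display name."""
    for item in items:
        if item.get("name") == name:
            return item
    return None


def attach_file_policy(rule: dict, file_policy_id: str) -> dict:
    """Return a PUT body for an access rule with the file policy attached.

    Read-only keys that FMC returns on GET ('links', 'metadata') are dropped,
    since FMC rejects them in an update body.
    """
    if rule.get("action") not in INSPECTING_ACTIONS:
        raise ValueError(
            f"rule {rule.get('name')!r} has action {rule.get('action')!r}; "
            "file inspection only runs on Allow or Interactive Block rules")
    body = {k: v for k, v in rule.items() if k not in ("links", "metadata")}
    body["filePolicy"] = {"id": file_policy_id, "type": "FilePolicy"}
    return body


class FmcClient:
    """Minimal token-based FMC client using only the standard library."""

    def __init__(self, host: str, username: str, password: str,
                 cafile: Optional[str] = None):
        # Keep TLS verification on; hand in the FMC's CA bundle via cafile
        # rather than disabling certificate checks.
        self.base = f"https://{host}"
        self.ctx = ssl.create_default_context(cafile=cafile)
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        req = urllib.request.Request(self.base + TOKEN_PATH, method="POST",
                                     headers={"Authorization": f"Basic {creds}"})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            # Assumed response headers carrying the token and domain UUID.
            self.token = resp.headers["X-auth-access-token"]
            self.domain = resp.headers["DOMAIN_UUID"]

    def call(self, method: str, resource: str, body: Optional[dict] = None) -> dict:
        url = self.base + CONFIG_PATH.format(domain=self.domain) + resource
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "X-auth-access-token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def items(self, resource: str) -> list:
        # expanded=true returns full objects instead of bare id/name references.
        return self.call("GET", resource + "?expanded=true").get("items", [])


def attach_via_api(host: str, username: str, password: str, access_policy: str,
                   rule_name: str, file_policy: str, cafile: Optional[str] = None) -> dict:
    """Resolve everything by name and PUT the updated rule; deploy in the GUI afterwards."""
    fmc = FmcClient(host, username, password, cafile)
    ap = find_by_name(fmc.items("accesspolicies"), access_policy)
    fp = find_by_name(fmc.items("filepolicies"), file_policy)
    if not (ap and fp):
        raise LookupError("access policy or file policy not found")
    rule = find_by_name(fmc.items(f"accesspolicies/{ap['id']}/accessrules"), rule_name)
    if rule is None:
        raise LookupError(f"rule {rule_name!r} not found in {access_policy!r}")
    return fmc.call("PUT", f"accesspolicies/{ap['id']}/accessrules/{rule['id']}",
                    attach_file_policy(rule, fp["id"]))
```

Run it as `attach_via_api("fmc.example.internal", "apiuser", "...", "Default Access Policy", "Default", "Malware.Policy", cafile="fmc-ca.pem")` with a dedicated read/write API account. The action check in `attach_file_policy` is the part worth keeping even if you script this differently: a file policy attached to a rule that never allows traffic produces no malware events, which is easy to mistake for "no malware".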
Once the policy is deployed, malware events can be seen under Analysis > Files > Malware Events. On the system I set this up on, it found a file trying to cross the firewall.
Hopefully this helped you set up a base anti-malware policy and see the different spots where you can customize it for your business needs.
Jason Howe, PEI