
Setting up Anti-Malware Protection on the Cisco Security Management Server

By Jason Howe, PEI. July 9, 2018 (updated September 18th, 2020). Blog, Cisco, Networking, Security

This blog explains the steps for setting up Anti-Malware Protection (AMP) on the Cisco Security Management Server. The point of AMP is to stop malicious files from being downloaded or sent to an internal user on the network. When a user attempts to download a malicious file, AMP detects it and prevents the download.

Some assumptions for this write up:

The setup here was done on Cisco Firepower Management Center for VMware. The version shown is 6.2.0 (build 362). The firewall being managed is a Cisco ASA 5516 running Firepower 6.2. For this write-up it is also assumed that a base Access Policy is already running.

Setting Up Anti-Malware Protection

  1. Navigate to Policies > Access Control > Malware and File policy; this is done through the top menu bar.
  2. On the upper right-hand side click the + for New File Policy.
  3. Set a name for the policy, for example “Malware.Policy,” and press the Save button.
  4. Now you will need to decide if you want to automatically block archives you cannot inspect, which is safer but may anger your business users, or not to block uninspectable archives, which is less safe but not as irksome for your users. Either way you enact your decision in the Advanced section. Go to the Advanced tab to the right of the Rules tab. You will want to click the radio box for Inspect Archives. You may also want to Block Encrypted Archives or Block Uninspectable Archives.
  5. Now click the Save button in the upper right-hand corner.
  6. Now click the Edit Policy (pencil button) on the right.
  7. Click on the Add Rule button on the upper right-hand side.


  8. Now set up a rule for local analysis. This is done by choosing the following settings for this rule (top to bottom, left to right):
    • Application Protocol: Any
    • Direction of Transfer: Any
    • File Type Categories: Click all but the Dynamic Analysis Capable.
    • Action: Block Malware (when you pick Block Malware, click the radio boxes for Spero Analysis for MSEXE, Local Malware Analysis, and Reset Connection)
    • File Types: Select All and click the Add button.
    • Store Files: Click on the Malware and Unknown checkboxes.
    • After all that, click the Save button at the bottom of the popup.
  9. Now set up a second rule for Dynamic Analysis. Once again click the Add Rule button. Here are the settings for the Dynamic Analysis rule:
    • Application Protocol: Any
    • Direction of Transfer: Any
    • File Type Categories: Click only the Dynamic Analysis Capable.
    • Action: Block Malware (when you pick Block Malware, click all the radio boxes)
    • File Types: Select All and click the Add button.
    • Store Files: Click on the Malware and Unknown checkboxes.
    • After all that, click the Save button at the bottom of the popup.
  10. There should now be two rules in the Malware.Policy: one for inspecting all files it can locally, and a second one for inspecting all files that are capable of dynamic analysis.
  11. Click the Save button in the right-hand corner.
  12. To apply this malware policy we need to go to the Access Policy. Note that in this article, we assumed that the access policy was already created and running. To get there, go to Policies > Access Control.
  13. Select the access control policy that is assigned to your devices and click the Edit button (pencil) on the right-hand side.
  14. On the access policy, click Edit (pencil) on the default rule, or add a default rule under the Mandatory section. Go to the Inspection tab at the top of the popup.
  15. In the File Policy drop-down box, pick the Malware.Policy you created and click Save or Add (depending on whether you are modifying or creating the rule).
  16. Now save the Access Policy by clicking the Save button on the upper right-hand side.
  17. Deploy the policy changes by clicking the Deploy button on the very upper right-hand side.
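To make the shape of the finished policy concrete, here is a small Python model of the two file rules and the Advanced-tab archive options from the steps above. It is an added example written for this post, not Firepower code and not an FMC API call: the categories, file type names and events are constructed, the evaluation is a simple first-match model, and the real FMC rule-matching details are not documented in this post. What it shows is how the two rules partition file types by the Dynamic Analysis Capable category, and what changes for an encrypted archive when Block Encrypted Archives is turned off.

```python
"""Constructed model of the two-rule Malware.Policy described in the post.
Not Firepower code; it illustrates how the rules and the Advanced-tab
archive settings combine to produce a verdict for a file crossing the firewall."""
from dataclasses import dataclass
from typing import Callable, Optional

BLOCK_MALWARE = "Block Malware"
DAC = "Dynamic Analysis Capable"   # the category that splits the two rules


@dataclass(frozen=True)
class FileEvent:
    file_type: str            # constructed names such as "MSEXE", "ZIP"
    categories: frozenset     # file type categories the type belongs to
    disposition: str          # AMP verdict: "Clean", "Malware" or "Unknown"
    is_archive: bool = False
    encrypted: bool = False
    uninspectable: bool = False   # e.g. archive nested too deep to open


@dataclass(frozen=True)
class FileRule:
    name: str
    matches: Callable[[FileEvent], bool]
    action: str
    store: frozenset          # dispositions whose files are stored
    reset_connection: bool


@dataclass(frozen=True)
class FilePolicy:
    rules: tuple
    inspect_archives: bool = True
    block_encrypted_archives: bool = True
    block_uninspectable_archives: bool = True


@dataclass(frozen=True)
class Verdict:
    action: str               # "allow" or "block"
    rule: Optional[str]       # name of the rule that matched, if any
    stored: bool              # whether the file would be stored
    reset: bool               # whether the connection is reset
    reason: str


def evaluate(policy: FilePolicy, event: FileEvent) -> Verdict:
    """First-match model. The archive options from the Advanced tab are
    checked before the rules, since they apply to files that cannot be
    inspected at all (assumption of this model)."""
    if policy.inspect_archives and event.is_archive:
        if event.encrypted and policy.block_encrypted_archives:
            return Verdict("block", None, False, False, "encrypted archive")
        if event.uninspectable and policy.block_uninspectable_archives:
            return Verdict("block", None, False, False, "uninspectable archive")
    rule = next((r for r in policy.rules if r.matches(event)), None)
    if rule is None:
        return Verdict("allow", None, False, False, "no matching rule")
    stored = event.disposition in rule.store
    if rule.action == BLOCK_MALWARE and event.disposition == "Malware":
        return Verdict("block", rule.name, stored, rule.reset_connection,
                       "malware disposition")
    return Verdict("allow", rule.name, stored, False,
                   f"disposition {event.disposition}")


# The two rules from the post: every type that is not dynamic-analysis
# capable goes to the local rule; DAC types go to the dynamic rule.
STORE_MALWARE_UNKNOWN = frozenset({"Malware", "Unknown"})
LOCAL_RULE = FileRule("Local Analysis", lambda e: DAC not in e.categories,
                      BLOCK_MALWARE, STORE_MALWARE_UNKNOWN, True)
DYNAMIC_RULE = FileRule("Dynamic Analysis", lambda e: DAC in e.categories,
                        BLOCK_MALWARE, STORE_MALWARE_UNKNOWN, True)

# The "safer" choice from step 4: block what cannot be inspected.
MALWARE_POLICY = FilePolicy((LOCAL_RULE, DYNAMIC_RULE))
# The "less irksome" choice: same rules, uninspectable archives allowed.
LENIENT_POLICY = FilePolicy((LOCAL_RULE, DYNAMIC_RULE),
                            block_encrypted_archives=False,
                            block_uninspectable_archives=False)

# Constructed sample events (category names chosen to resemble the rule editor).
SAMPLE_EVENTS = [
    FileEvent("MSEXE", frozenset({"Executables", DAC}), "Malware"),
    FileEvent("GIF", frozenset({"Graphics"}), "Clean"),
    FileEvent("ZIP", frozenset({"Archive"}), "Unknown", is_archive=True, encrypted=True),
]

if __name__ == "__main__":
    for policy_name, policy in (("strict", MALWARE_POLICY), ("lenient", LENIENT_POLICY)):
        for ev in SAMPLE_EVENTS:
            v = evaluate(policy, ev)
            print(f"{policy_name:7} {ev.file_type:5} -> {v.action:5} "
                  f"rule={v.rule} stored={v.stored} reset={v.reset} ({v.reason})")
```

Running the block prints one line per policy and sample file. The encrypted ZIP is the interesting case: under the strict policy it is blocked before any rule is consulted, while under the lenient policy it falls through to the Local Analysis rule, is allowed with an Unknown disposition, and is stored because Unknown was ticked under Store Files.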

Once the policy is deployed, malware events can be seen under Analysis > Files > Malware Events. On the system I set this up on, it found a file trying to cross the firewall.

Anti-Malware Protection Summary

Hopefully this helped you to set up a base anti-malware policy and see the different spots where you can customize it for your business needs.

Jason Howe, PEI

Further Reading on Cisco Security Management Policies:

GEO Location Blocking Policies

Stopping Employees from Sending Sensitive Data
