Cisco Support Community
Community Member

AMP | How to block malware in sourcefire

Hello, we have configured the anti-malware policy to block malware, but when we do an anti-malware test download from the site below, Internet Explorer gives an option to save the file; the anti-malware is not blocking. It should not give an option to save.

10 REPLIES
Cisco Employee

Re: AMP | How to block malware in sourcefire

Hello Edwin

How did you set the policy? Is it in audit mode or quarantine? Also, please provide the link from which you downloaded the file so that we can try to check it.

Regards
Jetsy
Community Member

Re: AMP | How to block malware in sourcefire

Set the policy as Block Malware.


Cisco Employee

Re: AMP | How to block malware in sourcefire

Hello Edwin

Just to clarify, are you referring to AMP for Endpoints or Network AMP here?

Regards
Jetsy
Community Member

Re: AMP | How to block malware in sourcefire

Network AMP

Community Member

Re: AMP | How to block malware in sourcefire

Please find attached the config snapshots from FMC for the malware block.

Cisco Employee

Re: AMP | How to block malware in sourcefire

Hi Edwin,

The rule looks correct. I would suggest checking the connection events first to find which rule the traffic is hitting on the Firepower.

Check Analysis > Events > Connections, then Table View of Connections, and search for your test client IP.

See if it actually hits the AMPPOLICY rule or not.

If it hits that, then please make sure you download the test malware using an HTTP connection and not HTTPS.

HTTPS requires SSL decryption. You can also create a test rule to block something (like a URL or IP) to check if it actually works. If it's an ASA with an SFR module, check whether the module (service-policy) is configured in inline mode or passive (monitor-only).

Hope it helps,

Yogesh
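The first two checks in the reply above (which rule the test client's connections hit, and whether the download went over HTTP or HTTPS) as an added Python example; this is not code from the thread or from Cisco. It writes the EICAR test file and computes its SHA-256, which is the hash AMP for Networks uses for its disposition lookup and records in its file and malware events, so you can search FMC for it directly, and then applies the checks to a constructed CSV export of connection events. The column names (Initiator IP, Responder Port, Application Protocol, Access Control Rule, File Policy) and the sample rows are assumptions for the example, and the rule name AMPPOLICY is taken from the thread; match them to your own export before use.

```python
"""Added example, not from the thread: reproduce the EICAR test locally and
triage an FMC connection-event export for the test client."""
import csv
import hashlib
import io
from collections import Counter

# The 68-byte EICAR test string (no trailing newline), concatenated from two
# halves so that this script itself is not quarantined by an endpoint AV.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-" + "ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_sha256():
    """SHA-256 of the EICAR file. AMP for Networks keys its disposition lookup
    and its file/malware events on this hash, so search for it in FMC."""
    return hashlib.sha256(EICAR.encode("ascii")).hexdigest()


def write_eicar(path):
    """Write the test file so it can be served from a plain HTTP server
    (the thread's advice: test over HTTP, not HTTPS, unless you decrypt)."""
    with open(path, "wb") as fh:
        fh.write(EICAR.encode("ascii"))
    return path


# Constructed sample of a "Table View of Connection Events" CSV export.
# Column names are an assumption for this example; match them to your export.
SAMPLE_EVENTS = """\
Initiator IP,Responder IP,Responder Port,Application Protocol,Access Control Rule,File Policy
10.1.1.50,203.0.113.10,80,HTTP,AMPPOLICY,MALWARE_BLOCK
10.1.1.50,203.0.113.10,443,HTTPS,Default Action,
10.1.1.50,198.51.100.20,80,HTTP,AMPPOLICY,MALWARE_BLOCK
10.1.1.77,203.0.113.10,80,HTTP,Allow Web,
"""


def triage(csv_text, client_ip, expected_rule="AMPPOLICY"):
    """Apply the thread's checks to the rows for one client IP:
    - which access control rule each connection matched,
    - whether any connection was HTTPS (the file policy cannot see the
      payload without SSL decryption),
    - whether every connection on the expected rule actually carried a
      file policy (a rule without one never hands files to AMP)."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Initiator IP"] == client_ip]
    rules_hit = Counter(r["Access Control Rule"] for r in rows)
    https = [r for r in rows
             if r["Application Protocol"] == "HTTPS" or r["Responder Port"] == "443"]
    on_rule = [r for r in rows if r["Access Control Rule"] == expected_rule]
    no_file_policy = [r for r in on_rule if not r["File Policy"]]
    return {
        "connections": len(rows),
        "rules_hit": dict(rules_hit),
        "hit_expected_rule": bool(on_rule),
        "https_connections": len(https),
        "expected_rule_without_file_policy": len(no_file_policy),
    }


if __name__ == "__main__":
    print("EICAR SHA-256:", eicar_sha256())
    for key, value in triage(SAMPLE_EVENTS, "10.1.1.50").items():
        print(f"{key}: {value}")
```

If the client's rows never show the expected rule, the access control policy is matching the traffic elsewhere and the file policy attached to AMPPOLICY is not in play; if the only download is the HTTPS row, AMP never saw the file and the Kaspersky block on the endpoint is the only thing that will fire.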

Community Member

Re: AMP | How to block malware in sourcefire

The config is in inline mode, as below:

 

class-map sfr
 match access-list sfr_redirect
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
 class sfr
  sfr fail-open
!

Cisco Employee

Re: AMP | How to block malware in sourcefire

Config seems correct from the ASA redirection point of view. Please check the firewall-engine-debug from the CLI or the connection events and find which rule the traffic hits.

Community Member

Re: AMP | How to block malware in sourcefire

The images show that the server antivirus, Kaspersky, is blocking the malware, but the ASA is not blocking it.

Cisco Employee

Re: AMP | How to block malware in sourcefire

Hi

I would suggest opening a TAC case for further investigation.

213 Views | 0 Helpful | 10 Replies